################################################################
# abuse.ch URLhaus IDS ruleset (Suricata only)                 #
# Last updated: 2026-06-02 01:09:19 (UTC)                      #
#                                                              #
# Terms Of Use: https://urlhaus.abuse.ch/api/                  #
# For questions please contact urlhaus [at] abuse.ch           #
################################################################
#
# url
#
# How to read these rules
#   Every rule follows one template and alerts on a single HTTP request:
#     - direction:   $HOME_NET -> $EXTERNAL_NET, client side of an
#                    established flow
#     - http.method: GET
#     - http.uri:    content + depth equal to the pattern length + endswith,
#                    so the URI must equal the pattern exactly (nocase makes
#                    the comparison case-insensitive)
#     - http.host:   content + depth equal to the pattern length +
#                    isdataat:!1,relative, so the host must equal the pattern
#                    exactly
#   The number in msg and the reference URL identify the URLhaus entry; open
#   the reference URL when triaging a hit.
#
# Operational notes
#   - Only the request is inspected. A hit shows that an internal host asked
#     for the URL, not that a payload was delivered or executed; confirm from
#     the response or on the endpoint.
#   - The rules are written for the http protocol, so they depend on Suricata
#     parsing the traffic as HTTP; the same URL fetched inside TLS is not
#     visible to them unless the traffic is decrypted upstream.
#   - Very short URIs such as "/i" carry no signal on their own; those rules
#     are only as specific as the pinned host value.
#   - Entries are point-in-time indicators (see metadata:created_at). Hosts
#     and addresses get cleaned up or reassigned, so refresh the feed on a
#     schedule instead of keeping a stale copy loaded.
#   - Check that HOME_NET and EXTERNAL_NET describe the monitored network on
#     the sensor; otherwise the rules will not see the intended traffic.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.171.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857272/; classtype:trojan-activity;sid:84720372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.199.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857269/; classtype:trojan-activity;sid:84720369; rev:1;)
# The rules from here through entry 3857255 all pin host 179.43.182.70 and
# differ only in the URI path, so hits on any of them can be pivoted on that
# one host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.ppc"; depth:13; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857268/; classtype:trojan-activity;sid:84720368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.spc"; depth:13; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857256/; classtype:trojan-activity;sid:84720356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.arm7"; depth:14; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857257/; classtype:trojan-activity;sid:84720357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.arm6"; depth:14; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857258/; classtype:trojan-activity;sid:84720358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857259/; classtype:trojan-activity;sid:84720359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857260/; classtype:trojan-activity;sid:84720360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.arm"; depth:13; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857261/; classtype:trojan-activity;sid:84720361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.mpsl"; depth:14; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857262/; classtype:trojan-activity;sid:84720362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.mips"; depth:14; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857263/; classtype:trojan-activity;sid:84720363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.arm5"; depth:14; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857264/; classtype:trojan-activity;sid:84720364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.sh4"; depth:13; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857265/; classtype:trojan-activity;sid:84720365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.x86"; depth:13; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857266/; classtype:trojan-activity;sid:84720366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857267/; classtype:trojan-activity;sid:84720367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ogz.m68k"; depth:14; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857255/; classtype:trojan-activity;sid:84720355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.146.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857254/; classtype:trojan-activity;sid:84720354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.93.214"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857253/; classtype:trojan-activity;sid:84720353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.239.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857252/; classtype:trojan-activity;sid:84720352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.7.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857251/; classtype:trojan-activity;sid:84720351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.254.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857249/; classtype:trojan-activity;sid:84720349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857248/; classtype:trojan-activity;sid:84720348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.7.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857247/; classtype:trojan-activity;sid:84720347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.146.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857246/; classtype:trojan-activity;sid:84720346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.239.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_02; reference:url, urlhaus.abuse.ch/url/3857245/; classtype:trojan-activity;sid:84720345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.255.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857244/; classtype:trojan-activity;sid:84720344; rev:1;)
# |3f| is the hex escape for "?", so the URI matched here is "/?ublib=<uuid>";
# the query string is part of the exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=08144743-dd48-469d-a3c7-d0be12964247"; depth:47; endswith; nocase; http.host; content:"gfwbeo2g.7lf.net"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857243/; classtype:trojan-activity;sid:84720343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"14.145.162.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857242/; classtype:trojan-activity;sid:84720342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857241/; classtype:trojan-activity;sid:84720341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.39.52"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857240/; classtype:trojan-activity;sid:84720340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/496ab272-b028-4acf-b361-ea46018f1dcc"; depth:37; endswith; nocase; http.host; content:"ydcpmjs.303-bet.xyz"; depth:19; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857239/; classtype:trojan-activity;sid:84720339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.255.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857238/; classtype:trojan-activity;sid:84720338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.80.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857237/; classtype:trojan-activity;sid:84720337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.106.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857236/; classtype:trojan-activity;sid:84720336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.85.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857235/; classtype:trojan-activity;sid:84720335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8ae0b9fa-1b26-41dc-b559-7a90cc141bd9"; depth:37; endswith; nocase; http.host; content:"maibnyf.303-bet.buzz"; depth:20; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857234/; classtype:trojan-activity;sid:84720334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857233/; classtype:trojan-activity;sid:84720333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857232/; classtype:trojan-activity;sid:84720332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.80.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857231/; classtype:trojan-activity;sid:84720331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.106.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857230/; classtype:trojan-activity;sid:84720330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857229/; classtype:trojan-activity;sid:84720329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857228/; classtype:trojan-activity;sid:84720328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.85.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857227/; classtype:trojan-activity;sid:84720327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30e7e44c-9378-47ca-90e9-57d36aa38856"; depth:37; endswith; nocase; http.host; content:"ssiysqt.1xbet1farsi.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857226/; classtype:trojan-activity;sid:84720326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.88.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857225/; classtype:trojan-activity;sid:84720325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.226.226.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857224/; classtype:trojan-activity;sid:84720324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.135.153.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857223/; classtype:trojan-activity;sid:84720323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.88.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857222/; classtype:trojan-activity;sid:84720322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.187.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857221/; classtype:trojan-activity;sid:84720321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=5c963bc1-4201-45d1-9484-9acae9a04fc4"; depth:47; endswith; nocase; http.host; content:"4iod03t4.eutoor.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857220/; classtype:trojan-activity;sid:84720320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.238.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857219/; classtype:trojan-activity;sid:84720319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.148.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857218/; classtype:trojan-activity;sid:84720318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857217/; classtype:trojan-activity;sid:84720317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.247.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857216/; classtype:trojan-activity;sid:84720316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.203.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857215/; classtype:trojan-activity;sid:84720315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.238.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857214/; classtype:trojan-activity;sid:84720314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.247.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857213/; classtype:trojan-activity;sid:84720313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/127a5ebe-0d7d-4d4d-9ade-b2dc699eab3d"; depth:37; endswith; nocase; http.host; content:"dkgxlcw.venusbetyek.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857212/; classtype:trojan-activity;sid:84720312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.170.63"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857211/; classtype:trojan-activity;sid:84720311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.141.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857210/; classtype:trojan-activity;sid:84720310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.34.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857209/; classtype:trojan-activity;sid:84720309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.215.207.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857208/; classtype:trojan-activity;sid:84720308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.235.158.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857206/; classtype:trojan-activity;sid:84720306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.187.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857207/; classtype:trojan-activity;sid:84720307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857203/; classtype:trojan-activity;sid:84720303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meowarm64"; depth:10; endswith; nocase; http.host; content:"34.181.210.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857204/; classtype:trojan-activity;sid:84720304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow"; depth:5; endswith; nocase; http.host; content:"34.181.210.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857205/; classtype:trojan-activity;sid:84720305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_27c474da366340b6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857201/; classtype:trojan-activity;sid:84720301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5c45918e867514f4.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857202/; classtype:trojan-activity;sid:84720302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.218.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857200/; classtype:trojan-activity;sid:84720300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.187.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857199/; classtype:trojan-activity;sid:84720299; rev:1;)
# The rules from here through entry 3857192 all pin host 31.56.209.222 and
# differ only in the URI path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.sh4"; depth:9; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857198/; classtype:trojan-activity;sid:84720298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.x86"; depth:9; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857195/; classtype:trojan-activity;sid:84720295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.sparc"; depth:11; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857196/; classtype:trojan-activity;sid:84720296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.armv6l"; depth:12; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857197/; classtype:trojan-activity;sid:84720297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.armv5l"; depth:12; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857193/; classtype:trojan-activity;sid:84720293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.mips"; depth:10; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857194/; classtype:trojan-activity;sid:84720294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.armv7l"; depth:12; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857188/; classtype:trojan-activity;sid:84720288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.mipsrouter"; depth:16; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857189/; classtype:trojan-activity;sid:84720289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.armv4l"; depth:12; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857190/; classtype:trojan-activity;sid:84720290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.m68k"; depth:10; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857191/; classtype:trojan-activity;sid:84720291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zero.mipsel"; depth:12; endswith; nocase; http.host; content:"31.56.209.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857192/; classtype:trojan-activity;sid:84720292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857187/; classtype:trojan-activity;sid:84720287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/185e7150-841c-4085-9ac0-09e978d5f45d"; depth:37; endswith; nocase; http.host; content:"nljinxg.takhtebet.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857186/; classtype:trojan-activity;sid:84720286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857185)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.141.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857185/; classtype:trojan-activity;sid:84720285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.187.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857184/; classtype:trojan-activity;sid:84720284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.235.158.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857183/; classtype:trojan-activity;sid:84720283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.34.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857182/; classtype:trojan-activity;sid:84720282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.218.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857181/; classtype:trojan-activity;sid:84720281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3857179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857179/; classtype:trojan-activity;sid:84720279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.177.237.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857180/; classtype:trojan-activity;sid:84720280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.152.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857178/; classtype:trojan-activity;sid:84720278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faea0967-fa05-4994-8440-686eaa2d049b"; depth:37; endswith; nocase; http.host; content:"rvvemra.takhtebet.app"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857177/; classtype:trojan-activity;sid:84720277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=3b493422-bbc9-4d54-b8d8-7dfc8ea5b545"; depth:47; endswith; nocase; http.host; content:"0nwfyg62.onja1bet.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; 
reference:url, urlhaus.abuse.ch/url/3857176/; classtype:trojan-activity;sid:84720276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e4c93c20-1250-4fda-8969-e425c2d0f56f"; depth:37; endswith; nocase; http.host; content:"msbeora.takhtebet.app"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857175/; classtype:trojan-activity;sid:84720275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8472153909/kpb7its.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857174/; classtype:trojan-activity;sid:84720274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.112.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857173/; classtype:trojan-activity;sid:84720273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.6.167.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857172/; classtype:trojan-activity;sid:84720272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857171)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.121.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857171/; classtype:trojan-activity;sid:84720271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/608a9908-0f7e-496b-bc75-015f249004e6"; depth:37; endswith; nocase; http.host; content:"ekffxlo.shart90bet.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857170/; classtype:trojan-activity;sid:84720270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb25.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857169/; classtype:trojan-activity;sid:84720269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"31.56.209.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857167/; classtype:trojan-activity;sid:84720267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"31.56.209.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857168/; classtype:trojan-activity;sid:84720268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3857166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.6.167.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857166/; classtype:trojan-activity;sid:84720266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.215.207.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857165/; classtype:trojan-activity;sid:84720265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.36.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857164/; classtype:trojan-activity;sid:84720264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.112.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857163/; classtype:trojan-activity;sid:84720263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.121.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857162/; 
classtype:trojan-activity;sid:84720262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/92ce30d1-330e-477f-aace-4262bd852f9a"; depth:37; endswith; nocase; http.host; content:"bgtwfmx.rikashart.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857161/; classtype:trojan-activity;sid:84720261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.4.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857160/; classtype:trojan-activity;sid:84720260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.195"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857159/; classtype:trojan-activity;sid:84720259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.31.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857158/; classtype:trojan-activity;sid:84720258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.93.67"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857157/; classtype:trojan-activity;sid:84720257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.142.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857156/; classtype:trojan-activity;sid:84720256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"206.168.201.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857155/; classtype:trojan-activity;sid:84720255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"175.107.205.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857154/; classtype:trojan-activity;sid:84720254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b"; depth:2; endswith; nocase; http.host; content:"91.92.42.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857153/; classtype:trojan-activity;sid:84720253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857152)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/61949eeb-139c-46cf-a17d-e08dc62ab601"; depth:37; endswith; nocase; http.host; content:"tfbkfdw.21pasoor.app"; depth:20; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857152/; classtype:trojan-activity;sid:84720252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=fe96f4a1-bb1f-4a22-95a8-5b2933ecf37b"; depth:47; endswith; nocase; http.host; content:"a0sadcof.ogabbet.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857151/; classtype:trojan-activity;sid:84720251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.36.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857150/; classtype:trojan-activity;sid:84720250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.145.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857149/; classtype:trojan-activity;sid:84720249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.145.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857148/; classtype:trojan-activity;sid:84720248; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.142.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857147/; classtype:trojan-activity;sid:84720247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/89b66ec8-ecc6-4b61-b8d1-891a25c75940"; depth:37; endswith; nocase; http.host; content:"hfsdguf.asyabet303.bet"; depth:22; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857146/; classtype:trojan-activity;sid:84720246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.142.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857145/; classtype:trojan-activity;sid:84720245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.168.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857144/; classtype:trojan-activity;sid:84720244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.184.191"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_06_01; reference:url, urlhaus.abuse.ch/url/3857143/; classtype:trojan-activity;sid:84720243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.135.54.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857142/; classtype:trojan-activity;sid:84720242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857141/; classtype:trojan-activity;sid:84720241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.135.54.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857140/; classtype:trojan-activity;sid:84720240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.126.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857139/; classtype:trojan-activity;sid:84720239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"125.47.222.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857138/; classtype:trojan-activity;sid:84720238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fe4d577f-537f-49be-b2d6-92e57674d713"; depth:37; endswith; nocase; http.host; content:"zfkzwhk.bakhtazmaeii.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857137/; classtype:trojan-activity;sid:84720237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.102.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857136/; classtype:trojan-activity;sid:84720236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.126.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857135/; classtype:trojan-activity;sid:84720235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.168.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857134/; classtype:trojan-activity;sid:84720234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857133)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.179.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857133/; classtype:trojan-activity;sid:84720233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.184.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857132/; classtype:trojan-activity;sid:84720232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.70.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857131/; classtype:trojan-activity;sid:84720231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.70.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857130/; classtype:trojan-activity;sid:84720230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.232.32.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857129/; classtype:trojan-activity;sid:84720229; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.171.168.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857128/; classtype:trojan-activity;sid:84720228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857127/; classtype:trojan-activity;sid:84720227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.247.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857126/; classtype:trojan-activity;sid:84720226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0e349f0c-214e-4ea4-b9ea-4a33a8df2163"; depth:37; endswith; nocase; http.host; content:"nxbided.bakhtbetyek.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857125/; classtype:trojan-activity;sid:84720225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; 
reference:url, urlhaus.abuse.ch/url/3857124/; classtype:trojan-activity;sid:84720224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.232.32.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857123/; classtype:trojan-activity;sid:84720223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857122/; classtype:trojan-activity;sid:84720222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/build/gagol.py/download"; depth:28; endswith; nocase; http.host; content:"store-standoff2-gold.shop"; depth:25; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857121/; classtype:trojan-activity;sid:84720221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=fc4cc581-9ac3-4690-bc4e-8d9ef0255f06"; depth:47; endswith; nocase; http.host; content:"9nwu3map.jetform.football"; depth:25; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857120/; classtype:trojan-activity;sid:84720220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857119)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.211.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857119/; classtype:trojan-activity;sid:84720219; rev:1;)
# NOTE(review): the line above is the tail of a rule whose header lies before this
# excerpt, and the last line of this excerpt is the head of a rule that continues after
# it; both are left exactly as found. Every rule in between is laid out one per line.
#
# How each rule matches (the same template is used throughout):
#   alert http $HOME_NET any -> $EXTERNAL_NET any; flow:established,from_client
#       Requests parsed as HTTP, sent by the client side of an established flow,
#       from $HOME_NET to $EXTERNAL_NET on any port. The action is alert only.
#   http.method; content:"GET"
#       Only GET requests are considered.
#   http.uri; content:"<uri>"; depth:<n>; endswith; nocase
#       <n> is the length of <uri>, so the match must start at the first byte of the
#       URI buffer, and endswith requires it to finish at the last byte: the whole URI
#       must equal <uri>, compared case-insensitively. The two rules whose content
#       contains |3f| are a slight exception; see the notes placed before them.
#   http.host; content:"<host>"; depth:<n>; isdataat:!1,relative
#       depth pins the match to the start of the host buffer and isdataat:!1,relative
#       requires that no byte follows it, so the host must equal <host>.
#   reference:url, urlhaus.abuse.ch/url/<id>/
#       The URLhaus entry for the id shown in msg; sid and id share their last digits
#       pattern, which helps when mapping an alert back to the entry.
#
# Points to keep in mind when deploying or triaging:
#   - Only plaintext HTTP is covered. The same URL requested over TLS is not seen by
#     these rules unless the sensor receives decrypted traffic.
#   - The match is exact: a different path, an appended query string, or another host
#     name for the same server produces no alert.
#   - NOTE(review): whether a Host header that carries an explicit port still matches
#     depends on how the engine fills http.host; confirm on the deployed version.
#   - Several paths are very short or generic ("/i", "/get", "/ntp", "/check"); they are
#     specific only because of the host condition, so keep the host match when tuning.
#   - An alert shows that a host in $HOME_NET sent the request. The rule does not
#     inspect the response, so it does not show whether anything was delivered.
#   - Many hosts appear twice, once with "/i" and once with "/bin.sh"; grouping alerts
#     by destination host gives a clearer picture than reading them sid by sid.
#   - All rules here carry created_at 2026_06_01. Indicators of this kind go stale, so
#     track the feed's updates instead of keeping a fixed copy of this snapshot.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6a11c383-8b52-471b-ad30-66c66e532d3e"; depth:37; endswith; nocase; http.host; content:"nafnvgy.enf90.app"; depth:17; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857118/; classtype:trojan-activity;sid:84720218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"205.185.121.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857117/; classtype:trojan-activity;sid:84720217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857116/; classtype:trojan-activity;sid:84720216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.73.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857115/; classtype:trojan-activity;sid:84720215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/white/pool"; depth:11; endswith; nocase; http.host; content:"gloason.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857114/; classtype:trojan-activity;sid:84720214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.222.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857113/; classtype:trojan-activity;sid:84720213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857112/; classtype:trojan-activity;sid:84720212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c800780e-b6b1-46e1-acfa-60a147ec16fd"; depth:37; endswith; nocase; http.host; content:"hshpzhf.digibetyek.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857111/; classtype:trojan-activity;sid:84720211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.211.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857110/; classtype:trojan-activity;sid:84720210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857109/; classtype:trojan-activity;sid:84720209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.120.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857108/; classtype:trojan-activity;sid:84720208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.181.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857107/; classtype:trojan-activity;sid:84720207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.124.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857106/; classtype:trojan-activity;sid:84720206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.101.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857105/; classtype:trojan-activity;sid:84720205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857104/; classtype:trojan-activity;sid:84720204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/824d4700-d89e-4db5-a08e-474d1724fa1c"; depth:37; endswith; nocase; http.host; content:"olftxqs.dgyekbet1.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857103/; classtype:trojan-activity;sid:84720203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857102/; classtype:trojan-activity;sid:84720202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.244.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857101/; classtype:trojan-activity;sid:84720201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.55.198.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857100/; classtype:trojan-activity;sid:84720200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.181.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857099/; classtype:trojan-activity;sid:84720199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.146.185.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857098/; classtype:trojan-activity;sid:84720198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857097/; classtype:trojan-activity;sid:84720197; rev:1;)
# The next 14 rules share one host, 192.142.55.159. Their paths are named after CPU
# architectures or platforms (mips, arm, x86, amd64, android_arm, ...) plus /bot.exe
# and /bins.sh. Short paths such as "/arm" or "/x86" are distinctive only together
# with the host condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857096/; classtype:trojan-activity;sid:84720196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857094/; classtype:trojan-activity;sid:84720194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm64"; depth:14; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857095/; classtype:trojan-activity;sid:84720195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857085/; classtype:trojan-activity;sid:84720185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857086/; classtype:trojan-activity;sid:84720186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i386"; depth:5; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857087/; classtype:trojan-activity;sid:84720187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857088/; classtype:trojan-activity;sid:84720188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857089/; classtype:trojan-activity;sid:84720189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857090/; classtype:trojan-activity;sid:84720190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857091/; classtype:trojan-activity;sid:84720191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857092/; classtype:trojan-activity;sid:84720192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm"; depth:12; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857093/; classtype:trojan-activity;sid:84720193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857084/; classtype:trojan-activity;sid:84720184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"192.142.55.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857083/; classtype:trojan-activity;sid:84720183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.132.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857082/; classtype:trojan-activity;sid:84720182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.154.7.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857081/; classtype:trojan-activity;sid:84720181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.146.185.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857080/; classtype:trojan-activity;sid:84720180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.244.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857079/; classtype:trojan-activity;sid:84720179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.101.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857078/; classtype:trojan-activity;sid:84720177; rev:1;)
# NOTE(review): in the next rule |3f| is the hex escape for "?", so the content is
# 44 bytes long ("/" + "?" + "ublib=" + a 36-character id), while depth is 47. That
# looks like the escape being counted as four characters. The listed URL still
# matches; the only effect is that, combined with endswith, up to three extra bytes
# in front of the content are tolerated. The host condition is unaffected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=99515c7a-475a-4b75-bea0-f1d258e816bd"; depth:47; endswith; nocase; http.host; content:"a1bpvfc4.enfejar2.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857077/; classtype:trojan-activity;sid:84720177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2a44a4d5-075e-4bb3-bb55-befa26f7613b"; depth:37; endswith; nocase; http.host; content:"dobboeu.channelsbetyek.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857076/; classtype:trojan-activity;sid:84720176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.154.7.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857075/; classtype:trojan-activity;sid:84720175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.55.198.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857074/; classtype:trojan-activity;sid:84720174; rev:1;)
# The next 13 rules share one host, 185.91.127.219, and one path prefix,
# "/hiddenbin/space.", followed by an architecture-style suffix (m68k, x86_64, arm5,
# mips, ...). They differ only in that suffix, its depth value and the id/sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857073/; classtype:trojan-activity;sid:84720173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857072/; classtype:trojan-activity;sid:84720172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857068/; classtype:trojan-activity;sid:84720168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857069/; classtype:trojan-activity;sid:84720169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857070/; classtype:trojan-activity;sid:84720170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857071/; classtype:trojan-activity;sid:84720171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857067/; classtype:trojan-activity;sid:84720167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857061/; classtype:trojan-activity;sid:84720161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857062/; classtype:trojan-activity;sid:84720162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857063/; classtype:trojan-activity;sid:84720163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857064/; classtype:trojan-activity;sid:84720164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857065/; classtype:trojan-activity;sid:84720165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"185.91.127.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857066/; classtype:trojan-activity;sid:84720166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.126.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857060/; classtype:trojan-activity;sid:84720160; rev:1;)
# NOTE(review): as in sid 84720177, |3f| stands for "?", the content is 44 bytes long
# and depth is 47, so up to three leading bytes before the content are tolerated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=c5a512e2-588f-431d-ab3f-9493d859f609"; depth:47; endswith; nocase; http.host; content:"509ukk9c.enf90.vip"; depth:18; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857059/; classtype:trojan-activity;sid:84720159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.14.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857058/; classtype:trojan-activity;sid:84720158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.107.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857057/; classtype:trojan-activity;sid:84720157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.56.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857056/; classtype:trojan-activity;sid:84720156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.245.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857055/; classtype:trojan-activity;sid:84720155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.6.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857054/; classtype:trojan-activity;sid:84720154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/59bcd6cd-0ae9-458b-bd68-ba5ccfda1c90"; depth:37; endswith; nocase; http.host; content:"agqjwmu.betyekritzo.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857053/; classtype:trojan-activity;sid:84720153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.6.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857052/; classtype:trojan-activity;sid:84720152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.56.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857051/; classtype:trojan-activity;sid:84720151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.119.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857050/; classtype:trojan-activity;sid:84720150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.77.24.7"; depth:9; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857049/; classtype:trojan-activity;sid:84720149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.145.162.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857048/; classtype:trojan-activity;sid:84720148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.19.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857047/; classtype:trojan-activity;sid:84720147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.247.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857046/; classtype:trojan-activity;sid:84720146; rev:1;)
# The next 19 rules interleave two hosts. Fourteen use the host name cnc.reaperc2.xyz
# with paths of the form "/bot.<arch>"; five use 192.227.135.225 with unrelated file
# names. The host name is matched in http.host only, so these rules do not cover
# requests that reach the same server under another name or by address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857045/; classtype:trojan-activity;sid:84720145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/besnakker.asd"; depth:14; endswith; nocase; http.host; content:"192.227.135.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857040/; classtype:trojan-activity;sid:84720140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arc"; depth:8; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857041/; classtype:trojan-activity;sid:84720141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsrouter"; depth:15; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857042/; classtype:trojan-activity;sid:84720142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857043/; classtype:trojan-activity;sid:84720143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857044/; classtype:trojan-activity;sid:84720144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spiral.deploy"; depth:14; endswith; nocase; http.host; content:"192.227.135.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857039/; classtype:trojan-activity;sid:84720139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857027/; classtype:trojan-activity;sid:84720127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857028/; classtype:trojan-activity;sid:84720128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857029/; classtype:trojan-activity;sid:84720129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857030/; classtype:trojan-activity;sid:84720130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857031/; classtype:trojan-activity;sid:84720131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857032/; classtype:trojan-activity;sid:84720132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857033/; classtype:trojan-activity;sid:84720133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857034/; classtype:trojan-activity;sid:84720134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"cnc.reaperc2.xyz"; depth:16; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857035/; classtype:trojan-activity;sid:84720135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bestinksp.fla"; depth:14; endswith; nocase; http.host; content:"192.227.135.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857036/; classtype:trojan-activity;sid:84720136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wpmuqhqbhlougrxdqymvucgbw188.bin"; depth:33; endswith; nocase; http.host; content:"192.227.135.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857037/; classtype:trojan-activity;sid:84720137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngokjlj97.bin"; depth:14; endswith; nocase; http.host; content:"192.227.135.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857038/; classtype:trojan-activity;sid:84720138; rev:1;)
# The next three rules share the host 198.98.50.94 and use the generic paths "/ntp",
# "/get" and "/check". On their own these paths are common in benign traffic; the
# exact host condition is what makes the rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntp"; depth:4; endswith; nocase; http.host; content:"198.98.50.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857024/; classtype:trojan-activity;sid:84720124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get"; depth:4; endswith; nocase; http.host; content:"198.98.50.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857025/; classtype:trojan-activity;sid:84720125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; endswith; nocase; http.host; content:"198.98.50.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857026/; classtype:trojan-activity;sid:84720126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.exe"; depth:11; endswith; nocase; http.host; content:"198.98.55.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857023/; classtype:trojan-activity;sid:84720123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.60.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857022/; classtype:trojan-activity;sid:84720122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6091fc26-08a9-4cbe-b279-d7686055ee74"; depth:37; endswith; nocase; http.host; content:"qxvudcz.bet1bartar.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857021/; classtype:trojan-activity;sid:84720121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857020)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.77.24.7"; depth:9; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857020/; classtype:trojan-activity;sid:84720120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.119.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857019/; classtype:trojan-activity;sid:84720119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.211.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857018/; classtype:trojan-activity;sid:84720118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.193.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857017/; classtype:trojan-activity;sid:84720117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.83.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857016/; classtype:trojan-activity;sid:84720116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3857015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.16.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857015/; classtype:trojan-activity;sid:84720115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.16.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857014/; classtype:trojan-activity;sid:84720114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9708a2cf-caf8-4e10-b4ad-102be7310d44"; depth:37; endswith; nocase; http.host; content:"ebzwaki.bakhtbetyek.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857013/; classtype:trojan-activity;sid:84720113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.193.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857012/; classtype:trojan-activity;sid:84720112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.60.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, 
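urlhaus.abuse.ch/url/3857011/; classtype:trojan-activity;sid:84720111; rev:1;)
# Template used by the rules on this line: alert on an established, client-to-server
# HTTP flow from $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose
# URI buffer equals the listed path and whose Host buffer equals the listed host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857010/; classtype:trojan-activity;sid:84720110; rev:1;)
# URLhaus entry 3857009: the URI pattern contains the hex escape |3f|, which is the
# single byte "?", so the pattern is 44 bytes long (1 + 1 + 6 + 36). depth is set to 44
# so that depth plus endswith pins the whole URI buffer to the pattern, as the
# neighbouring rules do. The listed depth:47 counted the escape as four characters,
# which lets a URI with up to three extra leading bytes still match.
# NOTE(review): the file header marks this as the abuse.ch URLhaus ruleset with a
# "Last updated" stamp, so a local edit is presumably overwritten on the next pull;
# raise the depth calculation with the feed maintainer or apply it in a local
# rule-modification step. rev is left as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=f8140b65-7930-4eb2-b451-008d71f37b68"; depth:44; endswith; nocase; http.host; content:"6feq96px.eutoor.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857009/; classtype:trojan-activity;sid:84720109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.124.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857008/; classtype:trojan-activity;sid:84720108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857007/; classtype:trojan-activity;sid:84720107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 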
nocase; http.host; content:"175.165.83.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857006/; classtype:trojan-activity;sid:84720106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.74.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857005/; classtype:trojan-activity;sid:84720105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1213466-88a8-4f47-b9ed-a6e218719e2c"; depth:37; endswith; nocase; http.host; content:"vumobeb.bakhtazmaeii.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857004/; classtype:trojan-activity;sid:84720104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.211.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857003/; classtype:trojan-activity;sid:84720103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.190.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857002/; classtype:trojan-activity;sid:84720102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3857001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.224.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857001/; classtype:trojan-activity;sid:84720101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3857000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.149.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3857000/; classtype:trojan-activity;sid:84720100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/arm"; depth:13; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856999/; classtype:trojan-activity;sid:84720099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/mips"; depth:14; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856992/; classtype:trojan-activity;sid:84720092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/spc"; depth:13; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856993/; classtype:trojan-activity;sid:84720093; rev:1;) 
# The rules below share one template: alert on an established, client-to-server HTTP
# flow from $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose URI
# buffer equals the listed path (depth equal to the pattern length plus endswith,
# compared with nocase) and whose Host buffer equals the listed host (depth equal to
# the pattern length plus isdataat:!1,relative, i.e. no byte follows the match).
# The number in msg is the URLhaus entry ID and is repeated in the reference URL.
#
# Coverage limits that follow from the template: only traffic parsed as HTTP, only
# GET, only requests leaving $HOME_NET, and only the exact host/path pair. The same
# path requested over TLS, from a different host, or with a query string appended
# does not alert.
#
# Triage: the match is on the request (from_client), so an alert shows that a host in
# $HOME_NET asked for a listed URL, not that a payload was delivered or run; confirm
# with the HTTP response and endpoint telemetry.
# NOTE(review): the four complete rules here point at one host with paths that differ
# only in a suffix (mpsl, m68k, arc, arm6) - presumably per-architecture builds of one
# payload; verify against the URLhaus entries before correlating them as one incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/mpsl"; depth:14; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856994/; classtype:trojan-activity;sid:84720094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/m68k"; depth:14; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856995/; classtype:trojan-activity;sid:84720095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/arc"; depth:13; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856996/; classtype:trojan-activity;sid:84720096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/arm6"; depth:14; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856997/; classtype:trojan-activity;sid:84720097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/sh4"; depth:13; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856998/; classtype:trojan-activity;sid:84720098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/x86"; depth:13; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856988/; classtype:trojan-activity;sid:84720088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.sh"; depth:8; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856989/; classtype:trojan-activity;sid:84720089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/ppc"; depth:13; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856990/; classtype:trojan-activity;sid:84720090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/x86_64"; depth:16; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856991/; classtype:trojan-activity;sid:84720091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856987)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
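content:"/systemcl/arm5"; depth:14; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856987/; classtype:trojan-activity;sid:84720087; rev:1;)
# URLhaus entry 3856986: alert on a GET for the exact URI "/?ublib=<UUID>" on the listed
# host. The |3f| escape in the pattern is the single byte "?", so the pattern is 44
# bytes long (1 + 1 + 6 + 36). depth is set to 44 so that depth plus endswith pins the
# whole URI buffer to the pattern, as the other rules on this line do. The listed
# depth:47 counted the escape as four characters, which lets a URI with up to three
# extra leading bytes still match.
# NOTE(review): the file header marks this as the abuse.ch URLhaus ruleset with a
# "Last updated" stamp, so a local edit is presumably overwritten on the next pull;
# raise the depth calculation with the feed maintainer or apply it in a local
# rule-modification step. rev is left as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=2ea4362b-fcb2-475f-84ec-8918ae4fefeb"; depth:44; endswith; nocase; http.host; content:"klga3rph.easyprocode.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856986/; classtype:trojan-activity;sid:84720086; rev:1;)
# The next three rules share one host and differ only in the requested .exe path; each
# requires method GET, the exact URI and the exact Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.exe"; depth:6; endswith; nocase; http.host; content:"103.231.14.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856984/; classtype:trojan-activity;sid:84720084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11.exe"; depth:7; endswith; nocase; http.host; content:"103.231.14.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856985/; classtype:trojan-activity;sid:84720085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/win.exe"; depth:8; endswith; nocase; http.host; content:"103.231.14.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856983/; classtype:trojan-activity;sid:84720083; rev:1;)
alert http $HOME_NET any -> 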
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.62.250.51"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856982/; classtype:trojan-activity;sid:84720082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e7ef8209-38d5-4fa9-b9e4-df3ed0733ace"; depth:37; endswith; nocase; http.host; content:"xzhuzft.asyabet303.bet"; depth:22; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856981/; classtype:trojan-activity;sid:84720081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.130.208.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856980/; classtype:trojan-activity;sid:84720080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.233.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856979/; classtype:trojan-activity;sid:84720079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.62.250.51"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; 
reference:url, urlhaus.abuse.ch/url/3856978/; classtype:trojan-activity;sid:84720078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemcl/arm7"; depth:14; endswith; nocase; http.host; content:"160.30.18.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856977/; classtype:trojan-activity;sid:84720077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.196.29.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856976/; classtype:trojan-activity;sid:84720076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.199.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856975/; classtype:trojan-activity;sid:84720075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.135.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856974/; classtype:trojan-activity;sid:84720074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.39.230.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856973/; classtype:trojan-activity;sid:84720073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856972/; classtype:trojan-activity;sid:84720072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/78117727-71d5-4e3a-be82-3e3438478e90"; depth:37; endswith; nocase; http.host; content:"pzacsqp.ariash.art"; depth:18; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856971/; classtype:trojan-activity;sid:84720071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.158.238.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856970/; classtype:trojan-activity;sid:84720070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.135.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856969/; classtype:trojan-activity;sid:84720069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856968)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.196.29.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856968/; classtype:trojan-activity;sid:84720068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.82.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856967/; classtype:trojan-activity;sid:84720067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.233.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856966/; classtype:trojan-activity;sid:84720066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.110.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856965/; classtype:trojan-activity;sid:84720065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.61.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856964/; classtype:trojan-activity;sid:84720064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3856963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.87.54"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856963/; classtype:trojan-activity;sid:84720063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.138.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856962/; classtype:trojan-activity;sid:84720062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.100.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856961/; classtype:trojan-activity;sid:84720061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856960/; classtype:trojan-activity;sid:84720060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.214.173.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856959/; 
classtype:trojan-activity;sid:84720059; rev:1;)
# Rule anatomy shared by every entry in this section (one rule per line):
#   - alert http $HOME_NET any -> $EXTERNAL_NET any with flow:established,from_client
#     inspects client requests on established flows from $HOME_NET to $EXTERNAL_NET.
#   - http.method content:"GET" restricts the rule to GET requests.
#   - http.uri content + depth + endswith pins the URI to the listed path; nocase makes
#     that comparison case-insensitive.
#   - http.host content + depth + isdataat:!1,relative requires the http.host buffer to
#     start with the listed value and have no data after it, i.e. to equal it.
#   - The number in msg, the reference URL and the sid identify the URLhaus entry;
#     metadata:created_at is the date the rule was created.
# Triage notes:
#   - Both the path and the host must match. Generic paths such as "/i" or "/bin.sh", and
#     the installer-style .exe names, do not alert on their own when served from another host.
#   - Several hosts are listed under more than one path (for example 110.36.65.9 with
#     "/i" and "/bin.sh"), so one client can raise several sids; correlate alerts on host.
#   - NOTE(review): these are `alert http` rules, so they presumably only see requests the
#     sensor can parse as HTTP; the same URL fetched over TLS would need decryption
#     upstream. Confirm against sensor placement.
#   - NOTE(review): most hosts are bare IP addresses. An alert reflects the listing as of
#     created_at; check the reference URL for the entry's current status before escalating.
#   - NOTE(review): in the two "/|3f|ublib=..." rules (sid 84720048 and 84719998) depth is 47,
#     the length of the pattern as typed. |3f| is a single byte, so the pattern is 44 bytes
#     and the depth leaves 3 bytes of slack in front of it; endswith still pins the end of
#     the URI. Left exactly as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856958/; classtype:trojan-activity;sid:84720058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86cd6bb4-03a3-46ed-8019-9f904ffad8bd"; depth:37; endswith; nocase; http.host; content:"jkjcrqj.21pasoor.app"; depth:20; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856957/; classtype:trojan-activity;sid:84720057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.87.54"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856956/; classtype:trojan-activity;sid:84720056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856955/; classtype:trojan-activity;sid:84720055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.110.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856954/; classtype:trojan-activity;sid:84720054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.126.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856953/; classtype:trojan-activity;sid:84720053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.61.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856952/; classtype:trojan-activity;sid:84720052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.100.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856951/; classtype:trojan-activity;sid:84720051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856950/; classtype:trojan-activity;sid:84720050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.167.175.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856949/; classtype:trojan-activity;sid:84720049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba3bd6aa-fbe6-480e-aa33-8a13e43c19fc"; depth:37; endswith; nocase; http.host; content:"vzfelbc.1shartbet1.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856947/; classtype:trojan-activity;sid:84720047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=199bce10-7ddf-4388-af4c-7bc72a2984c1"; depth:47; endswith; nocase; http.host; content:"p4nkss83.alsulmicpa.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856948/; classtype:trojan-activity;sid:84720048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.84.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856946/; classtype:trojan-activity;sid:84720046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.248.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856945/; classtype:trojan-activity;sid:84720045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.40.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856944/; classtype:trojan-activity;sid:84720044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.204.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856943/; classtype:trojan-activity;sid:84720043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bfceb72a-5f68-4317-b7a5-6619424887c8"; depth:37; endswith; nocase; http.host; content:"aehcwen.123betyek.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856942/; classtype:trojan-activity;sid:84720042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.84.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856941/; classtype:trojan-activity;sid:84720041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.213.224.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856940/; classtype:trojan-activity;sid:84720040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.248.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856939/; classtype:trojan-activity;sid:84720039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.204.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856938/; classtype:trojan-activity;sid:84720038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.61.150.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856937/; classtype:trojan-activity;sid:84720037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.61.150.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856936/; classtype:trojan-activity;sid:84720036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.61.149.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856935/; classtype:trojan-activity;sid:84720035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.79.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856934/; classtype:trojan-activity;sid:84720034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.238.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856933/; classtype:trojan-activity;sid:84720033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/08a30c49-a0e8-4490-a983-cf10b66c774c"; depth:37; endswith; nocase; http.host; content:"seahohx.saas-systems.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856932/; classtype:trojan-activity;sid:84720032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.73.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856929/; classtype:trojan-activity;sid:84720029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.72.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856930/; classtype:trojan-activity;sid:84720030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.89.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856931/; classtype:trojan-activity;sid:84720031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.91.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856926/; classtype:trojan-activity;sid:84720026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.89.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856927/; classtype:trojan-activity;sid:84720027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.89.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856928/; classtype:trojan-activity;sid:84720028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.89.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856923/; classtype:trojan-activity;sid:84720023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"216.126.225.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856924/; classtype:trojan-activity;sid:84720024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.90.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856925/; classtype:trojan-activity;sid:84720025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.91.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856922/; classtype:trojan-activity;sid:84720022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.89.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856917/; classtype:trojan-activity;sid:84720017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.91.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856918/; classtype:trojan-activity;sid:84720018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"216.126.225.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856919/; classtype:trojan-activity;sid:84720019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.72.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856920/; classtype:trojan-activity;sid:84720020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.89.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856921/; classtype:trojan-activity;sid:84720021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.73.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856915/; classtype:trojan-activity;sid:84720015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.91.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856916/; classtype:trojan-activity;sid:84720016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.24.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856914/; classtype:trojan-activity;sid:84720014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.238.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856913/; classtype:trojan-activity;sid:84720013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.181.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856912/; classtype:trojan-activity;sid:84720012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.74.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856911/; classtype:trojan-activity;sid:84720011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.exe"; depth:12; endswith; nocase; http.host; content:"172.86.110.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856910/; classtype:trojan-activity;sid:84720010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.200.211.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856909/; classtype:trojan-activity;sid:84720009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.114.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856908/; classtype:trojan-activity;sid:84720008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.114.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856907/; classtype:trojan-activity;sid:84720007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.126.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856906/; classtype:trojan-activity;sid:84720006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"172.86.116.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856905/; classtype:trojan-activity;sid:84720005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.116.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856903/; classtype:trojan-activity;sid:84720003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"172.86.126.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856904/; classtype:trojan-activity;sid:84720004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d3db2c84-0f86-4b3d-a385-992425d75d5e"; depth:37; endswith; nocase; http.host; content:"vxpkpgb.khaled-salah.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856902/; classtype:trojan-activity;sid:84720002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.24.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856901/; classtype:trojan-activity;sid:84720001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.149.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856900/; classtype:trojan-activity;sid:84720000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.74.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856899/; classtype:trojan-activity;sid:84719999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=684568bb-ac22-403e-93ad-1f68a27ffc45"; depth:47; endswith; nocase; http.host; content:"99ytipqf.mayochem.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856898/; classtype:trojan-activity;sid:84719998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"144.172.97.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856897/; classtype:trojan-activity;sid:84719997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"144.172.114.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856896/; classtype:trojan-activity;sid:84719996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"144.172.94.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856895/; classtype:trojan-activity;sid:84719995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"144.172.96.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856894/; classtype:trojan-activity;sid:84719994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.100.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856893/; classtype:trojan-activity;sid:84719993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"167.88.165.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856891/; classtype:trojan-activity;sid:84719991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"144.172.96.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856892/; classtype:trojan-activity;sid:84719992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"144.172.110.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856890/; classtype:trojan-activity;sid:84719990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"144.172.96.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856884/; classtype:trojan-activity;sid:84719984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"144.172.110.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856885/; classtype:trojan-activity;sid:84719985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"144.172.114.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856886/; classtype:trojan-activity;sid:84719986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"144.172.96.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856887/; classtype:trojan-activity;sid:84719987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"144.172.97.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856888/; classtype:trojan-activity;sid:84719988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"167.88.165.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856889/; classtype:trojan-activity;sid:84719989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.23.137.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856883/; classtype:trojan-activity;sid:84719983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.103.116.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856882/; classtype:trojan-activity;sid:84719982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.35.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856881/; classtype:trojan-activity;sid:84719981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/74ccd449-fc14-4086-bc87-221639e83da1"; depth:37; endswith; nocase; http.host; content:"dqtglfv.goldledgers.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856880/; classtype:trojan-activity;sid:84719980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.100.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856878/; classtype:trojan-activity;sid:84719978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.135.153.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856879/; classtype:trojan-activity;sid:84719979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.23.137.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856877/; classtype:trojan-activity;sid:84719977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.224.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856876/; classtype:trojan-activity;sid:84719976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.149.123.249"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856875/; classtype:trojan-activity;sid:84719975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.181.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856874/; classtype:trojan-activity;sid:84719974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.104.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856873/; classtype:trojan-activity;sid:84719973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.224.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856872/; classtype:trojan-activity;sid:84719972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.178.251.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856871/; classtype:trojan-activity;sid:84719971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/861b784c-0af3-45da-804b-940447a5752a"; depth:37; endswith; nocase; http.host; content:"kctwkqq.airtechmedical.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856870/; classtype:trojan-activity;sid:84719970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.23.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856869/; classtype:trojan-activity;sid:84719969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.149.123.249"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856868/; classtype:trojan-activity;sid:84719968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"104.194.132.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856867/; classtype:trojan-activity;sid:84719967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"104.194.132.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856866/; classtype:trojan-activity;sid:84719966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.140.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856865/; classtype:trojan-activity;sid:84719965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.23.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856864/; classtype:trojan-activity;sid:84719964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856862/; classtype:trojan-activity;sid:84719962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.78.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856863/; classtype:trojan-activity;sid:84719963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856861)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856861/; classtype:trojan-activity;sid:84719961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856855/; classtype:trojan-activity;sid:84719955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856856/; classtype:trojan-activity;sid:84719956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856857/; classtype:trojan-activity;sid:84719957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856858/; classtype:trojan-activity;sid:84719958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3856859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856859/; classtype:trojan-activity;sid:84719959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856860/; classtype:trojan-activity;sid:84719960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856854/; classtype:trojan-activity;sid:84719954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dbg"; depth:9; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856851/; classtype:trojan-activity;sid:84719951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856852/; 
classtype:trojan-activity;sid:84719952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856853/; classtype:trojan-activity;sid:84719953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856848/; classtype:trojan-activity;sid:84719948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856849/; classtype:trojan-activity;sid:84719949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856850/; classtype:trojan-activity;sid:84719950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.157.237"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856847/; classtype:trojan-activity;sid:84719947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856846/; classtype:trojan-activity;sid:84719946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856839/; classtype:trojan-activity;sid:84719939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856840/; classtype:trojan-activity;sid:84719940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856841/; classtype:trojan-activity;sid:84719941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856842)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856842/; classtype:trojan-activity;sid:84719942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856843/; classtype:trojan-activity;sid:84719943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856844/; classtype:trojan-activity;sid:84719944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856845/; classtype:trojan-activity;sid:84719945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856838/; classtype:trojan-activity;sid:84719938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3856836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856836/; classtype:trojan-activity;sid:84719936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856837/; classtype:trojan-activity;sid:84719937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856835/; classtype:trojan-activity;sid:84719935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.200.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856833/; classtype:trojan-activity;sid:84719933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.200.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856834/; 
classtype:trojan-activity;sid:84719934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.i586"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856832/; classtype:trojan-activity;sid:84719932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.arm4"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856829/; classtype:trojan-activity;sid:84719929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.ppc"; depth:199; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856830/; classtype:trojan-activity;sid:84719930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856831)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.i686"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856831/; classtype:trojan-activity;sid:84719931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.arm7"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856826/; classtype:trojan-activity;sid:84719926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.m68k"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856827/; classtype:trojan-activity;sid:84719927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856828)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.sparc"; depth:201; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856828/; classtype:trojan-activity;sid:84719928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.mpsl"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856820/; classtype:trojan-activity;sid:84719920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.arm5"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856821/; classtype:trojan-activity;sid:84719921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856822)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.arm6"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856822/; classtype:trojan-activity;sid:84719922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.mips"; depth:200; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856823/; classtype:trojan-activity;sid:84719923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.x86"; depth:199; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856824/; classtype:trojan-activity;sid:84719924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856825)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/a1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyouniggaa1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16ackerposidensfurhersploithackedyounigga1h2a3h4a5h6a7h8a9h10a11h12a13h14a15h16.sh4"; depth:199; endswith; nocase; http.host; content:"185.220.177.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856825/; classtype:trojan-activity;sid:84719925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856819/; classtype:trojan-activity;sid:84719919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arc"; depth:8; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856818/; classtype:trojan-activity;sid:84719918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856817/; classtype:trojan-activity;sid:84719917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856811/; classtype:trojan-activity;sid:84719911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856812/; classtype:trojan-activity;sid:84719912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856813/; classtype:trojan-activity;sid:84719913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856814/; classtype:trojan-activity;sid:84719914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsrouter"; depth:15; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856815/; classtype:trojan-activity;sid:84719915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856816)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856816/; classtype:trojan-activity;sid:84719916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.72.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856809/; classtype:trojan-activity;sid:84719909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atomic/main_x86_64"; depth:19; endswith; nocase; http.host; content:"176.65.139.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856810/; classtype:trojan-activity;sid:84719910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856808/; classtype:trojan-activity;sid:84719908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856807/; classtype:trojan-activity;sid:84719907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3856803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856803/; classtype:trojan-activity;sid:84719903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856804/; classtype:trojan-activity;sid:84719904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856805/; classtype:trojan-activity;sid:84719905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856806/; classtype:trojan-activity;sid:84719906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, 
urlhaus.abuse.ch/url/3856801/; classtype:trojan-activity;sid:84719901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856802/; classtype:trojan-activity;sid:84719902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856800/; classtype:trojan-activity;sid:84719900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856799/; classtype:trojan-activity;sid:84719899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856791/; classtype:trojan-activity;sid:84719891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856792)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856792/; classtype:trojan-activity;sid:84719892; rev:1;)
# More /hiddenbin/boatnet.<arch> names on 176.65.139.116. These are "alert http" rules,
# so they inspect cleartext HTTP only; the same download over TLS is not visible to
# them unless the traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856793/; classtype:trojan-activity;sid:84719893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856794/; classtype:trojan-activity;sid:84719894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856795/; classtype:trojan-activity;sid:84719895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856796/; classtype:trojan-activity;sid:84719896; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856797/; classtype:trojan-activity;sid:84719897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.139.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856798/; classtype:trojan-activity;sid:84719898; rev:1;)
# 144.172.88.127: /fvgbh.<arch> names. In every rule shown here the sid equals the
# URLhaus ID in msg plus 80863100, so an alert's sid maps directly back to its
# urlhaus.abuse.ch/url/<id>/ entry in reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.i6"; depth:9; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856789/; classtype:trojan-activity;sid:84719889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.arm7"; depth:11; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856790/; classtype:trojan-activity;sid:84719890; rev:1;)
# 34.86.81.254: bare /meow path. With a URI this short the Host match carries
# nearly all of the rule's specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow"; depth:5; endswith; nocase; http.host; content:"34.86.81.254"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856788/; classtype:trojan-activity;sid:84719888; rev:1;)
# 144.172.88.127 /fvgbh.<arch> entries, interleaved with a second host further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.x86"; depth:10; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856784/; classtype:trojan-activity;sid:84719884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.spc"; depth:10; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856785/; classtype:trojan-activity;sid:84719885; rev:1;)
# 35.237.91.38: /meow and /meowarm64 are separate rules. endswith keeps the /meow
# rule from also firing on /meowarm64, so a hit identifies which of the two paths
# was requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow"; depth:5; endswith; nocase; http.host; content:"35.237.91.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856786/; classtype:trojan-activity;sid:84719886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meowarm64"; depth:10; endswith; nocase; http.host; content:"35.237.91.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856787/; classtype:trojan-activity;sid:84719887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.mips"; 
depth:11; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856779/; classtype:trojan-activity;sid:84719879; rev:1;)
# Remaining /fvgbh.<arch> rules for 144.172.88.127. All carry rev:1 and
# metadata:created_at 2026_06_01; created_at is the only age signal inside the rule,
# which matters when deciding how long to keep an indicator loaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.mpsl"; depth:11; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856780/; classtype:trojan-activity;sid:84719880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.arm6"; depth:11; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856781/; classtype:trojan-activity;sid:84719881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.arm"; depth:10; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856782/; classtype:trojan-activity;sid:84719882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvgbh.arm5"; depth:11; endswith; nocase; http.host; content:"144.172.88.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856783/; classtype:trojan-activity;sid:84719883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3856776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fce2084e068f51c7.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856776/; classtype:trojan-activity;sid:84719876; rev:1;)
# 91.92.242.236: .exe paths under /files-129312398/files/ that differ only in the
# 16-hex-character file name. Each rule pins one full path, so another file name in
# the same directory is not covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_c3a04d0ec5a6a4c7.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856777/; classtype:trojan-activity;sid:84719877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_556fb6444bf472a8.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856778/; classtype:trojan-activity;sid:84719878; rev:1;)
# Generic paths (/bin.sh, /i) on single addresses: only the exact Host value
# separates these from an unrelated request for the same path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.33.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856774/; classtype:trojan-activity;sid:84719874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.39.240"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856775/; classtype:trojan-activity;sid:84719875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.119.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856773/; classtype:trojan-activity;sid:84719873; rev:1;)
# 176.65.139.124: /bins/<arch> set. flow:established,from_client restricts matching
# to client-to-server data on established flows, and the http.method buffer must
# contain GET, so other request methods for the same URL do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856767/; classtype:trojan-activity;sid:84719867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856768/; classtype:trojan-activity;sid:84719868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856769/; classtype:trojan-activity;sid:84719869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; 
depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856770/; classtype:trojan-activity;sid:84719870; rev:1;)
# 176.65.139.124 /bins/<arch> continued. Direction is $HOME_NET -> $EXTERNAL_NET, so
# coverage depends on how those two variables are defined on the sensor; a client
# outside HOME_NET requesting the same URL does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856771/; classtype:trojan-activity;sid:84719871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856772/; classtype:trojan-activity;sid:84719872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856760/; classtype:trojan-activity;sid:84719860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856761/; classtype:trojan-activity;sid:84719861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3856762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856762/; classtype:trojan-activity;sid:84719862; rev:1;)
# /bins/arm, /bins/arm5 and /bins/arm7 are separate rules on 176.65.139.124: endswith
# with depth equal to the pattern length makes each an exact match, so the /bins/arm
# rule above does not fire on /bins/arm5 and every architecture needs its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856763/; classtype:trojan-activity;sid:84719863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856764/; classtype:trojan-activity;sid:84719864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856765/; classtype:trojan-activity;sid:84719865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856766/; 
classtype:trojan-activity;sid:84719866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dbg"; depth:9; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856759/; classtype:trojan-activity;sid:84719859; rev:1;)
# 176.65.139.68: paths sit at the web root and consist only of an architecture name
# (/m68k, /sh4, /sparc, ...). The URI part is weak on its own; each rule is only as
# specific as its exact Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856755/; classtype:trojan-activity;sid:84719855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856756/; classtype:trojan-activity;sid:84719856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856757/; classtype:trojan-activity;sid:84719857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856758/; classtype:trojan-activity;sid:84719858; rev:1;)
# 176.65.139.68 continued. classtype:trojan-activity and the msg text are the same for
# every rule apart from the URLhaus ID; the rules carry no per-indicator severity or
# family tag, so triage context has to come from the reference:url entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856750/; classtype:trojan-activity;sid:84719850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856751/; classtype:trojan-activity;sid:84719851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856752/; classtype:trojan-activity;sid:84719852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856753/; classtype:trojan-activity;sid:84719853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; 
endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856754/; classtype:trojan-activity;sid:84719854; rev:1;)
# 176.65.139.117 serves the same /bins/<arch> path names that other rules on this
# page pin to 176.65.139.124. Because every rule fixes the Host value, an identical
# path on a new address is not detected until the feed lists that address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856749/; classtype:trojan-activity;sid:84719849; rev:1;)
# Unrelated single indicator (45.194.92.29, /arc) between the 176.65.139.117 entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856748/; classtype:trojan-activity;sid:84719848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856745/; classtype:trojan-activity;sid:84719845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856746/; classtype:trojan-activity;sid:84719846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856747)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856747/; classtype:trojan-activity;sid:84719847; rev:1;)
# Rules are not grouped by host: a /bin.sh indicator for 119.189.141.238 sits between
# the 176.65.139.117 /bins/<arch> entries. Per-host correlation has to be done on the
# alert data (http.host), not by position in the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.189.141.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856744/; classtype:trojan-activity;sid:84719844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dbg"; depth:9; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856743/; classtype:trojan-activity;sid:84719843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856736/; classtype:trojan-activity;sid:84719836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856737/; classtype:trojan-activity;sid:84719837; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856738/; classtype:trojan-activity;sid:84719838; rev:1;)
# 176.65.139.117 /bins/<arch> continued. The msg text differs between rules only in
# the URLhaus ID, so thresholding or suppression is easier to key on sid or on the
# reference than on msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856739/; classtype:trojan-activity;sid:84719839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856740/; classtype:trojan-activity;sid:84719840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856741/; classtype:trojan-activity;sid:84719841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; 
reference:url, urlhaus.abuse.ch/url/3856742/; classtype:trojan-activity;sid:84719842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856734/; classtype:trojan-activity;sid:84719834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856735/; classtype:trojan-activity;sid:84719835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.72.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856733/; classtype:trojan-activity;sid:84719833; rev:1;)
# 176.65.139.153: /rebirth.<arch> names. This address and 176.65.139.117 above share
# the same first three octets; the rules do not express that relationship, so any
# range-level view has to be built from the alert data outside this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm5"; depth:13; endswith; nocase; http.host; content:"176.65.139.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856731/; classtype:trojan-activity;sid:84719831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mips"; depth:13; endswith; 
nocase; http.host; content:"176.65.139.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856732/; classtype:trojan-activity;sid:84719832; rev:1;)
# /rebirth.<arch> on 176.65.139.153. Each rule reproduces one listed URL exactly
# (full http.uri plus full Host), so these are indicator matches for known URLs
# rather than behavioural detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856727/; classtype:trojan-activity;sid:84719827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm6"; depth:13; endswith; nocase; http.host; content:"176.65.139.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856728/; classtype:trojan-activity;sid:84719828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mpsl"; depth:13; endswith; nocase; http.host; content:"176.65.139.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856729/; classtype:trojan-activity;sid:84719829; rev:1;)
# Two-byte URI (/i) on 45.194.50.3: the path contributes almost nothing, the Host
# value is the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.194.50.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856730/; classtype:trojan-activity;sid:84719830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856726)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm7"; depth:13; endswith; nocase; http.host; content:"176.65.139.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856726/; classtype:trojan-activity;sid:84719826; rev:1;)
# /i and /bin.sh on individual addresses. 125.40.39.240 also appears on this page
# with /i (URLhaus ID 3856775); the two are independent sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.31.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856725/; classtype:trojan-activity;sid:84719825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.39.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856724/; classtype:trojan-activity;sid:84719824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.68.160.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856723/; classtype:trojan-activity;sid:84719823; rev:1;)
# Hostname-based indicator: a UUID-shaped path on gozilwl.overlokcu.com. The Host
# match is exact (depth:21 plus isdataat:!1,relative), so other labels under
# overlokcu.com are not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a2243150-cc50-4006-9370-f79f6f86a19c"; depth:37; endswith; nocase; http.host; content:"gozilwl.overlokcu.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856722/; 
classtype:trojan-activity;sid:84719822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856721/; classtype:trojan-activity;sid:84719821; rev:1;)
# NOTE(review): |3f| is the hex escape for '?', so the URI pattern below is 44 bytes
# ("/?ublib=" plus a 36-character UUID), yet depth is 47. 47 is the length obtained
# when |3f| is counted as four characters. With endswith this still requires the
# pattern at the end of http.uri, but up to three leading bytes are tolerated before
# it, unlike the exact match in the neighbouring rules. Low impact; depth:44 would
# restore the exact match, and the mismatch looks like a generator issue worth
# reporting upstream rather than patching locally - confirm against the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=d39b619c-3bd5-4ec8-8969-e18007fa194f"; depth:47; endswith; nocase; http.host; content:"gnetier6.hegong-tools.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856720/; classtype:trojan-activity;sid:84719820; rev:1;)
# Second overlokcu.com label (ekqtbnv) with a different UUID-shaped path; each
# label/path pair is its own exact-match rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/715789d8-bc15-412c-a051-92b3260d4ceb"; depth:37; endswith; nocase; http.host; content:"ekqtbnv.overlokcu.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856719/; classtype:trojan-activity;sid:84719819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.115.158"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856718/; classtype:trojan-activity;sid:84719818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856717/; classtype:trojan-activity;sid:84719817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.115.158"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856716/; classtype:trojan-activity;sid:84719816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.213.224.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856715/; classtype:trojan-activity;sid:84719815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.90.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856714/; classtype:trojan-activity;sid:84719814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856713/; classtype:trojan-activity;sid:84719813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856712)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.68.160.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856712/; classtype:trojan-activity;sid:84719812; rev:1;)
# Triage note: these signatures inspect only the request (flow ... from_client plus the
# http.method / http.uri / http.host buffers). An alert shows that a $HOME_NET client asked
# for the URL over plain HTTP; nothing here inspects the response, so confirm whether a
# payload was actually returned from HTTP/file logs before treating the host as infected.
# Several hosts in this span are covered twice, once for "/i" and once for "/bin.sh"
# (110.36.72.243, 222.141.130.43, 182.119.254.177); correlate those alerts per source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.72.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856711/; classtype:trojan-activity;sid:84719811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.119.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856710/; classtype:trojan-activity;sid:84719810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.72.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856709/; classtype:trojan-activity;sid:84719809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.90.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856708/; classtype:trojan-activity;sid:84719808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.130.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856707/; classtype:trojan-activity;sid:84719807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1213b518-d1f0-4692-a104-ca3798427778"; depth:37; endswith; nocase; http.host; content:"xelecqe.yutongdrying.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856706/; classtype:trojan-activity;sid:84719806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.254.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856705/; classtype:trojan-activity;sid:84719805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c69d9fa5-c6eb-4c5f-958b-487d884f3342"; depth:37; endswith; nocase; http.host; content:"apgagls.bonuliautoparts.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856704/; classtype:trojan-activity;sid:84719804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.254.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856703/; classtype:trojan-activity;sid:84719803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.44.147.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856702/; classtype:trojan-activity;sid:84719802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.130.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856701/; classtype:trojan-activity;sid:84719801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.152.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856700/; classtype:trojan-activity;sid:84719800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5082969b-50c5-4dbd-a5fd-8bd2ed22e582"; depth:37; endswith; nocase; http.host; content:"dufnsng.daqotransformers.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856699/; classtype:trojan-activity;sid:84719799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856698)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.161.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856698/; classtype:trojan-activity;sid:84719798; rev:1;)
# Pivoting from an alert: the number in msg and in the reference URL is the URLhaus entry id.
# In every rule of this span sid = that id + 80863100 (e.g. 3856697 -> 84719797), so either
# field leads back to the same urlhaus.abuse.ch/url/<id>/ record.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.147.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856697/; classtype:trojan-activity;sid:84719797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.216.48.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856696/; classtype:trojan-activity;sid:84719796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.23.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856695/; classtype:trojan-activity;sid:84719795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.56.177"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856694/; classtype:trojan-activity;sid:84719794; rev:1;)
# NOTE(review): `|3f|` encodes the single byte '?', so this content is 44 bytes but depth is 47
# (the length of the escaped text). Combined with endswith, a URI with up to 3 extra leading
# bytes still matches; the rule is slightly looser than the exact-match rules around it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=553a8eff-4b41-4a73-9247-2a79de626e81"; depth:47; endswith; nocase; http.host; content:"mjvdhq4d.destek1.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856693/; classtype:trojan-activity;sid:84719793; rev:1;)
# The next five rules share one host (31.56.209.220) and differ only in the URI path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"31.56.209.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856688/; classtype:trojan-activity;sid:84719788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"31.56.209.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856689/; classtype:trojan-activity;sid:84719789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink"; depth:7; endswith; nocase; http.host; content:"31.56.209.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856690/; classtype:trojan-activity;sid:84719790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"31.56.209.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856691/; classtype:trojan-activity;sid:84719791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"31.56.209.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856692/; classtype:trojan-activity;sid:84719792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.186.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856687/; classtype:trojan-activity;sid:84719787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2315bb24-f5d0-49fd-bb5a-351e28d89557"; depth:37; endswith; nocase; http.host; content:"kdwuzpk.yutongdrying.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856686/; classtype:trojan-activity;sid:84719786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.56.177"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856685/; classtype:trojan-activity;sid:84719785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"222.140.161.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856684/; classtype:trojan-activity;sid:84719784; rev:1;)
# Match precision in these rules:
#   - http.method content:"GET" carries no depth/endswith, so it is a substring test on the
#     method buffer, unlike the anchored URI and Host tests.
#   - The Host test is exact on the full name. For the hostname rules (random-looking label
#     under a parent domain) a different label under the same parent does not match; use the
#     feed's domain-level data as well if parent-domain coverage is wanted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.176.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856683/; classtype:trojan-activity;sid:84719783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.147.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856682/; classtype:trojan-activity;sid:84719782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.23.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856681/; classtype:trojan-activity;sid:84719781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.186.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856680/; classtype:trojan-activity;sid:84719780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ce78b476-61c7-4fd9-b8d1-e60d6e15ccf7"; depth:37; endswith; nocase; http.host; content:"nozeunl.xfgautoparts.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856679/; classtype:trojan-activity;sid:84719779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.176.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856678/; classtype:trojan-activity;sid:84719778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.41.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856677/; classtype:trojan-activity;sid:84719777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"106.58.23.116"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856676/; classtype:trojan-activity;sid:84719776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a580b70a-241b-4d0c-916d-cba8d560d772"; depth:37; endswith; nocase; http.host; content:"mgjfhpa.overlokcu.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856675/; classtype:trojan-activity;sid:84719775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.167.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856674/; classtype:trojan-activity;sid:84719774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"106.58.23.116"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856673/; classtype:trojan-activity;sid:84719773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.143.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856672/; classtype:trojan-activity;sid:84719772; rev:1;)
# NOTE(review): depth:47 counts the escaped text; `|3f|` is one byte, so the pattern is 44
# bytes and the URI may carry up to 3 bytes before it and still match (suffix match, not exact).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=42efb428-9eb4-4b0e-bcdc-d8386c8bb3ff"; depth:47; endswith; nocase; http.host; content:"k5k1f5zd.cloudzone.tr"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856671/; classtype:trojan-activity;sid:84719771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/65c67296-8cd6-49d9-868e-22e58b439d4a"; depth:37; endswith; nocase; http.host; 
content:"isvfuzb.nasbt.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856670/; classtype:trojan-activity;sid:84719770; rev:1;)
# Indicator age: the only lifecycle data in these rules is metadata:created_at and rev:1;
# there is no expiry field. Many entries pin a bare IPv4 address, which can be reassigned,
# so load a current copy of the feed rather than an archived one and weigh alerts on old
# created_at dates accordingly.
# Rules are not listed in strict id order (e.g. 3856664 precedes 3856665); each rule is
# independent, so the order carries no meaning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.170.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856669/; classtype:trojan-activity;sid:84719769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856668/; classtype:trojan-activity;sid:84719768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.109.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856667/; classtype:trojan-activity;sid:84719767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.143.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856666/; classtype:trojan-activity;sid:84719766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.103.116.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856664/; classtype:trojan-activity;sid:84719764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.113.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856665/; classtype:trojan-activity;sid:84719765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.210.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856663/; classtype:trojan-activity;sid:84719763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856662/; classtype:trojan-activity;sid:84719762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.67.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856661/; classtype:trojan-activity;sid:84719761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/87b13776-36fd-4451-8a9f-e49970c0816a"; depth:37; endswith; nocase; http.host; content:"zrcvuwg.ismailnas.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856660/; classtype:trojan-activity;sid:84719760; rev:1;)
# The remaining rules in this span target one host (176.65.149.23) with paths under /bins/.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856658/; classtype:trojan-activity;sid:84719758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856659/; classtype:trojan-activity;sid:84719759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856656/; classtype:trojan-activity;sid:84719756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, 
urlhaus.abuse.ch/url/3856657/; classtype:trojan-activity;sid:84719757; rev:1;)
# Deployment dependencies visible in the rule header and options:
#   - Direction is $HOME_NET -> $EXTERNAL_NET, so a rule fires only when the requesting client
#     falls inside HOME_NET and the server outside it; both are address variables from the
#     sensor configuration, and a wrong HOME_NET silently disables the whole set.
#   - classtype:trojan-activity sets the alert priority through classification.config
#     (priority 1 in the stock file; verify against the local copy).
#   - `alert http` needs the HTTP request in the clear; the same URL fetched over TLS is not
#     visible to these rules unless traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856650/; classtype:trojan-activity;sid:84719750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856651/; classtype:trojan-activity;sid:84719751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856652/; classtype:trojan-activity;sid:84719752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856653/; classtype:trojan-activity;sid:84719753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856654/; classtype:trojan-activity;sid:84719754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"176.65.149.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856655/; classtype:trojan-activity;sid:84719755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.88.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856649/; classtype:trojan-activity;sid:84719749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"159.255.2.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856648/; classtype:trojan-activity;sid:84719748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.183.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856647/; classtype:trojan-activity;sid:84719747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.67.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856646/; classtype:trojan-activity;sid:84719746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856645/; classtype:trojan-activity;sid:84719745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"159.255.2.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856644/; classtype:trojan-activity;sid:84719744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.18.41"; depth:10; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856643/; classtype:trojan-activity;sid:84719743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.208.112.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856642/; classtype:trojan-activity;sid:84719742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3856641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.25.123.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856641/; classtype:trojan-activity;sid:84719740; rev:1;)
# `nocase` follows the http.uri content, so the path comparison is case-insensitive
# (e.g. the two .exe paths on 91.92.242.236 also match in upper case). The http.host
# literals are written in lower case throughout.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.8.230"; depth:12; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856640/; classtype:trojan-activity;sid:84719740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_cf0ada133aee1be5.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856639/; classtype:trojan-activity;sid:84719739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/207a1bd8-f319-4c75-9e21-526dbb0b1972"; depth:37; endswith; nocase; http.host; content:"pljiquv.destek1.com.tr"; depth:22; isdataat:!1,relative; metadata:created_at 2026_06_01; reference:url, urlhaus.abuse.ch/url/3856638/; classtype:trojan-activity;sid:84719738; rev:1;)
# From here on the rules carry metadata:created_at 2026_05_31 (earlier entries: 2026_06_01).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a574ae5424d55beb.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856637/; classtype:trojan-activity;sid:84719737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.82.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856636/; classtype:trojan-activity;sid:84719736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.210.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856635/; classtype:trojan-activity;sid:84719735; rev:1;)
# The remaining complete rules share one host (46.23.108.236) and differ only in the
# "/gov.<suffix>" path; alerts on several of them from one client belong together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.mips"; depth:9; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856634/; classtype:trojan-activity;sid:84719734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.sparc"; depth:10; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856625/; classtype:trojan-activity;sid:84719725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.armv7l"; depth:11; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856626/; classtype:trojan-activity;sid:84719726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.armv6l"; depth:11; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856627/; classtype:trojan-activity;sid:84719727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.armv5l"; depth:11; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856628/; classtype:trojan-activity;sid:84719728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.sh4"; depth:8; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856629/; classtype:trojan-activity;sid:84719729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.armv4l"; depth:11; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856630/; classtype:trojan-activity;sid:84719730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3856631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.mipsrouter"; depth:15; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856631/; classtype:trojan-activity;sid:84719731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.x86"; depth:8; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856632/; classtype:trojan-activity;sid:84719732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.m68k"; depth:9; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856633/; classtype:trojan-activity;sid:84719733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gov.mipsel"; depth:11; endswith; nocase; http.host; content:"46.23.108.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856624/; classtype:trojan-activity;sid:84719724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.113.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856623/; classtype:trojan-activity;sid:84719723; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/07d524be-4d73-44b6-9aaf-233ad274ca1d"; depth:37; endswith; nocase; http.host; content:"ykrtpwu.destek1.com.tr"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856622/; classtype:trojan-activity;sid:84719722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.86.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856621/; classtype:trojan-activity;sid:84719721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.186.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856620/; classtype:trojan-activity;sid:84719720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.196.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856619/; classtype:trojan-activity;sid:84719719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.147.170"; depth:15; isdataat:!1,relative; 
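metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856618/; classtype:trojan-activity;sid:84719718; rev:1;)
# Each rule below is an exact-match indicator: GET request, http.uri equal to the
# quoted path (depth = pattern length, plus endswith) and http.host equal to the
# quoted value (depth = pattern length, plus isdataat:!1,relative).
# "alert http" inspects cleartext HTTP only; the same URL fetched over TLS is not
# seen by these rules unless the traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.236.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856616/; classtype:trojan-activity;sid:84719716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.86.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856617/; classtype:trojan-activity;sid:84719717; rev:1;)
# depth corrected from 47 to 44 on the http.uri content below. |3f| is a single
# byte ("?"), so the decoded pattern is 44 bytes; 47 is the length of the escaped
# text. With depth:47 plus endswith, a URI carrying up to three extra leading
# bytes would still match; depth:44 pins the exact URI like the neighbouring rules.
# A feed refresh will overwrite this local edit, so report the mismatch upstream too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=8be37cea-163b-4a44-93f8-b566be60d54c"; depth:44; endswith; nocase; http.host; content:"1aed1cm5.cloudzone.com.tr"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856615/; classtype:trojan-activity;sid:84719715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.230.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856614/; classtype:trojan-activity;sid:84719714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856613)"; flow:established,from_client; http.method; content:"GET"; 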
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.186.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856613/; classtype:trojan-activity;sid:84719713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856612/; classtype:trojan-activity;sid:84719712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.230.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856611/; classtype:trojan-activity;sid:84719711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/81bce946-a2c8-4eac-b5f7-951ed76b0469"; depth:37; endswith; nocase; http.host; content:"qwimnzu.daqotransformers.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856610/; classtype:trojan-activity;sid:84719710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.145.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856608/; classtype:trojan-activity;sid:84719708; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.196.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856609/; classtype:trojan-activity;sid:84719709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.167.206.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856607/; classtype:trojan-activity;sid:84719707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.236.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856606/; classtype:trojan-activity;sid:84719706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklarm7"; depth:8; endswith; nocase; http.host; content:"159.223.171.245"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856604/; classtype:trojan-activity;sid:84719704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklarm"; depth:7; endswith; nocase; http.host; content:"159.223.171.245"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, 
urlhaus.abuse.ch/url/3856605/; classtype:trojan-activity;sid:84719705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.34.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856603/; classtype:trojan-activity;sid:84719703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8472153909/3fpt6m6.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856602/; classtype:trojan-activity;sid:84719702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uns"; depth:4; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856601/; classtype:trojan-activity;sid:84719701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.31.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856600/; classtype:trojan-activity;sid:84719700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/270485e9-f35f-43b3-b15b-24a9728baf0d"; depth:37; endswith; 
nocase; http.host; content:"ymfxhto.czhaijiangdrying.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856599/; classtype:trojan-activity;sid:84719699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.167.206.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856598/; classtype:trojan-activity;sid:84719698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.198.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856597/; classtype:trojan-activity;sid:84719697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.32.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856596/; classtype:trojan-activity;sid:84719696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.198.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856595/; classtype:trojan-activity;sid:84719695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856594)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.34.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856594/; classtype:trojan-activity;sid:84719694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.32.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856593/; classtype:trojan-activity;sid:84719693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.121.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856592/; classtype:trojan-activity;sid:84719692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856591/; classtype:trojan-activity;sid:84719691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.12.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856590/; classtype:trojan-activity;sid:84719690; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/619c1eae-65eb-472c-a12a-89dd652361e9"; depth:37; endswith; nocase; http.host; content:"kbbnzve.cnjiaju.vip"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856589/; classtype:trojan-activity;sid:84719689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.199.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856588/; classtype:trojan-activity;sid:84719688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.231.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856587/; classtype:trojan-activity;sid:84719687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.44.147.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856586/; classtype:trojan-activity;sid:84719686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.37.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, 
urlhaus.abuse.ch/url/3856585/; classtype:trojan-activity;sid:84719685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.116.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856584/; classtype:trojan-activity;sid:84719684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.178.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856583/; classtype:trojan-activity;sid:84719683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.35.88.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856582/; classtype:trojan-activity;sid:84719682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856581/; classtype:trojan-activity;sid:84719681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.186.169.64"; depth:14; 
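isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856580/; classtype:trojan-activity;sid:84719680; rev:1;)
# Each rule below is an exact-match indicator: GET request, http.uri equal to the
# quoted path (depth = pattern length, plus endswith) and http.host equal to the
# quoted value (depth = pattern length, plus isdataat:!1,relative).
# "alert http" inspects cleartext HTTP only; the same URL fetched over TLS is not
# seen by these rules unless the traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.231.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856579/; classtype:trojan-activity;sid:84719679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.116.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856578/; classtype:trojan-activity;sid:84719678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/13161bde-2dd2-486c-b878-e3671800ce97"; depth:37; endswith; nocase; http.host; content:"fmqblzz.bonuliautoparts.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856577/; classtype:trojan-activity;sid:84719677; rev:1;)
# depth corrected from 47 to 44 on the http.uri content below. |3f| is a single
# byte ("?"), so the decoded pattern is 44 bytes; 47 is the length of the escaped
# text. With depth:47 plus endswith, a URI carrying up to three extra leading
# bytes would still match; depth:44 pins the exact URI like the neighbouring rules.
# A feed refresh will overwrite this local edit, so report the mismatch upstream too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=2426627f-a310-444c-b05e-d8d4ebcd3078"; depth:44; endswith; nocase; http.host; content:"eg125q1i.dvfb-vn.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856576/; classtype:trojan-activity;sid:84719676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 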
(3856575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.178.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856575/; classtype:trojan-activity;sid:84719675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.203.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856574/; classtype:trojan-activity;sid:84719674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.159.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856573/; classtype:trojan-activity;sid:84719673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.35.88.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856572/; classtype:trojan-activity;sid:84719672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856571/; classtype:trojan-activity;sid:84719671; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.169.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856570/; classtype:trojan-activity;sid:84719670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.226.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856569/; classtype:trojan-activity;sid:84719669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/49dd7ba1-d7d7-4767-a28d-4dc32f0e406b"; depth:37; endswith; nocase; http.host; content:"ldtdyke.allnaparts.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856568/; classtype:trojan-activity;sid:84719668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.153.196.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856567/; classtype:trojan-activity;sid:84719667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.219.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; 
reference:url, urlhaus.abuse.ch/url/3856566/; classtype:trojan-activity;sid:84719666; rev:1;)
# URLhaus feed signatures: one rule per reported URL, all built from one template.
#   alert http $HOME_NET any -> $EXTERNAL_NET any + flow:established,from_client
#       Request side of an established flow leaving HOME_NET. Coverage depends
#       on HOME_NET/EXTERNAL_NET matching the monitored network, and the http
#       protocol keyword limits the rules to traffic Suricata parses as HTTP;
#       the same URL fetched over TLS is not visible to them without decryption.
#   http.uri  content:"<path>"; depth:<len>; endswith; nocase;
#       depth equal to the pattern length anchors the match at the first byte
#       and endswith at the last, so the pattern must be the whole URI buffer
#       (case-insensitive). The same path with anything appended, such as a
#       query string, does not alert.
#   http.host content:"<host>"; depth:<len>; isdataat:!1,relative;
#       Same whole-buffer match, written with isdataat instead of endswith.
#       No nocase on this buffer; every host pattern is already lowercase.
#   msg, reference and sid each carry the URLhaus entry id for pivoting.
# Several hosts appear twice, once with /i and once with /bin.sh (for example
# 182.121.57.111 in 3856565 and 3856558), so alerts from both sids against one
# host describe the same server.
# NOTE(review): most hosts are bare IPv4 addresses, all stamped created_at
# 2026_05_31 at rev:1. Presumably the feed drops entries as URLs go offline, so
# the ruleset should be refreshed on a schedule rather than pinned - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.57.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856565/; classtype:trojan-activity;sid:84719665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.37.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856564/; classtype:trojan-activity;sid:84719664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.170.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856563/; classtype:trojan-activity;sid:84719663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.4.28"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856562/; classtype:trojan-activity;sid:84719662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.153.196.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856561/; classtype:trojan-activity;sid:84719661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.8.230"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856560/; classtype:trojan-activity;sid:84719660; rev:1;)
# Domain-hosted entry: a short random-looking host label with a UUID-shaped
# path. 3856548, 3856543 and 3856538 below have the same shape. Because the
# whole URI is pinned, a different UUID on the same host is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a330963-0940-415a-9ca2-bbf957728d1b"; depth:37; endswith; nocase; http.host; content:"cuzxamf.airtechmedical.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856559/; classtype:trojan-activity;sid:84719659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.57.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856558/; classtype:trojan-activity;sid:84719658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856557/; classtype:trojan-activity;sid:84719657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.148.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856556/; classtype:trojan-activity;sid:84719656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.219.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856555/; classtype:trojan-activity;sid:84719655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.238.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856554/; classtype:trojan-activity;sid:84719654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856553/; classtype:trojan-activity;sid:84719653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.37.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856552/; classtype:trojan-activity;sid:84719652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.220.145.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856551/; classtype:trojan-activity;sid:84719651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.148.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856550/; classtype:trojan-activity;sid:84719650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.135.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856549/; classtype:trojan-activity;sid:84719649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fd384dc6-babc-46ca-a226-b2dfed76019e"; depth:37; endswith; nocase; http.host; content:"hwfdzzg.lavorcollective.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856548/; classtype:trojan-activity;sid:84719648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.238.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856546/; classtype:trojan-activity;sid:84719646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.157.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856547/; classtype:trojan-activity;sid:84719647; rev:1;)
# NOTE(review): in the next rule |3f| is a single byte ("?"), so the URI
# pattern is 44 bytes while depth is 47, the length of the pattern as typed.
# With endswith the exact URI still matches, but so does a URI carrying up to
# three extra bytes in front of the pattern; depth:44 would pin it exactly like
# the other rules. Worth raising with the feed rather than patching locally,
# since a local edit is presumably lost on the next ruleset update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=10810d6a-4c92-40ea-bbff-84c785288585"; depth:47; endswith; nocase; http.host; content:"252rti6f.letrungkien.info"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856545/; classtype:trojan-activity;sid:84719645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856544/; classtype:trojan-activity;sid:84719644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12531f8f-6be4-4e2c-9752-c87599fe95cf"; depth:37; endswith; nocase; http.host; content:"ljofonx.muveszetiirasok.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856543/; classtype:trojan-activity;sid:84719643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.128.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856542/; classtype:trojan-activity;sid:84719642; rev:1;)
# The next rule is the only one in this group whose path ends in .exe.
# NOTE(review): presumably the requesting host is then a Windows endpoint
# rather than the kind of device that fetches /i or /bin.sh - verify at triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8472153909/hkwqmrm.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856541/; classtype:trojan-activity;sid:84719641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.10.144.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856540/; classtype:trojan-activity;sid:84719640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.153.130.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856539/; classtype:trojan-activity;sid:84719639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1ae59227-5d84-430c-accd-667a5b7399fc"; depth:37; endswith; nocase; http.host; content:"ydqgwej.kortalanmuveszet.hu"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856538/; classtype:trojan-activity;sid:84719638; rev:1;)
# URLhaus per-URL signatures. Each rule matches an outbound GET whose URI buffer
# equals the listed path (depth:<len> + endswith, nocase) and whose host buffer
# equals the listed host (depth:<len> + isdataat:!1,relative). Anything appended
# to the path, such as a query string, falls outside the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.109.81.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856537/; classtype:trojan-activity;sid:84719637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.10.144.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856536/; classtype:trojan-activity;sid:84719636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.153.130.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856535/; classtype:trojan-activity;sid:84719635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.179.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856534/; classtype:trojan-activity;sid:84719634; rev:1;)
# Rules 3856533 and 3856522-3856532: twelve URLs on one host, 176.65.149.124,
# sharing the prefix /hiddenbin/boatnet. with the suffixes x86, arm5, arm, sh4,
# arm6, mpsl, spc, arc, mips, ppc, m68k and arm7.
# NOTE(review): the suffixes read as CPU architecture names, i.e. presumably one
# build of the same payload per architecture - confirm on the URLhaus entries.
# Every rule pins the full URI, so a suffix outside this list on the same host
# does not alert; treat hits on any of these sids as one host-level event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856533/; classtype:trojan-activity;sid:84719633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856522/; classtype:trojan-activity;sid:84719622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856523/; classtype:trojan-activity;sid:84719623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856524/; classtype:trojan-activity;sid:84719624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856525/; classtype:trojan-activity;sid:84719625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856526/; classtype:trojan-activity;sid:84719626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856527/; classtype:trojan-activity;sid:84719627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856528/; classtype:trojan-activity;sid:84719628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856529/; classtype:trojan-activity;sid:84719629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856530/; classtype:trojan-activity;sid:84719630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856531/; classtype:trojan-activity;sid:84719631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.149.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856532/; classtype:trojan-activity;sid:84719632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.233.57.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856521/; classtype:trojan-activity;sid:84719621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.128.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856520/; classtype:trojan-activity;sid:84719620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.11.179"; depth:14; isdataat:!1,relative;
metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856519/; classtype:trojan-activity;sid:84719619; rev:1;)
# URLhaus per-URL signatures. Each rule matches an outbound GET whose URI buffer
# equals the listed path (depth:<len> + endswith, nocase) and whose host buffer
# equals the listed host (depth:<len> + isdataat:!1,relative). The rules are
# alert http, so they only see requests Suricata parses as HTTP.
# Several hosts appear twice, once with /i and once with /bin.sh (for example
# 175.148.148.156 in 3856518 and 3856514); both sids then point at one server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.148.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856518/; classtype:trojan-activity;sid:84719618; rev:1;)
# Domain-hosted entry: a short random-looking host label with a UUID-shaped
# path (3856512 below has the same shape). Because the whole URI is pinned, a
# different UUID on the same host is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/29d8ab59-feb0-4779-8b80-7aab295d7aab"; depth:37; endswith; nocase; http.host; content:"bcbjicn.kreativkiteljesedes.hu"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856517/; classtype:trojan-activity;sid:84719617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.179.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856516/; classtype:trojan-activity;sid:84719616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.21.70.189"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856515/; classtype:trojan-activity;sid:84719615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.148.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856514/; classtype:trojan-activity;sid:84719614; rev:1;)
# NOTE(review): in the next rule |3f| is a single byte ("?"), so the URI
# pattern is 44 bytes while depth is 47, the length of the pattern as typed.
# With endswith the exact URI still matches, but so does a URI carrying up to
# three extra bytes in front of the pattern; depth:44 would pin it exactly like
# the other rules. Worth raising with the feed rather than patching locally,
# since a local edit is presumably lost on the next ruleset update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=ac6d6fe8-fc98-4e87-b4e6-70bb8e134741"; depth:47; endswith; nocase; http.host; content:"iiamtrbo.liketudong.biz"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856513/; classtype:trojan-activity;sid:84719613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bc8c6b11-6c7f-4e1e-ac96-ecc5e3a698a1"; depth:37; endswith; nocase; http.host; content:"qksxwop.agivedresphotography.com"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856512/; classtype:trojan-activity;sid:84719612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856511/; classtype:trojan-activity;sid:84719611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856510/; classtype:trojan-activity;sid:84719610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.236.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856509/; classtype:trojan-activity;sid:84719609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.134.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856508/; classtype:trojan-activity;sid:84719608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.199.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856507/; classtype:trojan-activity;sid:84719607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.203.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856506/; classtype:trojan-activity;sid:84719606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856505/; classtype:trojan-activity;sid:84719605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.18.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856504/; classtype:trojan-activity;sid:84719604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.66.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856503/; classtype:trojan-activity;sid:84719603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.66.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856502/; classtype:trojan-activity;sid:84719602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.37.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856501/; classtype:trojan-activity;sid:84719601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afc06485-68a3-43da-9642-37e500fc57e8";
depth:37; endswith; nocase; http.host; content:"dgxarir.artisourlifestyle.com"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856500/; classtype:trojan-activity;sid:84719600; rev:1;)
# URLhaus per-URL signatures. Each rule matches an outbound GET whose URI buffer
# equals the listed path (depth:<len> + endswith, nocase) and whose host buffer
# equals the listed host (depth:<len> + isdataat:!1,relative). Anything appended
# to the path, such as a query string, falls outside the match, and the rules
# only see requests Suricata parses as HTTP.
# msg, reference and sid each carry the URLhaus entry id for pivoting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.236.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856499/; classtype:trojan-activity;sid:84719599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.199.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856498/; classtype:trojan-activity;sid:84719598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.157.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856497/; classtype:trojan-activity;sid:84719597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.209.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856496/; classtype:trojan-activity;sid:84719596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.130.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856495/; classtype:trojan-activity;sid:84719595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.18.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856494/; classtype:trojan-activity;sid:84719594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.35.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856493/; classtype:trojan-activity;sid:84719593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.115.209.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856492/; classtype:trojan-activity;sid:84719592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.223.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856491/; classtype:trojan-activity;sid:84719591; rev:1;)
# Domain-hosted entry: a short random-looking host label with a UUID-shaped
# path (3856481 and 3856471 below have the same shape). Because the whole URI
# is pinned, a different UUID on the same host is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3879c5f9-fafc-40f4-865a-726237a4ba72"; depth:37; endswith; nocase; http.host; content:"anpjcfq.attilahatar.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856490/; classtype:trojan-activity;sid:84719590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.115.209.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856489/; classtype:trojan-activity;sid:84719589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.223.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856488/; classtype:trojan-activity;sid:84719588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.177.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856487/; classtype:trojan-activity;sid:84719587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.243.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856486/; classtype:trojan-activity;sid:84719586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.145.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856485/; classtype:trojan-activity;sid:84719585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.141.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856484/; classtype:trojan-activity;sid:84719584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.70.99"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856483/; classtype:trojan-activity;sid:84719583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856482/; classtype:trojan-activity;sid:84719582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/50b165b7-c2da-4bb4-8970-bb9ce3ca76e7"; depth:37; endswith; nocase; http.host; content:"brvtfsq.designyourlifeinflow.com"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856481/; classtype:trojan-activity;sid:84719581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.130.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856480/; classtype:trojan-activity;sid:84719580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.67.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856479/; classtype:trojan-activity;sid:84719579; rev:1;)
# NOTE(review): in the next rule |3f| is a single byte ("?"), so the URI
# pattern is 44 bytes while depth is 47, the length of the pattern as typed.
# With endswith the exact URI still matches, but so does a URI carrying up to
# three extra bytes in front of the pattern; depth:44 would pin it exactly like
# the other rules. Worth raising with the feed rather than patching locally,
# since a local edit is presumably lost on the next ruleset update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=dd9aecaf-9d95-45a6-ab29-4a231776cee6"; depth:47; endswith; nocase; http.host; content:"as59n9n3.photoshopvn.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856478/; classtype:trojan-activity;sid:84719578; rev:1;)
# The next rule is the only one in this group whose path ends in .exe.
# NOTE(review): presumably the requesting host is then a Windows endpoint
# rather than the kind of device that fetches /i or /bin.sh - verify at triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_eaacfdc24e3fe21d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856477/; classtype:trojan-activity;sid:84719577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.199.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856476/; classtype:trojan-activity;sid:84719576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856475/; classtype:trojan-activity;sid:84719575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.130.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856474/; classtype:trojan-activity;sid:84719574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.107.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856473/; classtype:trojan-activity;sid:84719573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.99.180.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856472/; classtype:trojan-activity;sid:84719572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1520104a-c0df-40c1-b238-38288d894b70"; depth:37; endswith; nocase; http.host; content:"ohabupw.vapebeat.pk"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856471/; classtype:trojan-activity;sid:84719571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.65.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856470/; classtype:trojan-activity;sid:84719570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.127.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856469/; classtype:trojan-activity;sid:84719569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.228.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856467/; classtype:trojan-activity;sid:84719567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.19.182";
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856468/; classtype:trojan-activity;sid:84719568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.39.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856466/; classtype:trojan-activity;sid:84719566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.39.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856465/; classtype:trojan-activity;sid:84719565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856464/; classtype:trojan-activity;sid:84719564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.104.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856463/; classtype:trojan-activity;sid:84719563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856462)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.99.180.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856462/; classtype:trojan-activity;sid:84719562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.228.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856461/; classtype:trojan-activity;sid:84719561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.9.171"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856460/; classtype:trojan-activity;sid:84719560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/52793b00-3b7e-4e2b-b557-f82cca9023d9"; depth:37; endswith; nocase; http.host; content:"crrgjic.vostrovape.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856459/; classtype:trojan-activity;sid:84719559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.145.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856458/; classtype:trojan-activity;sid:84719558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3856457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.59.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856457/; classtype:trojan-activity;sid:84719557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.9.171"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856456/; classtype:trojan-activity;sid:84719556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.177.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856455/; classtype:trojan-activity;sid:84719555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856454/; classtype:trojan-activity;sid:84719554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.225.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856453/; classtype:trojan-activity;sid:84719553; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.239.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856452/; classtype:trojan-activity;sid:84719552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.59.31.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856451/; classtype:trojan-activity;sid:84719551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856450/; classtype:trojan-activity;sid:84719550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=3900284f-2d73-4ddf-a741-db39d31b1f17"; depth:47; endswith; nocase; http.host; content:"37d389gt.botvn.net"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856449/; classtype:trojan-activity;sid:84719549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.225.33"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856448/; classtype:trojan-activity;sid:84719548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.215.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856447/; classtype:trojan-activity;sid:84719547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.197.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856446/; classtype:trojan-activity;sid:84719546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.8.49"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856445/; classtype:trojan-activity;sid:84719545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.87.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856444/; classtype:trojan-activity;sid:84719544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"42.227.239.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856443/; classtype:trojan-activity;sid:84719543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.243.66"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856442/; classtype:trojan-activity;sid:84719542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a83347f4-91c8-427e-9621-465596a5c817"; depth:37; endswith; nocase; http.host; content:"nhkohoq.wlwyb.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856441/; classtype:trojan-activity;sid:84719541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856440/; classtype:trojan-activity;sid:84719540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.59.31.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856439/; classtype:trojan-activity;sid:84719539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856438)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.6.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856438/; classtype:trojan-activity;sid:84719538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.243.66"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856437/; classtype:trojan-activity;sid:84719537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.181.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856436/; classtype:trojan-activity;sid:84719536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6qty"; depth:5; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856435/; classtype:trojan-activity;sid:84719535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856434/; classtype:trojan-activity;sid:84719534; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b3j3"; depth:5; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856433/; classtype:trojan-activity;sid:84719533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jiwm"; depth:5; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856430/; classtype:trojan-activity;sid:84719530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lil"; depth:4; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856431/; classtype:trojan-activity;sid:84719531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etr"; depth:4; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856432/; classtype:trojan-activity;sid:84719532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruhb"; depth:5; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856429/; 
classtype:trojan-activity;sid:84719529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/89c8b8a2-047b-4845-97ac-42192b7d67cd"; depth:37; endswith; nocase; http.host; content:"oplzpps.popi999.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856428/; classtype:trojan-activity;sid:84719528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.82.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856427/; classtype:trojan-activity;sid:84719527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1dl"; depth:4; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856426/; classtype:trojan-activity;sid:84719526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vfz"; depth:4; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856425/; classtype:trojan-activity;sid:84719525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ufdj"; depth:5; endswith; nocase; http.host; content:"188.132.232.81"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856424/; classtype:trojan-activity;sid:84719524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p"; depth:2; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856423/; classtype:trojan-activity;sid:84719523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.104.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856422/; classtype:trojan-activity;sid:84719522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doz"; depth:4; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856421/; classtype:trojan-activity;sid:84719521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.181.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856420/; classtype:trojan-activity;sid:84719520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856419)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.87.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856419/; classtype:trojan-activity;sid:84719519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slo"; depth:4; endswith; nocase; http.host; content:"188.132.232.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856418/; classtype:trojan-activity;sid:84719518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.163.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856417/; classtype:trojan-activity;sid:84719517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.67.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856416/; classtype:trojan-activity;sid:84719516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15415319-cb19-4ab6-a1ad-5a0057dfacce"; depth:37; endswith; nocase; http.host; content:"htciigz.intelect.gr"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856415/; classtype:trojan-activity;sid:84719515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3856414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.122.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856414/; classtype:trojan-activity;sid:84719514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.45.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856413/; classtype:trojan-activity;sid:84719513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.212.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856412/; classtype:trojan-activity;sid:84719512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.122.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856411/; classtype:trojan-activity;sid:84719511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2ec55cf6-ac80-4e73-8789-d3b0f6d5eebf"; depth:37; endswith; nocase; http.host; content:"ijdjqht.ktsagarakis.gr"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856410/; 
classtype:trojan-activity;sid:84719510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.158.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856409/; classtype:trojan-activity;sid:84719509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=e2bf211f-4c72-46f2-8375-8e99e6d2026d"; depth:47; endswith; nocase; http.host; content:"5pfvza4o.cretasoft.gr"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856408/; classtype:trojan-activity;sid:84719508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856407/; classtype:trojan-activity;sid:84719507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.196.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856406/; classtype:trojan-activity;sid:84719506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.51.45.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856405/; classtype:trojan-activity;sid:84719505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.255.43.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856404/; classtype:trojan-activity;sid:84719504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.212.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856403/; classtype:trojan-activity;sid:84719503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.59.47"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856402/; classtype:trojan-activity;sid:84719502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.158.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856401/; classtype:trojan-activity;sid:84719501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856400)"; flow:established,from_client; http.method; 
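content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.196.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856400/; classtype:trojan-activity;sid:84719500; rev:1;)
# --- Reviewer notes on the rules that follow ---------------------------------
# Every rule uses one template; only the URI, the host, the URLhaus id and the
# sid change.
#   flow:established,from_client   client-to-server side of an established flow
#   http.method  content:"GET"     request method
#   http.uri     content:"<path>"; depth:N; endswith; nocase;
#                N equals the pattern's byte length, so depth pins the match to
#                the start of the buffer and endswith to its end: the whole URI
#                has to equal <path>, compared case-insensitively.
#   http.host    content:"<host>"; depth:N; isdataat:!1,relative;
#                same exact-match construction for the host (no data may follow
#                the pattern).
# Many paths are very short or generic ("/i", "/bin.sh", "/x86"), so the exact
# host match is what makes a rule specific. Both conditions are on the request
# only: an alert shows that a $HOME_NET client asked for a listed URL, not that
# the payload was returned or run, so triage should confirm the response and
# look at the requesting host. The rules see only traffic parsed as HTTP.
# Each entry is dated (metadata:created_at) and links to its URLhaus record
# (reference:url); addresses get reassigned, so check the record's current
# status before acting on an old hit.
# -----------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.76.107.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856399/; classtype:trojan-activity;sid:84719499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0f47e297-e227-475d-a9bb-c9e848cf09fe"; depth:37; endswith; nocase; http.host; content:"jtnvsfr.notjustsquare.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856398/; classtype:trojan-activity;sid:84719498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.115.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856397/; classtype:trojan-activity;sid:84719497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.2.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856396/; classtype:trojan-activity;sid:84719496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.115.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856395/; classtype:trojan-activity;sid:84719495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856394/; classtype:trojan-activity;sid:84719494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.2.112"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856393/; classtype:trojan-activity;sid:84719493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.76.107.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856392/; classtype:trojan-activity;sid:84719492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.126.245.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856391/; classtype:trojan-activity;sid:84719491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5032e3d7-eed4-4a97-8ddf-91e1befb53cf"; depth:37; endswith; nocase; http.host; content:"dlacbhw.nonamejustsoul.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856390/; classtype:trojan-activity;sid:84719490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.156.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856389/; classtype:trojan-activity;sid:84719489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.116.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856388/; classtype:trojan-activity;sid:84719488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.255.43.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856387/; classtype:trojan-activity;sid:84719487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856386/; classtype:trojan-activity;sid:84719486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856385/; classtype:trojan-activity;sid:84719485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.168.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856384/; classtype:trojan-activity;sid:84719484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.118.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856383/; classtype:trojan-activity;sid:84719483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.156.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856382/; classtype:trojan-activity;sid:84719482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.70.99"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856381/; classtype:trojan-activity;sid:84719481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856380/; classtype:trojan-activity;sid:84719480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856379/; classtype:trojan-activity;sid:84719479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbb0fd91-83cd-44ac-8f90-f8a0492e532c"; depth:37; endswith; nocase; http.host; content:"rpcmwsz.muveszetiirasok.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856378/; classtype:trojan-activity;sid:84719478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.106.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856377/; classtype:trojan-activity;sid:84719477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.77.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856376/; classtype:trojan-activity;sid:84719476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.126.245.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856375/; classtype:trojan-activity;sid:84719475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.136.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856374/; classtype:trojan-activity;sid:84719474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.232.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856373/; classtype:trojan-activity;sid:84719473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856372/; classtype:trojan-activity;sid:84719472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.162.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856371/; classtype:trojan-activity;sid:84719471; rev:1;)
# Fixed in the next rule: depth was 47, the character count of the pattern text.
# depth counts bytes of the inspected data, and |3f| is a single byte ("?"), so
# the pattern is 44 bytes long. With depth:47 plus endswith the rule also
# accepted URIs carrying up to three extra leading bytes; depth:44 restores the
# exact match that every other rule here has.
# NOTE(review): sid and rev are left as published; the miscount presumably comes
# from the feed generator, so a refresh may bring it back until fixed there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=9b8a35eb-3fda-4255-9d71-ed44ff8727db"; depth:44; endswith; nocase; http.host; content:"czf2txr8.asion.gr"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856370/; classtype:trojan-activity;sid:84719470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.35.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856369/; classtype:trojan-activity;sid:84719469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.74.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856367/; classtype:trojan-activity;sid:84719467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.206.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856368/; classtype:trojan-activity;sid:84719468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d60b06b9-01e2-4001-9053-045433c15d05"; depth:37; endswith; nocase; http.host; content:"saprwbu.lavorcollective.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856366/; classtype:trojan-activity;sid:84719466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.232.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856365/; classtype:trojan-activity;sid:84719465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.136.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856364/; classtype:trojan-activity;sid:84719464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.85.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856362/; classtype:trojan-activity;sid:84719462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.11.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856363/; classtype:trojan-activity;sid:84719463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.206.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856361/; classtype:trojan-activity;sid:84719461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.0.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856360/; classtype:trojan-activity;sid:84719460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.127.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856359/; classtype:trojan-activity;sid:84719459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.85.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856358/; classtype:trojan-activity;sid:84719458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b899fd1e-3b5c-4303-97ed-838740d8bf49"; depth:37; endswith; nocase; http.host; content:"batmemo.kreativkiteljesedes.hu"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856357/; classtype:trojan-activity;sid:84719457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"95.164.6.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856355/; classtype:trojan-activity;sid:84719455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.113.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856356/; classtype:trojan-activity;sid:84719456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.184.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856354/; classtype:trojan-activity;sid:84719454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.11.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856353/; classtype:trojan-activity;sid:84719453; rev:1;)
# Host 45.198.224.8: four architecture-suffixed /blue.* names and one shell
# script (/bins.sh). Hits on more than one of these sids from the same client
# are worth correlating as a single incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blue.arm7"; depth:10; endswith; nocase; http.host; content:"45.198.224.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856352/; classtype:trojan-activity;sid:84719452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blue.x64"; depth:9; endswith; nocase; http.host; content:"45.198.224.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856351/; classtype:trojan-activity;sid:84719451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blue.mips"; depth:10; endswith; nocase; http.host; content:"45.198.224.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856350/; classtype:trojan-activity;sid:84719450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blue.mpsl"; depth:10; endswith; nocase; http.host; content:"45.198.224.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856349/; classtype:trojan-activity;sid:84719449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"45.198.224.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856348/; classtype:trojan-activity;sid:84719448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.184.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856347/; classtype:trojan-activity;sid:84719447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.212.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856346/; classtype:trojan-activity;sid:84719446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.exe"; depth:9; endswith; nocase; http.host; content:"102.220.160.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856345/; classtype:trojan-activity;sid:84719445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.exe"; depth:11; endswith; nocase; http.host; content:"193.17.183.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856344/; classtype:trojan-activity;sid:84719444; rev:1;)
# Host 195.96.132.13: one shell script (/v.sh) and six /k<arch> names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v.sh"; depth:5; endswith; nocase; http.host; content:"195.96.132.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856337/; classtype:trojan-activity;sid:84719437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karm7"; depth:6; endswith; nocase; http.host; content:"195.96.132.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856338/; classtype:trojan-activity;sid:84719438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kmpsl"; depth:6; endswith; nocase; http.host; content:"195.96.132.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856339/; classtype:trojan-activity;sid:84719439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karm"; depth:5; endswith; nocase; http.host; content:"195.96.132.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856340/; classtype:trojan-activity;sid:84719440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karm5"; depth:6; endswith; nocase; http.host; content:"195.96.132.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856341/; classtype:trojan-activity;sid:84719441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kmips"; depth:6; endswith; nocase; http.host; content:"195.96.132.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856342/; classtype:trojan-activity;sid:84719442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karm6"; depth:6; endswith; nocase; http.host; content:"195.96.132.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856343/; classtype:trojan-activity;sid:84719443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.144.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856336/; classtype:trojan-activity;sid:84719436; rev:1;)
# Host 103.83.87.122: eight paths that are bare architecture names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856328/; classtype:trojan-activity;sid:84719428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856329/; classtype:trojan-activity;sid:84719429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856330/; classtype:trojan-activity;sid:84719430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856331/; classtype:trojan-activity;sid:84719431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856332/; classtype:trojan-activity;sid:84719432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856333/; classtype:trojan-activity;sid:84719433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856334/; classtype:trojan-activity;sid:84719434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"103.83.87.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856335/; classtype:trojan-activity;sid:84719435; rev:1;)
# Host 45.194.92.29: fourteen paths, mostly bare architecture names, plus /lol
# and one shell script (/jack5tr.sh).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856327/; classtype:trojan-activity;sid:84719427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856325/; classtype:trojan-activity;sid:84719425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol"; depth:4; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856326/; classtype:trojan-activity;sid:84719426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856322/; classtype:trojan-activity;sid:84719422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856323/; classtype:trojan-activity;sid:84719423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856324/; classtype:trojan-activity;sid:84719424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856317/; classtype:trojan-activity;sid:84719417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856318/; classtype:trojan-activity;sid:84719418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856319/; classtype:trojan-activity;sid:84719419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856320/; classtype:trojan-activity;sid:84719420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856321/; classtype:trojan-activity;sid:84719421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jack5tr.sh"; depth:11; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856315/; classtype:trojan-activity;sid:84719415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856316/; classtype:trojan-activity;sid:84719416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"45.194.92.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856314/; classtype:trojan-activity;sid:84719414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.127.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856313/; classtype:trojan-activity;sid:84719413; rev:1;)
# Hosts 23.146.240.108 and 176.97.210.86: .exe paths under /bin/ whose names
# read like remote-support client installers. NOTE(review): the file name alone
# says nothing about what is served; on a hit, check whether that remote-support
# software is sanctioned on the requesting host at all.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"23.146.240.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856312/; classtype:trojan-activity;sid:84719412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"23.146.240.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856311/; classtype:trojan-activity;sid:84719411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"176.97.210.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856310/; classtype:trojan-activity;sid:84719410; rev:1;)
# Host 95.164.6.120: /p, /bot_aarch64 and /bot here, and /x (3856355) above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p"; depth:2; endswith; nocase; http.host; content:"95.164.6.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856307/; classtype:trojan-activity;sid:84719407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_aarch64"; depth:12; endswith; nocase; http.host; content:"95.164.6.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856308/; classtype:trojan-activity;sid:84719408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot"; depth:4; endswith; nocase; http.host; content:"95.164.6.120"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856309/; classtype:trojan-activity;sid:84719409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0145cb69-ee81-4806-a9ee-193b87209436"; depth:37; endswith; nocase; http.host; content:"mbhofdf.kortalanmuveszet.hu"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856306/; classtype:trojan-activity;sid:84719406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dns"; depth:4; 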
endswith; nocase; http.host; content:"176.65.139.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856305/; classtype:trojan-activity;sid:84719405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.106.225.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856304/; classtype:trojan-activity;sid:84719404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.144.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856298/; classtype:trojan-activity;sid:84719398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arc"; depth:14; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856299/; classtype:trojan-activity;sid:84719399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.155.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856300/; classtype:trojan-activity;sid:84719400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856301)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink/mips"; depth:12; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856301/; classtype:trojan-activity;sid:84719401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink/arm5"; depth:12; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856302/; classtype:trojan-activity;sid:84719402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink/arm"; depth:11; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856303/; classtype:trojan-activity;sid:84719403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink/arm7"; depth:12; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856297/; classtype:trojan-activity;sid:84719397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink/x86"; depth:11; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856291/; classtype:trojan-activity;sid:84719391; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86_64"; depth:17; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856292/; classtype:trojan-activity;sid:84719392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/macosx.zip.b64.part2"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856293/; classtype:trojan-activity;sid:84719393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/e/raw/refs/heads/main/confidential_report.exe"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856294/; classtype:trojan-activity;sid:84719394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/macosx.zip.b64.part1"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856295/; classtype:trojan-activity;sid:84719395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856296)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/sora.sparc"; depth:16; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856296/; classtype:trojan-activity;sid:84719396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/macosx.zip.aes.part2"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856288/; classtype:trojan-activity;sid:84719388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppv"; depth:9; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856289/; classtype:trojan-activity;sid:84719389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips64"; depth:17; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856290/; classtype:trojan-activity;sid:84719390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/e/raw/refs/heads/main/document.hta"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, 
urlhaus.abuse.ch/url/3856284/; classtype:trojan-activity;sid:84719384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/test_portable.lnk"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856285/; classtype:trojan-activity;sid:84719385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/download-macosx.cmd"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856286/; classtype:trojan-activity;sid:84719386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/fix_crypto.ps1"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856287/; classtype:trojan-activity;sid:84719387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink/mpsl"; depth:12; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856283/; classtype:trojan-activity;sid:84719383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3856282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.i686"; depth:15; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856282/; classtype:trojan-activity;sid:84719382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/run-download-macosx.cmd"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856281/; classtype:trojan-activity;sid:84719381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/csharp-version/sys_helper.vbs"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856280/; classtype:trojan-activity;sid:84719380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/test_portable2.lnk"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856279/; classtype:trojan-activity;sid:84719379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856273)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/csharp-version/mango.lnk"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856273/; classtype:trojan-activity;sid:84719373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/lightweight-version/download-macosx.cmd"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856274/; classtype:trojan-activity;sid:84719374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/make-macosx-restore-shortcut.ps1"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856275/; classtype:trojan-activity;sid:84719375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/create-lnk-vbs.cmd"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856276/; classtype:trojan-activity;sid:84719376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856277)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/pure_rel.lnk"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856277/; classtype:trojan-activity;sid:84719377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/restore-macosx-from-cloud.ps1"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856278/; classtype:trojan-activity;sid:84719378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/test3.lnk"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856270/; classtype:trojan-activity;sid:84719370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/download-macosx-from-cloud.lnk"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856271/; classtype:trojan-activity;sid:84719371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/download.macosx.vbs"; depth:69; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856272/; classtype:trojan-activity;sid:84719372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/lightweight-version/launcher_src.py"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856269/; classtype:trojan-activity;sid:84719369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/build_macosx.py"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856266/; classtype:trojan-activity;sid:84719366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/portableshelllink.ps1"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856267/; classtype:trojan-activity;sid:84719367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/raw/refs/heads/main/csharp-version/download-macosx.cmd"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856268/; classtype:trojan-activity;sid:84719368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/macosx_downloader.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856265/; classtype:trojan-activity;sid:84719365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/payload.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856262/; classtype:trojan-activity;sid:84719362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/macosx.zip.aes.part1"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856263/; classtype:trojan-activity;sid:84719363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/poly.cmd"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856264/; 
classtype:trojan-activity;sid:84719364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/macosx.zip.aes.part2"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856261/; classtype:trojan-activity;sid:84719361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/payload.b64"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856260/; classtype:trojan-activity;sid:84719360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/mo-edge.rar"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856256/; classtype:trojan-activity;sid:84719356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe.rar"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856257/; classtype:trojan-activity;sid:84719357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3856258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ptich/main.exe"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856258/; classtype:trojan-activity;sid:84719358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/macosx.zip.b64.part1"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856259/; classtype:trojan-activity;sid:84719359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/macosx.zip.b64.part2"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856254/; classtype:trojan-activity;sid:84719354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/restore-macosx-from-github.ps1"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856255/; classtype:trojan-activity;sid:84719355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856253)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/macosx.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856253/; classtype:trojan-activity;sid:84719353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/build_macosx_aes.py"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856252/; classtype:trojan-activity;sid:84719352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/build_macosx.py"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856251/; classtype:trojan-activity;sid:84719351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/test.vbs"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856249/; classtype:trojan-activity;sid:84719349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/_"; depth:48; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856250/; classtype:trojan-activity;sid:84719350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/mo-edge.lnk"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856246/; classtype:trojan-activity;sid:84719346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/push_all.bat"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856247/; classtype:trojan-activity;sid:84719347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/tai-macosx.hta"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856248/; classtype:trojan-activity;sid:84719348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/tai-macosx-tu-github.rar"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856245/; 
classtype:trojan-activity;sid:84719345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/test-relative-target.ps1"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856243/; classtype:trojan-activity;sid:84719343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/tai-macosx.cmd"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856244/; classtype:trojan-activity;sid:84719344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.229.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856242/; classtype:trojan-activity;sid:84719342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/release_test/tai-macosx-tu-github.lnk"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856241/; classtype:trojan-activity;sid:84719341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3856237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/test_curl.txt"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856237/; classtype:trojan-activity;sid:84719337; rev:1;)
# Auto-generated URLhaus entries, one rule per tracked URL. Each rule alerts on an
# outbound GET (flow:established,from_client) whose http.uri equals the listed path
# (depth equals the content length and endswith pins the end; nocase) and whose
# http.host equals the listed host (depth plus isdataat:!1,relative).
# NOTE(review): these are `alert http` rules for github.com, which is presumably
# fetched over HTTPS; the HTTP parser only sees such a request in cleartext or after
# TLS decryption. Confirm sensor placement before relying on these for coverage.
# Because the match is exact on the full path, ordinary github.com traffic is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/release_test/tai.macosx.vbs"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856238/; classtype:trojan-activity;sid:84719338; rev:1;)
# NOTE(review): the content below carries literal "%20" sequences and depth:141 counts
# them as three bytes each, but http.uri is the normalized URI buffer, where Suricata
# documents %20 as decoded to a space. If that holds for this sensor's libhtp settings,
# this rule cannot match; http.uri.raw is the buffer that keeps the literal encoding.
# Verify against a capture of the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/project%20details%20including%20salary%20and%20terms%20and%20conditions%202026.lnk"; depth:141; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856239/; classtype:trojan-activity;sid:84719339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/macosx.zip.b64.part1"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856240/; classtype:trojan-activity;sid:84719340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3856235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/tai-macosx.cmd"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856235/; classtype:trojan-activity;sid:84719335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/test_relative.lnk"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856236/; classtype:trojan-activity;sid:84719336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/macosx.zip.b64.part2"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856234/; classtype:trojan-activity;sid:84719334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/hta/restore-macosx-from-github.ps1"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856233/; classtype:trojan-activity;sid:84719333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856231)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/macosx_bypass.lnk"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856231/; classtype:trojan-activity;sid:84719331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/macosx_portable.cmd"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856232/; classtype:trojan-activity;sid:84719332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/release_test/chay-tai-macosx.cmd"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856227/; classtype:trojan-activity;sid:84719327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/macosx_curl.lnk"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856228/; classtype:trojan-activity;sid:84719328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856229)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/release_test/restore-macosx-from-github.ps1"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856229/; classtype:trojan-activity;sid:84719329; rev:1;)
# Auto-generated URLhaus entries, one rule per tracked URL. Each rule alerts on an
# outbound GET whose http.uri equals the listed path (depth equals the content length,
# endswith, nocase) and whose http.host equals the listed host. The match is exact, so
# a request for the same file under a different path or with a query string is not covered.
# NOTE(review): the github.com entries are `alert http` rules for a host that is
# presumably fetched over HTTPS; they only fire on cleartext or TLS-decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/macosx.lnk"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856230/; classtype:trojan-activity;sid:84719330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/launcher_src.py"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856226/; classtype:trojan-activity;sid:84719326; rev:1;)
# NOTE(review): this path is under /blob/ rather than /raw/. On GitHub that is normally
# the HTML file-view page, not the file bytes, so a hit here likely means the page was
# opened rather than the payload retrieved. Confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/blob/main/ban-gon-nhe/test_macosx/macosx/suds_000000000000041.wsf"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856225/; classtype:trojan-activity;sid:84719325; rev:1;)
# NOTE(review): the content below carries literal "%20" sequences and depth:131 counts
# them as three bytes each, but http.uri is the normalized URI buffer, where Suricata
# documents %20 as decoded to a space. If that holds on this sensor the rule cannot
# match; http.uri.raw keeps the literal encoding. Verify against a capture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-gon-nhe/project%20details%20including%20salary%20and%20benefits%20for%202026.exe"; depth:131; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856224/; classtype:trojan-activity;sid:84719324; rev:1;)
# NOTE(review): /blob/ path again; likely the HTML file-view page rather than the file itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/blob/main/ban-gon-nhe/test_macosx/macosx/suds_00000000000000041.wsf"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856223/; classtype:trojan-activity;sid:84719323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ae9eea26-43f8-47c9-a2a4-ae4bc04b7a71"; depth:37; endswith; nocase; http.host; content:"ajfohrg.designyourlifeinflow.com"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856222/; classtype:trojan-activity;sid:84719322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-csharp/sys_helper.vbs"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856221/; classtype:trojan-activity;sid:84719321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-csharp/test.exe"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856220/; classtype:trojan-activity;sid:84719320; rev:1;)
# NOTE(review): literal "%20" in an http.uri content (depth:140 counts each as three
# bytes). Same concern as sid 84719324: the normalized buffer is documented to hold a
# decoded space, so this may never match; http.uri.raw keeps the literal form. Verify.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-csharp/project%20details%20including%20salary%20and%20terms%20and%20conditions%202026.lnk"; depth:140; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856219/; classtype:trojan-activity;sid:84719319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-csharp/test_aes.exe"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856218/; classtype:trojan-activity;sid:84719318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/adawcacaw/raw/refs/heads/main/ban-csharp/tai-macosx.cmd"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856217/; classtype:trojan-activity;sid:84719317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856213)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tiiisiet65-sudo/rtyui/refs/heads/main/fix_crypto.ps1"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856213/; classtype:trojan-activity;sid:84719313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/test_cache.cmd"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856214/; classtype:trojan-activity;sid:84719314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/restore-macosx-from-cloud.ps1"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856215/; classtype:trojan-activity;sid:84719315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/make-macosx-restore-shortcut.ps1"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856216/; classtype:trojan-activity;sid:84719316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856212)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tiiisiet65-sudo/rtyui/refs/heads/main/download.macosx.vbs"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856212/; classtype:trojan-activity;sid:84719312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/lightweight-version/download-macosx.cmd"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856211/; classtype:trojan-activity;sid:84719311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/csharp-version/download-macosx.cmd"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856197/; classtype:trojan-activity;sid:84719297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/test_cache2.cmd"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856198/; classtype:trojan-activity;sid:84719298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856199)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tiiisiet65-sudo/rtyui/refs/heads/main/build_macosx.py"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856199/; classtype:trojan-activity;sid:84719299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/lightweight-version/launcher_src.py"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856200/; classtype:trojan-activity;sid:84719300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/download-macosx.cmd"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856201/; classtype:trojan-activity;sid:84719301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/fix_command.ps1"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856202/; classtype:trojan-activity;sid:84719302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/fix_length.ps1"; 
depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856203/; classtype:trojan-activity;sid:84719303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/run-download-macosx.cmd"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856204/; classtype:trojan-activity;sid:84719304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/fix_defender.ps1"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856205/; classtype:trojan-activity;sid:84719305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/portableshelllink.ps1"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856206/; classtype:trojan-activity;sid:84719306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/csharp-version/sys_helper.vbs"; depth:68; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856207/; classtype:trojan-activity;sid:84719307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/create-lnk-vbs.cmd"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856208/; classtype:trojan-activity;sid:84719308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/raw/refs/heads/main/csharp-version/mango.lnk"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856209/; classtype:trojan-activity;sid:84719309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/rtyui/refs/heads/main/fix_iex.ps1"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856210/; classtype:trojan-activity;sid:84719310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.163.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856196/; 
classtype:trojan-activity;sid:84719296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.229.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856195/; classtype:trojan-activity;sid:84719295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/main/macosx.zip.aes.part1"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856193/; classtype:trojan-activity;sid:84719293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/main/macosx.zip.aes.part2"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856194/; classtype:trojan-activity;sid:84719294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiiisiet65-sudo/loioionoaisk/main/download-macosx.cmd"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856192/; classtype:trojan-activity;sid:84719292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3856191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow"; depth:5; endswith; nocase; http.host; content:"34.83.130.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856191/; classtype:trojan-activity;sid:84719291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_bcdff299e4e8f207.msi"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856190/; classtype:trojan-activity;sid:84719290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a65f5594c8f995c4.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856187/; classtype:trojan-activity;sid:84719287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_55e3157424cdcb2d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856188/; classtype:trojan-activity;sid:84719288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_528254f3d9d973e0.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856189/; classtype:trojan-activity;sid:84719289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.28.150.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856186/; classtype:trojan-activity;sid:84719286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856185/; classtype:trojan-activity;sid:84719285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37af3c8e-329b-43a8-83af-f81cfd447f0e"; depth:37; endswith; nocase; http.host; content:"uuzhapr.attilahatar.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856184/; classtype:trojan-activity;sid:84719284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fae2ed0c9d7ec066.msi"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856183/; classtype:trojan-activity;sid:84719283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3856182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d381ccf1c3e3b11b.msi"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856182/; classtype:trojan-activity;sid:84719282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a46c88fac79954ea.msi"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856181/; classtype:trojan-activity;sid:84719281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.106.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856180/; classtype:trojan-activity;sid:84719280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.65.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856179/; classtype:trojan-activity;sid:84719279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3f877080-29f0-496b-b085-070abf72db46"; depth:37; endswith; nocase; http.host; content:"dbdndfs.artisourlifestyle.com"; depth:29; isdataat:!1,relative; 
metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856178/; classtype:trojan-activity;sid:84719278; rev:1;)
# ---------------------------------------------------------------------------
# How to read the generated rules in this section (one rule per line).
#
# Each rule uses the same template:
#   flow:established,from_client
#       Inspect only the client-to-server side of an established flow.
#   http.method; content:"GET";
#       The HTTP method buffer must contain GET.
#   http.uri; content:"<path>"; depth:N; endswith; nocase;
#       depth:N confines the pattern to the first N bytes of the URI buffer
#       and endswith pins it to the end of that buffer. With N equal to the
#       pattern length, the whole URI must equal <path>, compared
#       case-insensitively.
#   http.host; content:"<host>"; depth:N; isdataat:!1,relative;
#       Same exact-match idea for the host buffer: the pattern must sit in
#       the first N bytes and no byte may follow it.
#   metadata:created_at / reference:url
#       Date recorded for the entry and the URLhaus record to consult.
#
# Notes for triage:
#   * Only cleartext HTTP GET requests from $HOME_NET to $EXTERNAL_NET are
#     inspected. The same URL fetched over TLS, with another method, or with
#     an added query string or path suffix does not match.
#   * Paths such as "/i" and "/bin.sh" are generic; those rules are specific
#     only through the http.host match. Most hosts here are bare IP
#     addresses, which can be reassigned, so check an alert against the
#     referenced URLhaus record and the created_at date before treating the
#     destination as still serving malware.
#   * An alert shows that an internal host requested the URL. It does not
#     show that a payload was returned or executed; correlate with HTTP
#     response/file logging and endpoint telemetry.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.68.249.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856177/; classtype:trojan-activity;sid:84719277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.33.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856176/; classtype:trojan-activity;sid:84719276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.91.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856175/; classtype:trojan-activity;sid:84719275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856174/; classtype:trojan-activity;sid:84719274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856173/; classtype:trojan-activity;sid:84719273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.209.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856172/; classtype:trojan-activity;sid:84719272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.95.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856171/; classtype:trojan-activity;sid:84719271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.90.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856170/; classtype:trojan-activity;sid:84719270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.48.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856169/; classtype:trojan-activity;sid:84719269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d15816a5-6e4d-47ae-94f3-c6b74cd1bf18"; depth:37; endswith; nocase; http.host; content:"tuejpvg.agivedresphotography.com"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856168/; classtype:trojan-activity;sid:84719268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.186.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856167/; classtype:trojan-activity;sid:84719267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856166/; classtype:trojan-activity;sid:84719266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856165/; classtype:trojan-activity;sid:84719265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.127.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856164/; classtype:trojan-activity;sid:84719264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.95.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856163/; classtype:trojan-activity;sid:84719263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.48.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856162/; classtype:trojan-activity;sid:84719262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.186.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856161/; classtype:trojan-activity;sid:84719261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.33.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856160/; classtype:trojan-activity;sid:84719260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856159/; classtype:trojan-activity;sid:84719259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.196.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856158/; classtype:trojan-activity;sid:84719258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.116.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856157/; classtype:trojan-activity;sid:84719257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.8.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856156/; classtype:trojan-activity;sid:84719256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.88.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856155/; classtype:trojan-activity;sid:84719255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856154/; classtype:trojan-activity;sid:84719254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.214.181.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856153/; classtype:trojan-activity;sid:84719253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.100.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856152/; classtype:trojan-activity;sid:84719252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856151/; classtype:trojan-activity;sid:84719251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d64ed41-a13d-4d25-8e80-ac1702910cdd"; depth:37; endswith; nocase; http.host; content:"hsvisjx.ktsagarakis.gr"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856150/; classtype:trojan-activity;sid:84719250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.236.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856149/; classtype:trojan-activity;sid:84719249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"197.207.104.92"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856148/; classtype:trojan-activity;sid:84719248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"197.207.104.92"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856147/; classtype:trojan-activity;sid:84719247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.100.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856146/; classtype:trojan-activity;sid:84719246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.106.225.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856145/; classtype:trojan-activity;sid:84719245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.215.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856144/; classtype:trojan-activity;sid:84719244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.214.181.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856143/; classtype:trojan-activity;sid:84719243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/52668371-5f26-47c8-8978-a2cfd3584f24"; depth:37; endswith; nocase; http.host; content:"qsnovga.intelect.gr"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856142/; classtype:trojan-activity;sid:84719242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"49.71.122.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856141/; classtype:trojan-activity;sid:84719241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.203.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856140/; classtype:trojan-activity;sid:84719240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.145.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856139/; classtype:trojan-activity;sid:84719239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.183.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856138/; classtype:trojan-activity;sid:84719238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.23.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856137/; classtype:trojan-activity;sid:84719237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.243.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856136/; classtype:trojan-activity;sid:84719236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.134.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856135/; classtype:trojan-activity;sid:84719235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"49.71.122.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856134/; classtype:trojan-activity;sid:84719234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856133/; classtype:trojan-activity;sid:84719233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.203.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856132/; classtype:trojan-activity;sid:84719232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.243.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856131/; classtype:trojan-activity;sid:84719231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856130/; classtype:trojan-activity;sid:84719230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.115.183.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856129/; classtype:trojan-activity;sid:84719229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.134.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856128/; classtype:trojan-activity;sid:84719228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.241.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856127/; classtype:trojan-activity;sid:84719227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.23.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856126/; classtype:trojan-activity;sid:84719226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.49.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856125/; classtype:trojan-activity;sid:84719225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_acefecd764feb3fe.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856124/; classtype:trojan-activity;sid:84719224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.37.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856122/; classtype:trojan-activity;sid:84719222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.73.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856123/; classtype:trojan-activity;sid:84719223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eeffccbb-b6d6-48b7-a512-0be4e0652e27"; depth:37; endswith; nocase; http.host; content:"kccqafs.enviroment.gr"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856121/; classtype:trojan-activity;sid:84719221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.49.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856120/; classtype:trojan-activity;sid:84719220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.73.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856119/; classtype:trojan-activity;sid:84719219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.37.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856118/; classtype:trojan-activity;sid:84719218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.115.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856117/; classtype:trojan-activity;sid:84719217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/646efb00-ed18-4784-956c-a5f3db237f0a"; depth:37; endswith; nocase; http.host; content:"sqcbwqj.popi999.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856116/; classtype:trojan-activity;sid:84719216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856115/; classtype:trojan-activity;sid:84719215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856113/; classtype:trojan-activity;sid:84719213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.210.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856114/; classtype:trojan-activity;sid:84719214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.130.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856112/; classtype:trojan-activity;sid:84719212; rev:1;)
# NOTE(review): in the next rule |3f| is the hex-escaped "?", so the decoded URI
# pattern is 44 bytes long, while depth is 47 (the length of the escaped text).
# Unlike the other rules in this section, depth therefore exceeds the pattern
# length, and up to three extra leading bytes in http.uri would still satisfy
# depth + endswith. depth:44 would restore the exact match; this looks like a
# generator issue, so raise it with the feed maintainer rather than editing the
# generated rule locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bebbe3fd-a311-48ca-8d5a-a7441fae44c4"; depth:47; endswith; nocase; http.host; content:"qiwiqfdb.botvn.net"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856111/; classtype:trojan-activity;sid:84719211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1e08171-05ea-4277-a250-dbed2833f2af"; depth:37; endswith; nocase; http.host; content:"knmglbn.sm188dvlv.cfd"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856110/; classtype:trojan-activity;sid:84719210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856109/; classtype:trojan-activity;sid:84719209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.44.147.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856108/; classtype:trojan-activity;sid:84719208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.115.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856106/; classtype:trojan-activity;sid:84719206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.210.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856107/; classtype:trojan-activity;sid:84719207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.145.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856105/; classtype:trojan-activity;sid:84719205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856104/; classtype:trojan-activity;sid:84719204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.45.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856103/; classtype:trojan-activity;sid:84719203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856102/; classtype:trojan-activity;sid:84719202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.64.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856101/; classtype:trojan-activity;sid:84719201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.147.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856100/; classtype:trojan-activity;sid:84719200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.145.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856099/; classtype:trojan-activity;sid:84719199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.162.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856098/; classtype:trojan-activity;sid:84719198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.83.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856097/; classtype:trojan-activity;sid:84719197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.45.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856096/; classtype:trojan-activity;sid:84719196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7f639218-b1a2-41e6-9aef-deebcd81b79d"; depth:37; endswith; nocase; http.host; content:"lbcsuyq.payestation.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856095/; classtype:trojan-activity;sid:84719195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.172.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856094/; classtype:trojan-activity;sid:84719194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.236.74.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856093/; classtype:trojan-activity;sid:84719193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.66.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856092/; classtype:trojan-activity;sid:84719192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.41.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856091/; classtype:trojan-activity;sid:84719191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.147.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856090/; classtype:trojan-activity;sid:84719190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.64.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856089/; classtype:trojan-activity;sid:84719189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lmkjn.x86"; depth:10; endswith; nocase; http.host; content:"209.92.170.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856088/; classtype:trojan-activity;sid:84719188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.83.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_31; reference:url, urlhaus.abuse.ch/url/3856087/; classtype:trojan-activity;sid:84719187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.109.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856086/; classtype:trojan-activity;sid:84719186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9e7a933f-9255-4282-b3c3-95c00da62b9b"; depth:37; endswith; nocase; http.host; content:"ehshryo.zsatom.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856085/; classtype:trojan-activity;sid:84719185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.41.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856084/; classtype:trojan-activity;sid:84719184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.113.112.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856083/; classtype:trojan-activity;sid:84719183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3856082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.90.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856082/; classtype:trojan-activity;sid:84719182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.173.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856081/; classtype:trojan-activity;sid:84719181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.141.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856080/; classtype:trojan-activity;sid:84719180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.175.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856079/; classtype:trojan-activity;sid:84719179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3ee4df05132671e5.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, 
urlhaus.abuse.ch/url/3856078/; classtype:trojan-activity;sid:84719178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.186.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856077/; classtype:trojan-activity;sid:84719177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.130.208.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856076/; classtype:trojan-activity;sid:84719176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.86.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856075/; classtype:trojan-activity;sid:84719175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.113.112.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856074/; classtype:trojan-activity;sid:84719174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/67c8b84d-67c8-4798-8315-53947d3727dc"; depth:37; endswith; nocase; http.host; 
content:"izrbtds.wlwyb.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856073/; classtype:trojan-activity;sid:84719173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.42.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856072/; classtype:trojan-activity;sid:84719172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.116.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856071/; classtype:trojan-activity;sid:84719171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=e1b54ddd-f669-4ca0-aedc-92c7a6cc4ce4"; depth:47; endswith; nocase; http.host; content:"b53jdkck.photoshopvn.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856070/; classtype:trojan-activity;sid:84719170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.186.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856069/; classtype:trojan-activity;sid:84719169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3856068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.158.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856068/; classtype:trojan-activity;sid:84719168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.156.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856067/; classtype:trojan-activity;sid:84719167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.235.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856066/; classtype:trojan-activity;sid:84719166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.42.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856065/; classtype:trojan-activity;sid:84719165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.86.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856064/; classtype:trojan-activity;sid:84719164; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6121c2fc-8fc2-412a-92ee-741b50a2f413"; depth:37; endswith; nocase; http.host; content:"xjlghqc.baovietnam.me"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856063/; classtype:trojan-activity;sid:84719163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.0.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856062/; classtype:trojan-activity;sid:84719162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.158.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856061/; classtype:trojan-activity;sid:84719161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.175.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856060/; classtype:trojan-activity;sid:84719160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.0.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; 
reference:url, urlhaus.abuse.ch/url/3856059/; classtype:trojan-activity;sid:84719159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/59c935c1-e029-46a4-979e-1288a419164c"; depth:37; endswith; nocase; http.host; content:"psiwhza.baocongnghe.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856058/; classtype:trojan-activity;sid:84719158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.228.182.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856056/; classtype:trojan-activity;sid:84719156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.173.159.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856057/; classtype:trojan-activity;sid:84719157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.103.121.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856055/; classtype:trojan-activity;sid:84719155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"120.84.212.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856054/; classtype:trojan-activity;sid:84719154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.248.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856053/; classtype:trojan-activity;sid:84719153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/897602dd-4a4a-4f14-876d-5571178b5119"; depth:37; endswith; nocase; http.host; content:"raerscd.autotuongtac.biz"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856052/; classtype:trojan-activity;sid:84719152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.23.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856051/; classtype:trojan-activity;sid:84719151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.84.212.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856050/; classtype:trojan-activity;sid:84719150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3856049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=09063218-3263-4a1d-91f2-e9d48018b2d6"; depth:47; endswith; nocase; http.host; content:"45cbh9h6.liketudong.biz"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856049/; classtype:trojan-activity;sid:84719149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_31a41992cb5eafba.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856048/; classtype:trojan-activity;sid:84719148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.50.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856047/; classtype:trojan-activity;sid:84719147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/085ea1d6-65ee-4ae9-8890-37e422ddf547"; depth:37; endswith; nocase; http.host; content:"bxhnheh.vostrovape.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856046/; classtype:trojan-activity;sid:84719146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.131.238"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856045/; classtype:trojan-activity;sid:84719145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.131.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856044/; classtype:trojan-activity;sid:84719144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.135.133.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856043/; classtype:trojan-activity;sid:84719143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.67.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856042/; classtype:trojan-activity;sid:84719142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856041/; classtype:trojan-activity;sid:84719141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856040)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/682cbb9e-7c24-4382-bb15-b56f0a215231"; depth:37; endswith; nocase; http.host; content:"vjkyzqp.vapebeat.pk"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856040/; classtype:trojan-activity;sid:84719140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3qx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856039/; classtype:trojan-activity;sid:84719139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.153.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856038/; classtype:trojan-activity;sid:84719138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.231.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856037/; classtype:trojan-activity;sid:84719137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856036/; classtype:trojan-activity;sid:84719136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3856035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3f9e3bf5-c6e8-44f1-80ea-0192b5d601b8"; depth:37; endswith; nocase; http.host; content:"nwmhtzx.suslink.com.pk"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856035/; classtype:trojan-activity;sid:84719135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.153.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856034/; classtype:trojan-activity;sid:84719134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.3.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856033/; classtype:trojan-activity;sid:84719133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.17.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856032/; classtype:trojan-activity;sid:84719132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.116.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856031/; 
classtype:trojan-activity;sid:84719131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.94.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856030/; classtype:trojan-activity;sid:84719130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b91a468b-98f3-4c22-a03b-a0a2ecba32e6"; depth:37; endswith; nocase; http.host; content:"tnslzkh.sus.com.pk"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856029/; classtype:trojan-activity;sid:84719129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.3.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856028/; classtype:trojan-activity;sid:84719128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.172.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856027/; classtype:trojan-activity;sid:84719127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"87.120.92.182"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856025/; classtype:trojan-activity;sid:84719125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bbfe6631-3e15-46d7-8123-7ed859d6e330"; depth:47; endswith; nocase; http.host; content:"fxxqmo5b.letrungkien.info"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856026/; classtype:trojan-activity;sid:84719126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856022/; classtype:trojan-activity;sid:84719122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856023/; classtype:trojan-activity;sid:84719123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856024/; classtype:trojan-activity;sid:84719124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856012)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856012/; classtype:trojan-activity;sid:84719112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856013/; classtype:trojan-activity;sid:84719113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dbg"; depth:9; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856014/; classtype:trojan-activity;sid:84719114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856015/; classtype:trojan-activity;sid:84719115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/fuckjews.sh"; depth:17; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856016/; classtype:trojan-activity;sid:84719116; rev:1;) 
# ---------------------------------------------------------------------------
# URLhaus per-URL download rules, restored to one rule per line.
#
# Every rule below has the same shape:
#   * alert http $HOME_NET any -> $EXTERNAL_NET any, flow:established,from_client
#       outbound HTTP request on an established flow, any port.
#   * http.method; content:"GET"
#       the method buffer must contain "GET" (no anchoring on this match).
#   * http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the content length and endswith pins the end of the
#       buffer, so the URI buffer (Suricata's normalized request URI) must
#       equal <path> exactly, compared case-insensitively.
#   * http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       the match must start at offset 0 and no byte may follow it, so the
#       host buffer must equal <host> exactly.
#   * msg / reference carry the URLhaus entry id; in the rules shown here
#     sid is that id plus a constant offset (80863100).
#
# Coverage caveats for triage:
#   * These are `alert http` rules: they only evaluate traffic Suricata parses
#     as HTTP. The same URL fetched over TLS is not inspected by them.
#   * Because URI and host are exact matches, a request to the same host with
#     a different path or an added query string does not fire the rule.
#   * An alert means an internal host requested the URL; it does not show that
#       the payload was delivered or executed -- correlate with the response
#       and with endpoint telemetry.
#   * metadata:created_at is the date stamped by the feed; these are
#     point-in-time indicators -- check the URLhaus entry in `reference` for
#     current status and malware tagging before acting on an old hit.
# ---------------------------------------------------------------------------

# Host 87.120.92.182 -- file names under /bins/ resemble CPU-architecture
# labels (arm7, mpsl, mips, i686, ppc, arm5); presumably per-architecture
# builds of one payload -- confirm against the referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856017/; classtype:trojan-activity;sid:84719117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856018/; classtype:trojan-activity;sid:84719118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856019/; classtype:trojan-activity;sid:84719119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856020/; classtype:trojan-activity;sid:84719120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856021/; classtype:trojan-activity;sid:84719121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"87.120.92.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856011/; classtype:trojan-activity;sid:84719111; rev:1;)

# Host 92.248.231.5 -- single shell-script path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"92.248.231.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856010/; classtype:trojan-activity;sid:84719110; rev:1;)

# Host 103.77.246.174 -- same /bins/<label> naming as above, plus a bare /dbg
# path (sid 84719108) alongside /bins/dbg (sid 84719104); both are separate
# URLhaus entries, so neither rule is a duplicate of the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856009/; classtype:trojan-activity;sid:84719109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856005/; classtype:trojan-activity;sid:84719105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856006/; classtype:trojan-activity;sid:84719106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856007/; classtype:trojan-activity;sid:84719107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbg"; depth:4; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856008/; classtype:trojan-activity;sid:84719108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856000/; classtype:trojan-activity;sid:84719100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856001/; classtype:trojan-activity;sid:84719101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856002/; classtype:trojan-activity;sid:84719102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856003/; classtype:trojan-activity;sid:84719103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3856004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dbg"; depth:9; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3856004/; classtype:trojan-activity;sid:84719104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855995/; classtype:trojan-activity;sid:84719095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855996/; classtype:trojan-activity;sid:84719096; rev:1;)
# URLhaus download-URL indicators (created_at 2026_05_30), one rule per line.
# Each rule matches an outbound ($HOME_NET -> $EXTERNAL_NET) HTTP GET sent by the client
# on an established flow, with two exact-match conditions:
#   - http.uri: content + depth:N + endswith (N = content length), nocase, so the
#     normalized URI must be exactly the listed path; an appended query string or a
#     different path on the same host does not alert.
#   - http.host: content + depth:N + isdataat:!1,relative, so the host must be exactly
#     the listed value with nothing after it.
# The rules match the request only (from_client); they do not show that the server
# answered. Triage should check the response or the endpoint before assuming delivery.
# Only traffic parsed as HTTP is inspected; TLS to the same hosts is not covered here.

# Host 103.77.246.174: /bins/<name> paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855997/; classtype:trojan-activity;sid:84719097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855998/; classtype:trojan-activity;sid:84719098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855999/; classtype:trojan-activity;sid:84719099; rev:1;)

# Domain-named host (.autos): one .sh path and a set of /bins/sora.<name> paths.
# The host content is a hostname rather than an IP literal, so these rules depend on
# the Host value the client sent, not on the address it connected to.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855994/; classtype:trojan-activity;sid:84719094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855990/; classtype:trojan-activity;sid:84719090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855991/; classtype:trojan-activity;sid:84719091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855992/; classtype:trojan-activity;sid:84719092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855993/; classtype:trojan-activity;sid:84719093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855983/; classtype:trojan-activity;sid:84719083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855984/; classtype:trojan-activity;sid:84719084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855985/; classtype:trojan-activity;sid:84719085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855986/; classtype:trojan-activity;sid:84719086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855987/; classtype:trojan-activity;sid:84719087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855988/; classtype:trojan-activity;sid:84719088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"shemaleshavefeelings.autos"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855989/; classtype:trojan-activity;sid:84719089; rev:1;)

# Host 78.13.245.82: /bins/mirai.<name> paths plus /bins/scanlisten, /bins/cnc and
# /bins/bins.sh. The file names contain "mirai"; that is a name, not a verdict.
# Confirm the family through the urlhaus.abuse.ch reference before labelling an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.dbg"; depth:15; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855982/; classtype:trojan-activity;sid:84719082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.mips"; depth:16; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855980/; classtype:trojan-activity;sid:84719080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.spc"; depth:15; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855981/; classtype:trojan-activity;sid:84719081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.x86_64"; depth:18; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855979/; classtype:trojan-activity;sid:84719079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.ppc"; depth:15; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855977/; classtype:trojan-activity;sid:84719077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.mpsl"; depth:16; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855978/; classtype:trojan-activity;sid:84719078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.arm"; depth:15; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855976/; classtype:trojan-activity;sid:84719076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.m68k"; depth:16; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855975/; classtype:trojan-activity;sid:84719075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.gnueabihf"; depth:21; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855973/; classtype:trojan-activity;sid:84719073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scanlisten"; depth:16; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855974/; classtype:trojan-activity;sid:84719074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cnc"; depth:9; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855972/; classtype:trojan-activity;sid:84719072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins.sh"; depth:13; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855968/; classtype:trojan-activity;sid:84719068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.sh4"; depth:15; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855969/; classtype:trojan-activity;sid:84719069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.x86"; depth:15; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855970/; classtype:trojan-activity;sid:84719070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mirai.arm7"; depth:16; endswith; nocase; http.host; content:"78.13.245.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855971/; classtype:trojan-activity;sid:84719071; rev:1;)

# Single-URL indicators, mostly on IP-literal hosts with very short paths (/i, /bin.sh).
# A two-byte URI such as "/i" carries no specificity on its own; these rules are only
# as precise as the exact host match, so do not relax the host condition when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.17.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855967/; classtype:trojan-activity;sid:84719067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.94.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855966/; classtype:trojan-activity;sid:84719066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.247.21.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855965/; classtype:trojan-activity;sid:84719065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.127.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855964/; classtype:trojan-activity;sid:84719064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.172.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855963/; classtype:trojan-activity;sid:84719063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.241.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855962/; classtype:trojan-activity;sid:84719062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.134.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855961/; classtype:trojan-activity;sid:84719061; rev:1;)
# UUID-shaped path on a hostname rather than an IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fa00c508-ee31-4ada-97f3-fba9a6fc9417"; depth:37; endswith; nocase; http.host; content:"pxydleq.nbbmansehra.pk"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855960/; classtype:trojan-activity;sid:84719060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"66.212.186.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855959/; classtype:trojan-activity;sid:84719059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hazooks/areyouajew.sh"; depth:22; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855958/; classtype:trojan-activity;sid:84719058; rev:1;)

# Host 176.65.139.77: /bins/sora.<name> paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855956/; classtype:trojan-activity;sid:84719056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855957/; classtype:trojan-activity;sid:84719057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855955/; classtype:trojan-activity;sid:84719055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855951/; classtype:trojan-activity;sid:84719051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855952/; classtype:trojan-activity;sid:84719052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855953/; classtype:trojan-activity;sid:84719053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855954/; classtype:trojan-activity;sid:84719054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855946/; classtype:trojan-activity;sid:84719046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855947/; classtype:trojan-activity;sid:84719047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855948/; classtype:trojan-activity;sid:84719048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855949/; classtype:trojan-activity;sid:84719049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855950)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855950/; classtype:trojan-activity;sid:84719050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"66.212.186.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855945/; classtype:trojan-activity;sid:84719045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855944/; classtype:trojan-activity;sid:84719044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855932/; classtype:trojan-activity;sid:84719032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855933/; classtype:trojan-activity;sid:84719033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3855934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_i686"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855934/; classtype:trojan-activity;sid:84719034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855935/; classtype:trojan-activity;sid:84719035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855936/; classtype:trojan-activity;sid:84719036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855937/; classtype:trojan-activity;sid:84719037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855938/; 
classtype:trojan-activity;sid:84719038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855939/; classtype:trojan-activity;sid:84719039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855940/; classtype:trojan-activity;sid:84719040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855941/; classtype:trojan-activity;sid:84719041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_i486"; depth:10; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855942/; classtype:trojan-activity;sid:84719042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"91.234.199.32"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855943/; classtype:trojan-activity;sid:84719043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/679ab62e-e928-4214-a141-b468c947d557"; depth:37; endswith; nocase; http.host; content:"dfuvstc.mrvapora.pk"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855931/; classtype:trojan-activity;sid:84719031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.13.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855930/; classtype:trojan-activity;sid:84719030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/mr/random.exe"; depth:20; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855929/; classtype:trojan-activity;sid:84719029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.13.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855928/; classtype:trojan-activity;sid:84719028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855927)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.11.56.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855927/; classtype:trojan-activity;sid:84719027; rev:1;)
# Match semantics of the rules below: in http.uri, depth equals the content length and endswith
# anchors the end of the buffer, so the whole URI must equal the string (case-insensitively, via
# nocase); in http.host, depth plus isdataat:!1,relative requires the host to be exactly the value.
# Consequence for triage: an added query string, a different path or another host does not alert,
# and an "alert http" rule only evaluates requests the engine parses as HTTP.
# NOTE(review): "screenconnect.clientsetup.exe" looks like the ScreenConnect remote-support
# installer name, which also occurs in legitimate deployments. What these rules assert is a
# download from the listed hosts, so triage on host and context, not on the filename alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.11.56.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855926/; classtype:trojan-activity;sid:84719026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"209.99.185.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855925/; classtype:trojan-activity;sid:84719025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"209.99.187.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855924/; classtype:trojan-activity;sid:84719024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"209.99.184.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855923/; 
classtype:trojan-activity;sid:84719023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"209.99.184.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855922/; classtype:trojan-activity;sid:84719022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.134.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855921/; classtype:trojan-activity;sid:84719021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855920/; classtype:trojan-activity;sid:84719020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.13.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855919/; classtype:trojan-activity;sid:84719019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.70.13"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855918/; classtype:trojan-activity;sid:84719018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855917/; classtype:trojan-activity;sid:84719017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7bccd83a-0e71-42a4-9105-e59f941dbfd0"; depth:37; endswith; nocase; http.host; content:"palenyz.gulshans.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855916/; classtype:trojan-activity;sid:84719016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855915/; classtype:trojan-activity;sid:84719015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855914/; classtype:trojan-activity;sid:84719014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855913)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855913/; classtype:trojan-activity;sid:84719013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855911/; classtype:trojan-activity;sid:84719011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855912/; classtype:trojan-activity;sid:84719012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.76.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855910/; classtype:trojan-activity;sid:84719010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855909/; classtype:trojan-activity;sid:84719009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3855908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b49a5b16-07f6-4736-b9b3-63defcff7e20"; depth:47; endswith; nocase; http.host; content:"ouqk5pur.dvfb-vn.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855908/; classtype:trojan-activity;sid:84719008; rev:1;)
# NOTE(review): in the rule ending on the line above (sid:84719008), |3f| is a single byte ('?'),
# so the http.uri content is 44 bytes while depth is 47. endswith still anchors the end of the URI,
# but up to 3 extra leading bytes are tolerated, unlike the neighbouring rules where depth equals
# the content length; depth:44 would make it an exact match. Presumably depth was computed from the
# escaped string. Worth reporting upstream rather than editing a generated feed locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.142.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855907/; classtype:trojan-activity;sid:84719007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a2e0810-1bf0-4a86-9454-675dc05e4e88"; depth:37; endswith; nocase; http.host; content:"mzapcfw.wlwyb.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855906/; classtype:trojan-activity;sid:84719006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855898/; classtype:trojan-activity;sid:84718998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 
2026_05_30; reference:url, urlhaus.abuse.ch/url/3855899/; classtype:trojan-activity;sid:84718999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855900/; classtype:trojan-activity;sid:84719000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rocketmq"; depth:9; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855901/; classtype:trojan-activity;sid:84719001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855902/; classtype:trojan-activity;sid:84719002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855903/; classtype:trojan-activity;sid:84719003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc_eb"; depth:7; 
endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855904/; classtype:trojan-activity;sid:84719004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855905/; classtype:trojan-activity;sid:84719005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855895/; classtype:trojan-activity;sid:84718995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm5"; depth:9; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855896/; classtype:trojan-activity;sid:84718996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm6"; depth:9; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855897/; classtype:trojan-activity;sid:84718997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3855893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855893/; classtype:trojan-activity;sid:84718993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855894/; classtype:trojan-activity;sid:84718994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iphone"; depth:7; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855892/; classtype:trojan-activity;sid:84718992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855891/; classtype:trojan-activity;sid:84718991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goahead.sh"; depth:11; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855890/; 
classtype:trojan-activity;sid:84718990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nsh"; depth:4; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855886/; classtype:trojan-activity;sid:84718986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linnn"; depth:6; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855887/; classtype:trojan-activity;sid:84718987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruck"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855888/; classtype:trojan-activity;sid:84718988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.sh"; depth:6; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855889/; classtype:trojan-activity;sid:84718989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaa"; depth:4; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; 
isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855883/; classtype:trojan-activity;sid:84718983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr"; depth:4; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855884/; classtype:trojan-activity;sid:84718984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855885/; classtype:trojan-activity;sid:84718985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855882/; classtype:trojan-activity;sid:84718982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b"; depth:2; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855880/; classtype:trojan-activity;sid:84718980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855881)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/n"; depth:2; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855881/; classtype:trojan-activity;sid:84718981; rev:1;)
# The rules that follow name 176.65.139.27 as the host, with paths (/rocketmq, /nsh, /goahead.sh,
# /n, ...) that this feed also lists for zyrec2.duckdns.org. http.host is compared against the
# literal string, so a request by name and a request by IP are covered by separate rules.
# NOTE(review): duckdns.org is a dynamic-DNS zone, so the name can be repointed; presumably the
# name and the IP referred to the same server when these entries were created (2026_05_30).
# Confirm against the URLhaus reference pages before blocking on either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rocketmq"; depth:9; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855879/; classtype:trojan-activity;sid:84718979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nsh"; depth:4; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855878/; classtype:trojan-activity;sid:84718978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goahead.sh"; depth:11; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855877/; classtype:trojan-activity;sid:84718977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n"; depth:2; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855869/; classtype:trojan-activity;sid:84718969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3855870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruck"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855870/; classtype:trojan-activity;sid:84718970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b"; depth:2; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855871/; classtype:trojan-activity;sid:84718971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855872/; classtype:trojan-activity;sid:84718972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855873/; classtype:trojan-activity;sid:84718973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855874/; classtype:trojan-activity;sid:84718974; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaa"; depth:4; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855875/; classtype:trojan-activity;sid:84718975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr"; depth:4; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855876/; classtype:trojan-activity;sid:84718976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iphone"; depth:7; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855866/; classtype:trojan-activity;sid:84718966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855867/; classtype:trojan-activity;sid:84718967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.sh"; depth:6; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855868/; 
classtype:trojan-activity;sid:84718968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linnn"; depth:6; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855865/; classtype:trojan-activity;sid:84718965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855864/; classtype:trojan-activity;sid:84718964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855852/; classtype:trojan-activity;sid:84718952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855853/; classtype:trojan-activity;sid:84718953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855854/; classtype:trojan-activity;sid:84718954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855855/; classtype:trojan-activity;sid:84718955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855856/; classtype:trojan-activity;sid:84718956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855857/; classtype:trojan-activity;sid:84718957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc_eb"; depth:7; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855858/; classtype:trojan-activity;sid:84718958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855859)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dlr.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855859/; classtype:trojan-activity;sid:84718959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855860/; classtype:trojan-activity;sid:84718960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855861/; classtype:trojan-activity;sid:84718961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855862/; classtype:trojan-activity;sid:84718962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855863/; classtype:trojan-activity;sid:84718963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3855847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855847/; classtype:trojan-activity;sid:84718947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855848/; classtype:trojan-activity;sid:84718948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855849/; classtype:trojan-activity;sid:84718949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855850/; classtype:trojan-activity;sid:84718950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855851/; classtype:trojan-activity;sid:84718951; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.33.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855846/; classtype:trojan-activity;sid:84718946; rev:1;)
# Two .exe downloads under /files-129312398/files/ on 91.92.242.236, followed by the
# two-byte path "/i" on 182.122.142.163.
# NOTE(review): "/i" is specific only in combination with the exact Host match. If these
# rules are ever hand-edited, keep depth/endswith on the URI and isdataat:!1,relative on
# the host together, otherwise the rule becomes far too broad.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5006bcd0978c0e4d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855845/; classtype:trojan-activity;sid:84718945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d8f635b29dd7dd17.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855844/; classtype:trojan-activity;sid:84718944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.142.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855843/; classtype:trojan-activity;sid:84718943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.89.14"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855842/; classtype:trojan-activity;sid:84718942; rev:1;)
# Mixed entries: /x86_64 on 176.65.139.27, /bin.sh and /i on two other IPs, and a
# UUID-style path on the hostname kpckilf.visszateritok.hu.
# The hostname content is lower case and carries no nocase modifier. http.host is the
# normalized (lowercased) Host buffer, so that is expected rather than a coverage gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855841/; classtype:trojan-activity;sid:84718941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.76.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855840/; classtype:trojan-activity;sid:84718940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.83.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855839/; classtype:trojan-activity;sid:84718939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/152db9ed-6538-4409-872b-57148d987e4a"; depth:37; endswith; nocase; http.host; content:"kpckilf.visszateritok.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855838/; classtype:trojan-activity;sid:84718938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855837)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.83.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855837/; classtype:trojan-activity;sid:84718937; rev:1;)
# /bin.sh and /i on individual IPs, then /mozi.a on two more. The mozi.* file name is
# consistent with Mozi botnet payload naming (inferred from the path only; the classtype
# is the generic trojan-activity).
# These rules inspect the client request only (flow:...,from_client with http.method,
# http.uri and http.host). An alert shows that an internal host asked for the URL, not
# that a payload was delivered; confirm with response or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.89.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855836/; classtype:trojan-activity;sid:84718936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.155.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855835/; classtype:trojan-activity;sid:84718935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"220.112.31.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855834/; classtype:trojan-activity;sid:84718934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"103.213.112.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855833/; classtype:trojan-activity;sid:84718933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3855828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ir3s"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855828/; classtype:trojan-activity;sid:84718928; rev:1;)
# Short, random-looking paths on 45.148.120.78 and 89.144.31.54. Nothing in these rules
# names a malware family or file type; during triage the reference:url value is the
# pointer to the URLhaus entry that carries that context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owh"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855829/; classtype:trojan-activity;sid:84718929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bfyl"; depth:5; endswith; nocase; http.host; content:"89.144.31.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855830/; classtype:trojan-activity;sid:84718930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zie"; depth:4; endswith; nocase; http.host; content:"89.144.31.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855831/; classtype:trojan-activity;sid:84718931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"static-103-160-197-150.unpl.net"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855832/; 
classtype:trojan-activity;sid:84718932; rev:1;)
# More short paths on 89.144.31.54 and 45.148.120.78.
# Direction is fixed to $HOME_NET -> $EXTERNAL_NET with flow:established,from_client, so
# coverage depends on HOME_NET being set correctly on the sensor. With the usual
# EXTERNAL_NET = !$HOME_NET setup, requests between internal hosts are not inspected by
# these rules (presumably intended; verify against the sensor's address-group config).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nck"; depth:4; endswith; nocase; http.host; content:"89.144.31.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855799/; classtype:trojan-activity;sid:84718899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jja4"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855800/; classtype:trojan-activity;sid:84718900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j1fj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855801/; classtype:trojan-activity;sid:84718901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tdsj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855802/; classtype:trojan-activity;sid:84718902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3utl"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855803/; classtype:trojan-activity;sid:84718903; rev:1;)
# Alternating entries for 89.144.31.54 and 45.148.120.78.
# In every rule shown here sid = URLhaus id + 80863100 (for example 3855804 -> 84718904),
# so an alert's sid can be mapped back to urlhaus.abuse.ch/url/<id>/ without parsing msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lndr"; depth:5; endswith; nocase; http.host; content:"89.144.31.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855804/; classtype:trojan-activity;sid:84718904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ql9t"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855805/; classtype:trojan-activity;sid:84718905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zfg"; depth:4; endswith; nocase; http.host; content:"89.144.31.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855806/; classtype:trojan-activity;sid:84718906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0qbw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855807/; classtype:trojan-activity;sid:84718907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pnwl"; depth:5; endswith; nocase; 
http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855808/; classtype:trojan-activity;sid:84718908; rev:1;)
# Four three-letter paths on 45.148.120.78 (/hxa, /emd, /jaz, /hxq). The rules differ
# only in the URI content, its depth, and the ids.
# One rule per URL means a path on this server that the feed has not listed yet raises
# no alert; the rules make no host-only match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hxa"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855809/; classtype:trojan-activity;sid:84718909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855810/; classtype:trojan-activity;sid:84718910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855811/; classtype:trojan-activity;sid:84718911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hxq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855812/; classtype:trojan-activity;sid:84718912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855813)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/t3sy"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855813/; classtype:trojan-activity;sid:84718913; rev:1;)
# /mozi.m on 66.167.169.176, /rmx on 45.148.120.78, /jaws on 140.233.190.47, and
# /luxzzxzzx/luxzz.i468 on vmi3208269.contaboserver.net (the name looks like a hosting
# provider's default host name; inferred from the string only).
# The last rule matches the Host header text. A request that reaches the same machine by
# IP address carries a different Host value and needs its own feed entry to alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"66.167.169.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855814/; classtype:trojan-activity;sid:84718914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rmx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855815/; classtype:trojan-activity;sid:84718915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaws"; depth:5; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855816/; classtype:trojan-activity;sid:84718916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i468"; depth:21; endswith; nocase; http.host; content:"vmi3208269.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855817/; classtype:trojan-activity;sid:84718917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3855818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nbo"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855818/; classtype:trojan-activity;sid:84718918; rev:1;)
# Paths on 45.148.120.78 plus /w.sh on 176.65.148.199.ptr.pfcloud.network. That host
# value looks like a reverse-DNS name embedding the address 176.65.148.199 (inferred from
# the string). The rule compares the name as sent in the Host header, not the address the
# client connected to.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4kly"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855819/; classtype:trojan-activity;sid:84718919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"176.65.148.199.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855820/; classtype:trojan-activity;sid:84718920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5lky"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855821/; classtype:trojan-activity;sid:84718921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dza"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855822/; 
classtype:trojan-activity;sid:84718922; rev:1;)
# Four more short paths on 45.148.120.78 (/rhr, /ppf, /wnmo, /bhi), all rev:1 with
# created_at 2026_05_30.
# NOTE(review): URL indicators of this kind go stale when a server is cleaned up or its
# address is reassigned; reload from the feed on a schedule rather than keeping an old copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rhr"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855823/; classtype:trojan-activity;sid:84718923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855824/; classtype:trojan-activity;sid:84718924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnmo"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855825/; classtype:trojan-activity;sid:84718925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bhi"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855826/; classtype:trojan-activity;sid:84718926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.160.197.150"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855827/; classtype:trojan-activity;sid:84718927; rev:1;)
# /wget.sh on 176.65.148.199.ptr.pfcloud.network, /a/linksys and //arm5 on 45.198.224.38,
# and /gpon on 203.145.34.131. The names linksys and gpon suggest payloads aimed at
# routers (inferred from the path only).
# NOTE(review): the //arm5 content keeps a doubled slash (depth:6). Whether http.uri still
# holds "//" depends on the sensor's HTTP path-normalization settings; confirm with a test
# request, and consider http.uri.raw if the rule does not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.148.199.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855798/; classtype:trojan-activity;sid:84718898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/linksys"; depth:10; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855794/; classtype:trojan-activity;sid:84718894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855795/; classtype:trojan-activity;sid:84718895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gpon"; depth:5; endswith; nocase; http.host; content:"203.145.34.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855796/; classtype:trojan-activity;sid:84718896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855797)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855797/; classtype:trojan-activity;sid:84718897; rev:1;)
# /c.sh, /wget.sh and /w.sh on the literal IP 176.65.148.199, plus /c.sh on
# 176.65.148.199.ptr.pfcloud.network. The IP form and the name form of what appears to be
# the same server are separate rules because http.host is compared as an exact string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"176.65.148.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855790/; classtype:trojan-activity;sid:84718890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.148.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855791/; classtype:trojan-activity;sid:84718891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"176.65.148.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855792/; classtype:trojan-activity;sid:84718892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"176.65.148.199.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855793/; classtype:trojan-activity;sid:84718893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3855787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"139.135.42.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855787/; classtype:trojan-activity;sid:84718887; rev:1;)
# /mozi.a on two further IPs, then /arm5 below a long directory made of binary digits on
# 103.252.89.75. For that rule depth:54 covers the whole path, so the match is still an
# exact-URI comparison, not a prefix or suffix match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"103.199.123.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855788/; classtype:trojan-activity;sid:84718888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"202.141.101.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855789/; classtype:trojan-activity;sid:84718889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/arm5"; depth:54; endswith; nocase; http.host; content:"103.252.89.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855784/; classtype:trojan-activity;sid:84718884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"112.238.239.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, 
urlhaus.abuse.ch/url/3855785/; classtype:trojan-activity;sid:84718885; rev:1;)
# /mozi.a and /bin.sh on IP hosts, a UUID-style path on gfdoxjo.zsatom.hu, and /i on
# 115.63.87.126.
# nocase is attached to the http.uri content, so the path matches whatever letter case the
# client sends. The host contents have no nocase and rely on http.host being the
# lowercased buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"59.103.106.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855786/; classtype:trojan-activity;sid:84718886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.155.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855783/; classtype:trojan-activity;sid:84718883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/66697340-c869-4120-83ad-85de1ae505fd"; depth:37; endswith; nocase; http.host; content:"gfdoxjo.zsatom.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855782/; classtype:trojan-activity;sid:84718882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.87.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855781/; classtype:trojan-activity;sid:84718881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"119.189.212.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855780/; classtype:trojan-activity;sid:84718880; rev:1;)
# /xze2 on 45.148.120.78, the architecture-named paths /sh4 and /ppc on 87.121.79.55, and
# /i on 221.15.136.114.
# Every rule requires http.method to contain GET, so a fetch of the same URL with another
# method is outside these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xze2"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855779/; classtype:trojan-activity;sid:84718879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855776/; classtype:trojan-activity;sid:84718876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855777/; classtype:trojan-activity;sid:84718877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.136.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855778/; classtype:trojan-activity;sid:84718878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855774)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855774/; classtype:trojan-activity;sid:84718875; rev:1;)
# /arm7 on 87.121.79.55, /i and /bin.sh on two IPs, then a release-asset URL on github.com.
# NOTE(review): the github.com entry is an `alert http` rule. GitHub downloads normally
# run over HTTPS, so this rule can fire only where the sensor sees the request in clear
# text or after TLS decryption (for example behind an inspecting proxy). Without that,
# cover the URL with proxy or endpoint telemetry instead.
# The exact-URI match keeps the rule from alerting on other github.com traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855775/; classtype:trojan-activity;sid:84718875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.189.165.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855773/; classtype:trojan-activity;sid:84718873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.87.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855772/; classtype:trojan-activity;sid:84718872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bytebytearm/launcher.bytearmor/releases/download/v3.1/launcher.bytearmor.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855771/; classtype:trojan-activity;sid:84718871; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deanhhoach/xone-cs2-undetected-2026/releases/download/v1.2/xone.cs2.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855769/; classtype:trojan-activity;sid:84718869; rev:1;)
# Release-asset .zip URLs on github.com; the repository and file names look like game
# mods or cheats (inferred from the paths only).
# NOTE(review): these are `alert http` rules for a host that is normally reached over
# HTTPS. They can fire only where the sensor sees the request in clear text or after TLS
# decryption; otherwise pair the feed with proxy or endpoint logs for these URLs.
# Each rule pins one exact asset path, so ordinary github.com traffic does not alert and a
# renamed or re-versioned asset is not covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kanebstuart/mod-manager/releases/download/download/json.mod.manager.v10.5.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855768/; classtype:trojan-activity;sid:84718868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kanebstuart/rusttweaker/releases/download/download/rusttweaker.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855767/; classtype:trojan-activity;sid:84718867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bytebytearm/14124/releases/download/v3.0/launcher.bytearmor.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855765/; classtype:trojan-activity;sid:84718865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3855766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/%d0%92%d0%be%d0%betse%d1%85e%d1%81ss64.zip"; depth:51; endswith; nocase; http.host; content:"roblox-execut.net"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855766/; classtype:trojan-activity;sid:84718866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kanebstuart/forza-horizon-mod/releases/download/download/fh6.mod.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855763/; classtype:trojan-activity;sid:84718863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kanebstuart/cs2-exloader/releases/download/download/phantom.cs2.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855764/; classtype:trojan-activity;sid:84718864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unicore.zip"; depth:12; endswith; nocase; http.host; content:"unicore.pw"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855762/; classtype:trojan-activity;sid:84718862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_53d088d9a3857540.exe"; depth:48; endswith; 
nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855761/; classtype:trojan-activity;sid:84718861; rev:1;)
# Exact host + exact URI signatures for plain-HTTP GET requests leaving $HOME_NET. The rules for
# 91.92.242.236 differ only in the file name under /files-129312398/files/, so a new file name on the
# same host is not covered by this list; consider reviewing other requests to that host from any client
# that triggers one of them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5f6659d9b41b28ab.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855755/; classtype:trojan-activity;sid:84718855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_2cf1bae0e7a0ed46.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855756/; classtype:trojan-activity;sid:84718856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_b8f479435ba21007.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855757/; classtype:trojan-activity;sid:84718857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d8256d51cc8fd874.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855758/; classtype:trojan-activity;sid:84718858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5798e3e4032addc6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855759/; classtype:trojan-activity;sid:84718859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_43214cd4b47ff4d1.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855760/; classtype:trojan-activity;sid:84718860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.136.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855754/; classtype:trojan-activity;sid:84718854; rev:1;)
# NOTE(review): |3f| is the hex notation for '?', so the decoded content "/?ublib=<uuid>" is 44 bytes,
# while depth:47 was computed on the escaped text. With endswith the match still has to finish at the
# end of the URI, but it may begin up to 3 bytes in rather than only at offset 0 (depth:44 would pin it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=68324316-aef0-49f1-b5c0-821c2dc05639"; depth:47; endswith; nocase; http.host; content:"x2jjzvnd.dichvuff.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855753/; classtype:trojan-activity;sid:84718853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e83e0e1a-dfda-4255-847e-5e38a00f7f46"; depth:37; endswith; nocase; http.host; content:"prgqvfu.payestation.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855752/; classtype:trojan-activity;sid:84718852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.189.165.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855751/; classtype:trojan-activity;sid:84718851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.116.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855750/; classtype:trojan-activity;sid:84718850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.40.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855749/; classtype:trojan-activity;sid:84718849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855748/; classtype:trojan-activity;sid:84718848; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4be45d25-c5cc-4819-96b4-8562bec77294"; depth:37; endswith; nocase; http.host; content:"ujbhfgb.sm188dvlv.cfd"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855747/; classtype:trojan-activity;sid:84718847; rev:1;)
# Exact host + exact URI signatures for plain-HTTP GET requests leaving $HOME_NET. Several bare-IP hosts
# in this group are listed twice, once for "/i" and once for "/bin.sh" (e.g. 42.232.230.19, 5.206.65.133);
# the two URIs are separate URLhaus entries with separate sids, so alerts for the same host from one
# client are best correlated by destination rather than counted as unrelated events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.80.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855746/; classtype:trojan-activity;sid:84718846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.230.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855745/; classtype:trojan-activity;sid:84718845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.230.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855744/; classtype:trojan-activity;sid:84718844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855743/; classtype:trojan-activity;sid:84718843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.215.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855742/; classtype:trojan-activity;sid:84718842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01efab7f-a5cf-463a-98be-cb3e24dc251a"; depth:37; endswith; nocase; http.host; content:"pnniuwu.popi999.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855741/; classtype:trojan-activity;sid:84718841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.89.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855740/; classtype:trojan-activity;sid:84718840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ed52424f-0fd0-4955-bc4f-96fb693f4bb1"; depth:37; endswith; nocase; http.host; content:"llrxcyj.laborfotostudio.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855739/; classtype:trojan-activity;sid:84718839; rev:1;)
# NOTE(review): |3f| is the hex notation for '?', so the decoded content "/?ublib=<uuid>" is 44 bytes,
# while depth:47 was computed on the escaped text. With endswith the match still has to finish at the
# end of the URI, but it may begin up to 3 bytes in rather than only at offset 0 (depth:44 would pin it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7c8b783c-bb93-4a8d-933b-cf18e9bf2803"; depth:47; endswith; nocase; http.host; content:"e0vt7hv0.saostar.biz"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855738/; classtype:trojan-activity;sid:84718838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.6.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855737/; classtype:trojan-activity;sid:84718837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.206.65.133"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855736/; classtype:trojan-activity;sid:84718836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cba55641-a04c-447c-82f1-e7aeaf4b077a"; depth:37; endswith; nocase; http.host; content:"gadvzmy.lampaoszlopbolt.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855735/; classtype:trojan-activity;sid:84718835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.206.65.133"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855734/; classtype:trojan-activity;sid:84718834; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3abb0b14-1aee-4f2b-b64d-d3f0f444bcda"; depth:37; endswith; nocase; http.host; content:"elmqfzy.zsatom.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855733/; classtype:trojan-activity;sid:84718833; rev:1;)
# Exact host + exact URI signatures for plain-HTTP GET requests leaving $HOME_NET. The match is on the
# Host value the client sent, not on the destination address, and only on the request direction
# (from_client); the number in msg and in the reference URL is the URLhaus entry to consult for context.
# metadata:created_at records the listing date, which can be used to age out entries for bare-IP hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.248.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855732/; classtype:trojan-activity;sid:84718832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.248.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855731/; classtype:trojan-activity;sid:84718831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.223.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855730/; classtype:trojan-activity;sid:84718830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.113.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855729/; classtype:trojan-activity;sid:84718829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855728/; classtype:trojan-activity;sid:84718828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.241.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855727/; classtype:trojan-activity;sid:84718827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1b7ad810-5252-4a35-a2e6-750851b6dbc6"; depth:37; endswith; nocase; http.host; content:"juiaaot.visszateritok.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855726/; classtype:trojan-activity;sid:84718826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.90.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855725/; classtype:trojan-activity;sid:84718825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.90.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855724/; classtype:trojan-activity;sid:84718824; rev:1;)
# NOTE(review): |3f| is the hex notation for '?', so the decoded content "/?ublib=<uuid>" is 44 bytes,
# while depth:47 was computed on the escaped text. With endswith the match still has to finish at the
# end of the URI, but it may begin up to 3 bytes in rather than only at offset 0 (depth:44 would pin it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=777f3bab-df0d-43b5-94ba-0d2b9a6c6b33"; depth:47; endswith; nocase; http.host; content:"81729sv5.stgsolar.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855723/; classtype:trojan-activity;sid:84718823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.70.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855722/; classtype:trojan-activity;sid:84718822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.152.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855721/; classtype:trojan-activity;sid:84718821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.87.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855720/; classtype:trojan-activity;sid:84718820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3855719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e6887422-069c-4a3b-a925-54344036de7c"; depth:37; endswith; nocase; http.host; content:"akvtmtx.technologiaiviz.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855719/; classtype:trojan-activity;sid:84718819; rev:1;)
# Exact host + exact URI signatures for plain-HTTP GET requests leaving $HOME_NET: depth equals the
# content length and endswith / isdataat:!1,relative forbid trailing bytes, so the same host with a
# query string or a different path does not match. The URIs on bare-IP hosts here are only "/i" or
# "/bin.sh", so the http.host condition is what keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.99.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855718/; classtype:trojan-activity;sid:84718818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.216.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855717/; classtype:trojan-activity;sid:84718817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.222.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855716/; classtype:trojan-activity;sid:84718816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.32.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855715/; classtype:trojan-activity;sid:84718815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.99.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855714/; classtype:trojan-activity;sid:84718814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.157.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855713/; classtype:trojan-activity;sid:84718813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.39.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855712/; classtype:trojan-activity;sid:84718812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.216.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855711/; classtype:trojan-activity;sid:84718811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.120.153.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855710/; classtype:trojan-activity;sid:84718810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.210.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855709/; classtype:trojan-activity;sid:84718809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.222.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855708/; classtype:trojan-activity;sid:84718808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.39.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855707/; classtype:trojan-activity;sid:84718807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f279acd-9056-45aa-9e02-e12c43bb3c11"; depth:37; endswith; nocase; http.host; content:"vfqpsfq.webrevelem.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855706/; classtype:trojan-activity;sid:84718806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855705)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.210.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855705/; classtype:trojan-activity;sid:84718805; rev:1;)
# Exact host + exact URI signatures for plain-HTTP GET requests leaving $HOME_NET. Several URIs in this
# group are two to four bytes long ("/i", "/p", "/khh", "/tvz", "/rj6"); they are only meaningful together
# with the http.host condition, so keep both parts if a rule is ever adapted locally.
# A hit records the request only (from_client); confirm from the response whether content was returned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.157.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855704/; classtype:trojan-activity;sid:84718804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.103.116.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855703/; classtype:trojan-activity;sid:84718803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.120.153.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855702/; classtype:trojan-activity;sid:84718802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05c06f8b-fb56-43f1-9ad7-42bfea50cbc7"; depth:37; endswith; nocase; http.host; content:"zjhbvqq.wlwyb.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855701/; classtype:trojan-activity;sid:84718801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p"; depth:2; endswith; nocase; http.host; content:"89.144.31.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855700/; classtype:trojan-activity;sid:84718800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.84.215.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855699/; classtype:trojan-activity;sid:84718799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.103.116.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855698/; classtype:trojan-activity;sid:84718798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.130.242.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855697/; classtype:trojan-activity;sid:84718797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khh"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855694/; classtype:trojan-activity;sid:84718794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tvz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855695/; classtype:trojan-activity;sid:84718795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rj6"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855696/; classtype:trojan-activity;sid:84718796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.252.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855693/; classtype:trojan-activity;sid:84718793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855692/; classtype:trojan-activity;sid:84718792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.89.32"; depth:11; isdataat:!1,relative; 
metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855691/; classtype:trojan-activity;sid:84718791; rev:1;)
# Exact host + exact URI signatures for plain-HTTP GET requests leaving $HOME_NET (request side only).
# The 87.121.79.55 entries at the end of this group use short URIs that look like CPU-architecture
# labels (x86, mips, mpsl, spc, arm5) -- presumably per-architecture builds of one payload, TODO confirm
# against the URLhaus entries; alerts for several of them from one client are best handled as one incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.152.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855690/; classtype:trojan-activity;sid:84718790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.212.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855689/; classtype:trojan-activity;sid:84718789; rev:1;)
# NOTE(review): |3f| is the hex notation for '?', so the decoded content "/?ublib=<uuid>" is 44 bytes,
# while depth:47 was computed on the escaped text. With endswith the match still has to finish at the
# end of the URI, but it may begin up to 3 bytes in rather than only at offset 0 (depth:44 would pin it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=61bd4101-46cc-4a49-bee4-a2a619d7bd16"; depth:47; endswith; nocase; http.host; content:"pbm280yc.sieulike.biz"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855688/; classtype:trojan-activity;sid:84718788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855687/; classtype:trojan-activity;sid:84718787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.147.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855686/; classtype:trojan-activity;sid:84718786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.204.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855685/; classtype:trojan-activity;sid:84718785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.130.242.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855684/; classtype:trojan-activity;sid:84718784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7c3dda71-ab00-49cc-9d75-297de10f4939"; depth:37; endswith; nocase; http.host; content:"osljzcm.salesventure.co"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855683/; classtype:trojan-activity;sid:84718783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.11.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855682/; classtype:trojan-activity;sid:84718782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855681/; classtype:trojan-activity;sid:84718781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855679/; classtype:trojan-activity;sid:84718779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855680/; classtype:trojan-activity;sid:84718780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855677/; classtype:trojan-activity;sid:84718777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"87.121.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855678/; 
classtype:trojan-activity;sid:84718778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.32.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855676/; classtype:trojan-activity;sid:84718776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/install.exe"; depth:18; endswith; nocase; http.host; content:"192.253.248.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855674/; classtype:trojan-activity;sid:84718774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/update.exe"; depth:17; endswith; nocase; http.host; content:"192.253.248.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855675/; classtype:trojan-activity;sid:84718775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/192046e9-4a6f-4191-a8da-a5b061f2e9d8"; depth:37; endswith; nocase; http.host; content:"tvrtwkf.ricebowl.io"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855673/; classtype:trojan-activity;sid:84718773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"182.119.15.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855672/; classtype:trojan-activity;sid:84718772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.11.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855662/; classtype:trojan-activity;sid:84718762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/4.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855663/; classtype:trojan-activity;sid:84718763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/9.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855664/; classtype:trojan-activity;sid:84718764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/11.tok"; depth:18; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855665/; classtype:trojan-activity;sid:84718765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855666)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/6.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855666/; classtype:trojan-activity;sid:84718766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/10.tok"; depth:18; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855667/; classtype:trojan-activity;sid:84718767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/7.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855668/; classtype:trojan-activity;sid:84718768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/13.tok"; depth:18; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855669/; classtype:trojan-activity;sid:84718769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/12.tok"; depth:18; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855670/; 
classtype:trojan-activity;sid:84718770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/5.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855671/; classtype:trojan-activity;sid:84718771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/1.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855660/; classtype:trojan-activity;sid:84718760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/8.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855661/; classtype:trojan-activity;sid:84718761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.11.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855659/; classtype:trojan-activity;sid:84718759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/80a73b13-f9b7-42c8-bf3b-b9167028fc07"; depth:37; endswith; nocase; 
http.host; content:"pymyajs.pegaadvance.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855658/; classtype:trojan-activity;sid:84718758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.127.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855656/; classtype:trojan-activity;sid:84718756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.127.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855657/; classtype:trojan-activity;sid:84718757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.232.61.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855655/; classtype:trojan-activity;sid:84718755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=d724717c-e1f7-4f60-9409-b40d6e0ee8a3"; depth:47; endswith; nocase; http.host; content:"gzxrgq4a.saostar.biz"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855654/; classtype:trojan-activity;sid:84718754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3855653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ir"; depth:3; endswith; nocase; http.host; content:"91.92.240.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855653/; classtype:trojan-activity;sid:84718753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855652/; classtype:trojan-activity;sid:84718752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855650/; classtype:trojan-activity;sid:84718750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855651/; classtype:trojan-activity;sid:84718751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptex1.4.zip"; depth:15; endswith; nocase; http.host; content:"ultraviolence.buzz"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855649/; 
classtype:trojan-activity;sid:84718749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d05f3ded464d9a16.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855637/; classtype:trojan-activity;sid:84718737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ef1d0dbe00ece391.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855638/; classtype:trojan-activity;sid:84718738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_27dedf7c72f347c8.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855639/; classtype:trojan-activity;sid:84718739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1ded2dd1916ec7f1.msi"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855640/; classtype:trojan-activity;sid:84718740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855641)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d18f962e0a0063b1.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855641/; classtype:trojan-activity;sid:84718741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855642/; classtype:trojan-activity;sid:84718742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855643/; classtype:trojan-activity;sid:84718743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855644/; classtype:trojan-activity;sid:84718744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855645/; 
classtype:trojan-activity;sid:84718745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855646/; classtype:trojan-activity;sid:84718746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855647/; classtype:trojan-activity;sid:84718747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"games-point.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855648/; classtype:trojan-activity;sid:84718748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cook"; depth:5; endswith; nocase; http.host; content:"vanta.st"; depth:8; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855636/; classtype:trojan-activity;sid:84718736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_007230d483970d34.exe"; depth:48; endswith; nocase; 
http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855629/; classtype:trojan-activity;sid:84718729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fdd177b589499a08.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855630/; classtype:trojan-activity;sid:84718730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_873181172a2e4045.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855631/; classtype:trojan-activity;sid:84718731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_b4522797f49270b0.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855632/; classtype:trojan-activity;sid:84718732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_37e3bf5524188f8f.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855633/; 
classtype:trojan-activity;sid:84718733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_9fe1bab4eaca687d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855634/; classtype:trojan-activity;sid:84718734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_c35f6e8f5c6feda7.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855635/; classtype:trojan-activity;sid:84718735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_0353b1d91cdd6b5a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855628/; classtype:trojan-activity;sid:84718728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/682e017e-e639-48d5-9c22-984d414de0ef"; depth:37; endswith; nocase; http.host; content:"tohiels.payestation.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855627/; classtype:trojan-activity;sid:84718727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855626)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.174.92"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855626/; classtype:trojan-activity;sid:84718726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.140.160.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855625/; classtype:trojan-activity;sid:84718725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mipsel"; depth:17; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855624/; classtype:trojan-activity;sid:84718724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/3.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855623/; classtype:trojan-activity;sid:84718723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.powerpc"; depth:18; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855622/; classtype:trojan-activity;sid:84718722; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855619/; classtype:trojan-activity;sid:84718719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv5l"; depth:17; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855620/; classtype:trojan-activity;sid:84718720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv6l"; depth:17; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855621/; classtype:trojan-activity;sid:84718721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.x86_64"; depth:17; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855618/; classtype:trojan-activity;sid:84718718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.i586"; depth:15; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855614/; classtype:trojan-activity;sid:84718714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mips"; depth:15; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855615/; classtype:trojan-activity;sid:84718715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv4l"; depth:17; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855616/; classtype:trojan-activity;sid:84718716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv7l"; depth:17; endswith; nocase; http.host; content:"176.65.148.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855617/; classtype:trojan-activity;sid:84718717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nova.sh"; depth:8; endswith; nocase; http.host; content:"nova.dudos.cfd"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855613/; classtype:trojan-activity;sid:84718713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855612)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.174.92"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855612/; classtype:trojan-activity;sid:84718712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailhitler/2.tok"; depth:17; endswith; nocase; http.host; content:"45.74.7.123"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855611/; classtype:trojan-activity;sid:84718711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.168.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855610/; classtype:trojan-activity;sid:84718710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.45.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855609/; classtype:trojan-activity;sid:84718709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/83f4baab-9036-4dc7-b437-c61867b20cc5"; depth:37; endswith; nocase; http.host; content:"kzbxkhv.newspaperseng.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855608/; classtype:trojan-activity;sid:84718708; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.140.160.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855607/; classtype:trojan-activity;sid:84718707; rev:1;)
# sid is the URLhaus id from msg/reference plus 80863100 (true for the rules shown here), so an
# alert's sid maps directly to its urlhaus.abuse.ch/url/<id>/ entry during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.168.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855606/; classtype:trojan-activity;sid:84718706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.33.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855605/; classtype:trojan-activity;sid:84718705; rev:1;)
# Covers exactly this subdomain and this path (depth + endswith on the URI, depth +
# isdataat:!1,relative on the host); any other subdomain or path needs its own entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b98baf1b-7bba-4641-81d4-b38c19b9fa92"; depth:37; endswith; nocase; http.host; content:"oeyvwkv.hitsforge.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855604/; classtype:trojan-activity;sid:84718704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.4.232"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; 
reference:url, urlhaus.abuse.ch/url/3855603/; classtype:trojan-activity;sid:84718703; rev:1;)
# "alert http" with $HOME_NET -> $EXTERNAL_NET and flow:established,from_client inspects only
# the outbound request of a cleartext HTTP session; coverage depends on HOME_NET being defined
# correctly in the sensor configuration.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.53.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855602/; classtype:trojan-activity;sid:84718702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.134.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855601/; classtype:trojan-activity;sid:84718701; rev:1;)
# 182.121.45.57 is listed twice in this file: "/bin.sh" here and "/i" under URLhaus 3855609.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.45.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855600/; classtype:trojan-activity;sid:84718700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.248.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855599/; classtype:trojan-activity;sid:84718699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"27.37.104.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855598/; classtype:trojan-activity;sid:84718698; rev:1;)
# |3f| is one byte ("?"), so the decoded URI pattern is 44 bytes while depth is 47 (the length of
# the escaped string). With endswith this tolerates up to 3 extra leading bytes in the URI;
# depth:44 would make it an exact match like the other rules.
# NOTE(review): looks like a generator artefact - confirm with the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=42bab1f1-c925-4cfa-a62f-a7251a7e3a00"; depth:47; endswith; nocase; http.host; content:"sybxhd9s.stgsolar.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855597/; classtype:trojan-activity;sid:84718697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.11.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855596/; classtype:trojan-activity;sid:84718696; rev:1;)
# Same depth:47 against a 44-byte decoded pattern as URLhaus 3855597.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=862160bd-f5cf-4e24-968e-db4773bf36f6"; depth:47; endswith; nocase; http.host; content:"t5kfgfm1.stgsolar.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855595/; classtype:trojan-activity;sid:84718695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c841dc5d-d5c0-409d-b4d1-0c5d59e90e1c"; depth:37; endswith; nocase; http.host; content:"wjyfieh.evaz.io"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855594/; classtype:trojan-activity;sid:84718694; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.248.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855593/; classtype:trojan-activity;sid:84718693; rev:1;)
# Exact subdomain + exact path. URLhaus 3855594 lists a different subdomain of the same parent
# domain with a different path, so each subdomain/path pair is its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/47e13163-4936-44f4-9177-dca343b7f257"; depth:37; endswith; nocase; http.host; content:"bphiipa.evaz.io"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855592/; classtype:trojan-activity;sid:84718692; rev:1;)
# 2-byte URI "/i"; the same host is also listed with "/bin.sh" under URLhaus 3855605.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.33.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855591/; classtype:trojan-activity;sid:84718691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.106.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855590/; classtype:trojan-activity;sid:84718690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.249.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; 
reference:url, urlhaus.abuse.ch/url/3855589/; classtype:trojan-activity;sid:84718689; rev:1;)
# The http.host content carries no nocase: http.host is Suricata's lowercase-normalised host
# buffer, so a lowercase literal is sufficient.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/41b0ae46-8deb-4d74-b66e-a09c129c2ee0"; depth:37; endswith; nocase; http.host; content:"ubydanl.doppe.io"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855588/; classtype:trojan-activity;sid:84718688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.104.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855587/; classtype:trojan-activity;sid:84718687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.149.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855586/; classtype:trojan-activity;sid:84718686; rev:1;)
# 123.14.249.85 is listed twice in this file: "/bin.sh" here and "/i" under URLhaus 3855589.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.249.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855585/; classtype:trojan-activity;sid:84718685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"163.142.85.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855584/; classtype:trojan-activity;sid:84718684; rev:1;)
# The full 48-byte path, file name included, is pinned (nocase); this sid covers only that one
# object on 91.92.242.236, so broader coverage of the host needs a separate host-level indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_662e996bd75d812c.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855583/; classtype:trojan-activity;sid:84718683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.224.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855582/; classtype:trojan-activity;sid:84718682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57f4c1c3-6ab2-4728-8462-c37c6b020a1d"; depth:37; endswith; nocase; http.host; content:"iscpbxp.datastella.co"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855581/; classtype:trojan-activity;sid:84718681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.149.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855580/; classtype:trojan-activity;sid:84718680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3855579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.85.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855579/; classtype:trojan-activity;sid:84718679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.224.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855578/; classtype:trojan-activity;sid:84718678; rev:1;)
# |3f| decodes to the single byte "?", making the URI pattern 44 bytes; depth:47 counts the
# escaped form, so with endswith up to 3 extra leading bytes are tolerated. depth:44 would pin
# the URI exactly. NOTE(review): probably a generator artefact - confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0e70ccd3-067b-4b8b-a1f1-735c9d5e0338"; depth:47; endswith; nocase; http.host; content:"2dzxuao7.parossag.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855577/; classtype:trojan-activity;sid:84718677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855576/; classtype:trojan-activity;sid:84718676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1911583-a43e-46de-b9ca-7c868ac518d6"; depth:37; endswith; nocase; http.host; content:"tspdegr.askvava.com"; depth:19; isdataat:!1,relative; 
metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855575/; classtype:trojan-activity;sid:84718675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855574/; classtype:trojan-activity;sid:84718674; rev:1;)
# The rules for 169.40.104.99 differ only in the URI (/data.x86_64, /data.x86, /a, /data.arm7);
# each file name is a separate exact-match sid, so a name not listed for this host raises no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.x86_64"; depth:12; endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855572/; classtype:trojan-activity;sid:84718672; rev:1;)
# depth:9 with endswith keeps "/data.x86" from also matching "/data.x86_64", which has its own
# rule (URLhaus 3855572).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.x86"; depth:9; endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855573/; classtype:trojan-activity;sid:84718673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a"; depth:2; endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855566/; classtype:trojan-activity;sid:84718666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm7"; depth:10; 
endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855567/; classtype:trojan-activity;sid:84718667; rev:1;)
# Same host in all four rules below; only the file-name suffix changes (arm6, arm4, mips, arm5 -
# presumably one build per CPU architecture). Several of these sids firing for one internal
# client point at the same download attempt rather than separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm6"; depth:10; endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855568/; classtype:trojan-activity;sid:84718668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm4"; depth:10; endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855569/; classtype:trojan-activity;sid:84718669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.mips"; depth:10; endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855570/; classtype:trojan-activity;sid:84718670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.arm5"; depth:10; endswith; nocase; http.host; content:"169.40.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855571/; classtype:trojan-activity;sid:84718671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855565)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.243.140.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855565/; classtype:trojan-activity;sid:84718665; rev:1;)
# Destination port is "any", so the rule does not depend on which port the host serves from.
# NOTE(review): a Host header that carries ":port" relies on http.host excluding the port -
# confirm for the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.13.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855564/; classtype:trojan-activity;sid:84718664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.201.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855563/; classtype:trojan-activity;sid:84718663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.149.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855562/; classtype:trojan-activity;sid:84718662; rev:1;)
# 110.36.25.33 is listed twice in this file: "/bin.sh" here and "/i" under URLhaus 3855574.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855561/; classtype:trojan-activity;sid:84718661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3855560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.240.70.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855560/; classtype:trojan-activity;sid:84718660; rev:1;)
# Every buffer matched here (http.method, http.uri, http.host) belongs to the client request, so
# the alert records that an internal host asked for the URL; it does not show whether the server
# answered or what was returned - check the HTTP/flow logs for the response.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.73.18.206"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855559/; classtype:trojan-activity;sid:84718659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.149.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855558/; classtype:trojan-activity;sid:84718658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1f95373-7bb0-4684-93d4-90dcdd71debb"; depth:37; endswith; nocase; http.host; content:"qkexyga.wlwyb.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855557/; classtype:trojan-activity;sid:84718657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.51.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, 
urlhaus.abuse.ch/url/3855555/; classtype:trojan-activity;sid:84718655; rev:1;)
# Entries are not in strict id order here (3855556, 3855553, 3855554, 3855552); look a rule up by
# sid or URLhaus id rather than by its position in the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.249.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855556/; classtype:trojan-activity;sid:84718656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.201.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855553/; classtype:trojan-activity;sid:84718653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.243.140.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855554/; classtype:trojan-activity;sid:84718654; rev:1;)
# 2-byte URI "/i": the exact http.host match below is the discriminating part of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.34.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855552/; classtype:trojan-activity;sid:84718652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.13.230"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855551/; classtype:trojan-activity;sid:84718651; rev:1;)
# metadata:created_at is the only age information carried by a rule (2026_05_30 for the entries
# here); presumably the date the URL was added to the feed - usable for ageing out old hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.44.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855550/; classtype:trojan-activity;sid:84718650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.194.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855549/; classtype:trojan-activity;sid:84718649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855548/; classtype:trojan-activity;sid:84718648; rev:1;)
# 110.37.51.25 is listed twice in this file: "/bin.sh" here and "/i" under URLhaus 3855555.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.51.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855547/; classtype:trojan-activity;sid:84718647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855545)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.44.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855545/; classtype:trojan-activity;sid:84718645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.34.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855546/; classtype:trojan-activity;sid:84718646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.200.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855544/; classtype:trojan-activity;sid:84718644; rev:1;)
# Hostname indicator: depth:21 + isdataat:!1,relative pins the full host string and depth:37 +
# endswith pins the UUID-style path, so only this exact URL alerts. "alert http" means the rule
# sees the request only when it travels as cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caca14f3-4858-4415-9712-95d512e77226"; depth:37; endswith; nocase; http.host; content:"dxclneq.webrevelem.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855543/; classtype:trojan-activity;sid:84718643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.183.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855542/; classtype:trojan-activity;sid:84718642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3855541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.240.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855541/; classtype:trojan-activity;sid:84718641; rev:1;)
# Only GET is covered: the http.method content has no depth/endswith, so it is a plain substring
# match on the method buffer, while the URI and host contents that follow are pinned exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.200.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855539/; classtype:trojan-activity;sid:84718639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.95.231.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855540/; classtype:trojan-activity;sid:84718640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.220.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855538/; classtype:trojan-activity;sid:84718638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.183.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855537/; 
classtype:trojan-activity;sid:84718637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.73.18.206"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855536/; classtype:trojan-activity;sid:84718636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6e2d85f5-2c75-4159-a9a5-626a3ec33f86"; depth:37; endswith; nocase; http.host; content:"zphaxvq.technologiaiviz.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855535/; classtype:trojan-activity;sid:84718635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.220.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855534/; classtype:trojan-activity;sid:84718634; rev:1;)
# The URI pattern decodes to 44 bytes (|3f| is the single byte "?") but depth is 47, the length
# of the escaped string; with endswith the URI may carry up to 3 extra leading bytes and still
# match. depth:44 would pin it exactly. NOTE(review): likely a generator artefact - confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bdd96561-0d4c-4861-91e5-9c17ef41d80c"; depth:47; endswith; nocase; http.host; content:"cr9i8up3.stgsolar.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855533/; classtype:trojan-activity;sid:84718633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"42.229.240.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855532/; classtype:trojan-activity;sid:84718632; rev:1;)
# Each entry is a separate rule with its own sid and identical msg text apart from the URLhaus id
# in parentheses; group alerts by destination host or by the reference URL when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.252.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855531/; classtype:trojan-activity;sid:84718631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.85.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855530/; classtype:trojan-activity;sid:84718630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.95.23.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855529/; classtype:trojan-activity;sid:84718629; rev:1;)
# Hostname entry: the 24-byte host and the 37-byte path must both match in full.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6a9a9853-13b7-49c0-ab92-57c4e9a38497"; depth:37; endswith; nocase; http.host; content:"skqchmt.visszateritok.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855528/; classtype:trojan-activity;sid:84718628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3855527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.153.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855527/; classtype:trojan-activity;sid:84718627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/53862fa5-08e5-4aaa-95b1-ef21d9a3a5c0"; depth:37; endswith; nocase; http.host; content:"sdcpqrz.zsatom.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855526/; classtype:trojan-activity;sid:84718626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.239.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855525/; classtype:trojan-activity;sid:84718625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.239.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855524/; classtype:trojan-activity;sid:84718624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9451ad69-245f-4392-9bd9-a0f503befb91"; depth:37; endswith; nocase; http.host; content:"umrhrnh.lampaoszlopbolt.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, 
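urlhaus.abuse.ch/url/3855523/; classtype:trojan-activity;sid:84718623; rev:1;)
# Each rule below alerts on a plain-HTTP GET from $HOME_NET whose http.uri equals the
# listed path (depth == content length plus endswith, case-insensitive via nocase) and
# whose http.host equals the listed host (depth plus isdataat:!1,relative).
# These are `alert http` rules, so the same URL fetched over TLS is not matched unless
# traffic is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.183.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855522/; classtype:trojan-activity;sid:84718622; rev:1;)
# NOTE(review): "|3f|" is a single byte ("?"), so the http.uri content below is 44 bytes.
# The feed shipped depth:47 (the escape counted as four characters), which lets up to
# three arbitrary leading bytes precede the pattern. depth:44 restores the exact-URI
# match the sibling rules have. This is a local deviation from the generated feed; the
# length calculation should be corrected in the generator as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7f2b9510-9693-4f68-8544-39830730a8a1"; depth:44; endswith; nocase; http.host; content:"i0gxewzq.webuyurcar.com.au"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_30; reference:url, urlhaus.abuse.ch/url/3855521/; classtype:trojan-activity;sid:84718621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855520/; classtype:trojan-activity;sid:84718620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a42a98da-b8ea-46fa-b824-e6f1ed6df1f2"; depth:37; endswith; nocase; http.host; content:"ujhtrjp.laborfotostudio.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855519/; classtype:trojan-activity;sid:84718619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855518)"; flow:established,from_client; http.method; content:"GET"; 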
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.77.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855518/; classtype:trojan-activity;sid:84718618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.235.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855517/; classtype:trojan-activity;sid:84718617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.183.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855516/; classtype:trojan-activity;sid:84718616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.248.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855515/; classtype:trojan-activity;sid:84718615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.104.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855514/; classtype:trojan-activity;sid:84718614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3855513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855513/; classtype:trojan-activity;sid:84718613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.98.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855512/; classtype:trojan-activity;sid:84718612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.114.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855511/; classtype:trojan-activity;sid:84718611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5ec61287-dde9-4e74-84b7-3ebba7be0dbc"; depth:37; endswith; nocase; http.host; content:"rbbmdao.popi999.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855510/; classtype:trojan-activity;sid:84718610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.235.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855509/; 
classtype:trojan-activity;sid:84718609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855508/; classtype:trojan-activity;sid:84718608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ba3e4455ca48853a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855507/; classtype:trojan-activity;sid:84718607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.25.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855506/; classtype:trojan-activity;sid:84718606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855505/; classtype:trojan-activity;sid:84718605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.228.164"; 
depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855504/; classtype:trojan-activity;sid:84718604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.47.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855503/; classtype:trojan-activity;sid:84718603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855502/; classtype:trojan-activity;sid:84718602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a286ffd-d061-4747-b81a-ad9ca5b16ba3"; depth:37; endswith; nocase; http.host; content:"wjkhmcp.sm188dvlv.cfd"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855501/; classtype:trojan-activity;sid:84718601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855500/; classtype:trojan-activity;sid:84718600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855499)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.25.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855499/; classtype:trojan-activity;sid:84718599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.228.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855498/; classtype:trojan-activity;sid:84718598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.60.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855497/; classtype:trojan-activity;sid:84718597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.47.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855496/; classtype:trojan-activity;sid:84718596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"5.230.74.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855491/; classtype:trojan-activity;sid:84718591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3855492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"5.230.74.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855492/; classtype:trojan-activity;sid:84718592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_x64"; depth:13; endswith; nocase; http.host; content:"5.230.74.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855493/; classtype:trojan-activity;sid:84718593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"5.230.74.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855494/; classtype:trojan-activity;sid:84718594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"5.230.74.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855495/; classtype:trojan-activity;sid:84718595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"5.230.74.12"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, 
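urlhaus.abuse.ch/url/3855490/; classtype:trojan-activity;sid:84718590; rev:1;)
# Each rule below alerts on a plain-HTTP GET from $HOME_NET whose http.uri equals the
# listed path (depth == content length plus endswith, case-insensitive via nocase) and
# whose http.host equals the listed host (depth plus isdataat:!1,relative).
#
# NOTE(review): in the next rule "|3f|" is a single byte ("?"), so the http.uri content
# is 44 bytes. The feed shipped depth:47 (the escape counted as four characters), which
# lets up to three arbitrary leading bytes precede the pattern. depth:44 restores the
# exact-URI match the sibling rules have. This is a local deviation from the generated
# feed; the length calculation should be corrected in the generator as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=6101ae48-5dac-4758-a7f3-caf98bb9beca"; depth:44; endswith; nocase; http.host; content:"htcaqoat.universaltyresautos.com.au"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855489/; classtype:trojan-activity;sid:84718589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855488/; classtype:trojan-activity;sid:84718588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ae938762-7cde-4fab-aaf5-6dc401f7fec1"; depth:37; endswith; nocase; http.host; content:"nkqzyrf.sm188wing.cyou"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855487/; classtype:trojan-activity;sid:84718587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.241.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855486/; classtype:trojan-activity;sid:84718586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855485)"; flow:established,from_client; http.method; 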
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.60.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855485/; classtype:trojan-activity;sid:84718585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/09732ed4-0df6-4ba4-98bc-89853cfe3be9"; depth:37; endswith; nocase; http.host; content:"mdwkkvc.sm188login.rest"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855484/; classtype:trojan-activity;sid:84718584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.221.253.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855483/; classtype:trojan-activity;sid:84718583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.241.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855482/; classtype:trojan-activity;sid:84718582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.24.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855481/; classtype:trojan-activity;sid:84718581; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855480/; classtype:trojan-activity;sid:84718580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.209.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855479/; classtype:trojan-activity;sid:84718579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.47.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855478/; classtype:trojan-activity;sid:84718578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.12.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855477/; classtype:trojan-activity;sid:84718577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.110.23.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855476/; 
classtype:trojan-activity;sid:84718576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.12.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855475/; classtype:trojan-activity;sid:84718575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61ac6212-3cc4-49c6-9fe7-16136ac33657"; depth:37; endswith; nocase; http.host; content:"ajrnaww.sm188login.cyou"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855474/; classtype:trojan-activity;sid:84718574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.127.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855473/; classtype:trojan-activity;sid:84718573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/07602255-bd71-4f4a-a2cd-34b29dd53d32"; depth:37; endswith; nocase; http.host; content:"phijdnv.sm188login.cyou"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855472/; classtype:trojan-activity;sid:84718572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"42.234.221.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855471/; classtype:trojan-activity;sid:84718571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aa5e77e8-f76a-4699-a140-18c101cea45a"; depth:37; endswith; nocase; http.host; content:"xdmvxmt.sm188login.cyou"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855470/; classtype:trojan-activity;sid:84718570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.215.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855469/; classtype:trojan-activity;sid:84718569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.127.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855468/; classtype:trojan-activity;sid:84718568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.102.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855467/; classtype:trojan-activity;sid:84718567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3855466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.134.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855466/; classtype:trojan-activity;sid:84718566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855465/; classtype:trojan-activity;sid:84718565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.56.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855464/; classtype:trojan-activity;sid:84718564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.24.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855463/; classtype:trojan-activity;sid:84718563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.215.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855462/; classtype:trojan-activity;sid:84718562; rev:1;) alert http 
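$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.255.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855461/; classtype:trojan-activity;sid:84718561; rev:1;)
# Each rule below alerts on a plain-HTTP GET from $HOME_NET whose http.uri equals the
# listed path (depth == content length plus endswith, case-insensitive via nocase) and
# whose http.host equals the listed host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.221.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855460/; classtype:trojan-activity;sid:84718560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c28ad606-0cfc-4e1a-be32-a18cceb68a28"; depth:37; endswith; nocase; http.host; content:"cxaxqwe.sm188login.cfd"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855459/; classtype:trojan-activity;sid:84718559; rev:1;)
# NOTE(review): "|3f|" is a single byte ("?"), so the http.uri content below is 44 bytes.
# The feed shipped depth:47 (the escape counted as four characters), which lets up to
# three arbitrary leading bytes precede the pattern. depth:44 restores the exact-URI
# match the sibling rules have. This is a local deviation from the generated feed; the
# length calculation should be corrected in the generator as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=e0adb66b-50eb-42c6-9fff-74f872002aac"; depth:44; endswith; nocase; http.host; content:"635k6cma.uniquetilingsa.com.au"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855458/; classtype:trojan-activity;sid:84718558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ac1cd28e-1a92-496c-99b6-71bbf8851def"; depth:37; endswith; 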
nocase; http.host; content:"gxhkg.sm188dvlv.skin"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855457/; classtype:trojan-activity;sid:84718557; rev:1;)
# Each rule below alerts on a plain-HTTP GET from $HOME_NET whose http.uri equals the
# listed path (depth == content length plus endswith, case-insensitive via nocase) and
# whose http.host equals the listed host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.39.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855456/; classtype:trojan-activity;sid:84718556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/303ff662-de3b-4da7-a570-50e5970be474"; depth:37; endswith; nocase; http.host; content:"mjugj.sm188dvlv.hair"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855455/; classtype:trojan-activity;sid:84718555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855454/; classtype:trojan-activity;sid:84718554; rev:1;)
# NOTE(review): the filename in the next rule matches the usual installer name of the
# ScreenConnect remote-access client. The rule is pinned to one host, so an alert means a
# download from that listed host, not ScreenConnect use in general. Presumably this is an
# unapproved remote-access install; confirm against the URLhaus reference during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"46.151.182.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855453/; classtype:trojan-activity;sid:84718553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3855452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"46.151.182.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855452/; classtype:trojan-activity;sid:84718552; rev:1;)
# Each rule below alerts on a plain-HTTP GET from $HOME_NET whose http.uri equals the
# listed path (depth == content length plus endswith) and whose http.host equals the
# listed host (depth plus isdataat:!1,relative). The path is written in lower case and
# carries nocase, so a mixed-case request for the same filename still matches.
#
# NOTE(review): the two support.client.exe rules use the same two hosts (46.151.182.31
# and 46.151.182.242) as the screenconnect.clientsetup.exe entries in this feed, so alerts
# from these sids are worth correlating per source host. Whether the payloads are related
# cannot be told from the rules; check the URLhaus references.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"46.151.182.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855450/; classtype:trojan-activity;sid:84718550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"46.151.182.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855451/; classtype:trojan-activity;sid:84718551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.255.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855449/; classtype:trojan-activity;sid:84718549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.242.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, 
urlhaus.abuse.ch/url/3855448/; classtype:trojan-activity;sid:84718548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5b113217-1aae-457f-b146-b38fef6bd1c2"; depth:37; endswith; nocase; http.host; content:"kftla.sm188login.sbs"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855447/; classtype:trojan-activity;sid:84718547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.242.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855446/; classtype:trojan-activity;sid:84718546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1cbb343a-23dd-4876-9df0-09664bdf1eba"; depth:37; endswith; nocase; http.host; content:"xxegq.sm188login.sbs"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855445/; classtype:trojan-activity;sid:84718545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.234.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855444/; classtype:trojan-activity;sid:84718544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855443)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.100.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855443/; classtype:trojan-activity;sid:84718543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.39.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855442/; classtype:trojan-activity;sid:84718542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/523b7965-c5ff-4276-9794-b8416e1b6dc7"; depth:37; endswith; nocase; http.host; content:"xsqil.sm188dvlv.skin"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855441/; classtype:trojan-activity;sid:84718541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.249.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855440/; classtype:trojan-activity;sid:84718540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.238.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855438/; classtype:trojan-activity;sid:84718538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3855439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.45.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855439/; classtype:trojan-activity;sid:84718539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.153.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855437/; classtype:trojan-activity;sid:84718537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.177.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855436/; classtype:trojan-activity;sid:84718536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"159.253.120.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855432/; classtype:trojan-activity;sid:84718532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"159.253.120.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855433/; classtype:trojan-activity;sid:84718533; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"159.253.120.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855434/; classtype:trojan-activity;sid:84718534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"159.253.120.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855435/; classtype:trojan-activity;sid:84718535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"159.253.120.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855431/; classtype:trojan-activity;sid:84718531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"159.253.120.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855430/; classtype:trojan-activity;sid:84718530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.210.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; 
reference:url, urlhaus.abuse.ch/url/3855429/; classtype:trojan-activity;sid:84718529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.153.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855428/; classtype:trojan-activity;sid:84718528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.177.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855427/; classtype:trojan-activity;sid:84718527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.100.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855426/; classtype:trojan-activity;sid:84718526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.237.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855425/; classtype:trojan-activity;sid:84718525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.56.45.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855424/; classtype:trojan-activity;sid:84718524; rev:1;)
# Rules restored to one per line. Each alerts on an outbound HTTP GET
# ($HOME_NET -> $EXTERNAL_NET, client side of an established flow) for one URLhaus entry;
# the number in msg and in the reference URL is that entry's id.
# http.uri: depth equal to the pattern length plus endswith pins the pattern to the whole
# buffer (exact URI, case-insensitive through nocase).
# http.host: depth plus isdataat:!1,relative requires the host to begin with the pattern and
# to have no data after it (exact host).
# These are "alert http" rules, so they only see requests the sensor can parse as HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.238.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855423/; classtype:trojan-activity;sid:84718523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c0f07c5b-1e5e-4724-b400-76d91d32b807"; depth:37; endswith; nocase; http.host; content:"rbzsq.sm188login.cfd"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855422/; classtype:trojan-activity;sid:84718522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.103.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855421/; classtype:trojan-activity;sid:84718521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.35.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855420/; classtype:trojan-activity;sid:84718520; rev:1;)
# NOTE(review): |3f| is the hex escape for '?', so the URI pattern below decodes to 44 bytes,
# while depth:47 equals the length of the escaped text. endswith still pins the match to the
# end of the URI, but up to 3 leading bytes are tolerated, unlike the exact-match rules around
# it. Presumably the generator counts the escaped string; confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=4e441814-11bf-4f62-a552-5a40a354f68e"; depth:47; endswith; nocase; http.host; content:"vekdf8au.srlashnbrow.com.au"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855419/; classtype:trojan-activity;sid:84718519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.65.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855418/; classtype:trojan-activity;sid:84718518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"159.253.120.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855417/; classtype:trojan-activity;sid:84718517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.237.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855416/; classtype:trojan-activity;sid:84718516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.237.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855415/;
classtype:trojan-activity;sid:84718515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18ba4fc2-9cb5-4779-b456-85c6418ee76c"; depth:37; endswith; nocase; http.host; content:"jbyap.sm188login.cyou"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855414/; classtype:trojan-activity;sid:84718514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.153.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855413/; classtype:trojan-activity;sid:84718513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.103.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855412/; classtype:trojan-activity;sid:84718512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proto.mpsl"; depth:11; endswith; nocase; http.host; content:"202.71.14.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855407/; classtype:trojan-activity;sid:84718507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proto.arm6"; depth:11; endswith; nocase; http.host; 
content:"202.71.14.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855408/; classtype:trojan-activity;sid:84718508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proto.arm7"; depth:11; endswith; nocase; http.host; content:"202.71.14.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855409/; classtype:trojan-activity;sid:84718509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proto.arm5"; depth:11; endswith; nocase; http.host; content:"202.71.14.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855410/; classtype:trojan-activity;sid:84718510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proto.mips"; depth:11; endswith; nocase; http.host; content:"202.71.14.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855411/; classtype:trojan-activity;sid:84718511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"172.168.163.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855406/; classtype:trojan-activity;sid:84718506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855404)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rondo./xqe.sh"; depth:14; endswith; nocase; http.host; content:"204.10.194.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855404/; classtype:trojan-activity;sid:84718504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rondo./jbt.sh"; depth:14; endswith; nocase; http.host; content:"204.10.194.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855405/; classtype:trojan-activity;sid:84718505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.95.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855403/; classtype:trojan-activity;sid:84718503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.52.153.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855402/; classtype:trojan-activity;sid:84718502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.12.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855401/; classtype:trojan-activity;sid:84718501; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.210.238.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855400/; classtype:trojan-activity;sid:84718500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.48.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855399/; classtype:trojan-activity;sid:84718499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855398/; classtype:trojan-activity;sid:84718498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.210.238.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855397/; classtype:trojan-activity;sid:84718497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3fa7e99e-af1b-4dd9-9c15-e99fea0b7efd"; depth:37; endswith; nocase; http.host; content:"pable.sm188login.rest"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; 
reference:url, urlhaus.abuse.ch/url/3855396/; classtype:trojan-activity;sid:84718496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.226.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855395/; classtype:trojan-activity;sid:84718495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.12.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855394/; classtype:trojan-activity;sid:84718494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.95.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855393/; classtype:trojan-activity;sid:84718493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855392/; classtype:trojan-activity;sid:84718492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"171.38.42.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855391/; classtype:trojan-activity;sid:84718491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855390/; classtype:trojan-activity;sid:84718490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855385/; classtype:trojan-activity;sid:84718485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855386/; classtype:trojan-activity;sid:84718486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855387/; classtype:trojan-activity;sid:84718487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855388)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855388/; classtype:trojan-activity;sid:84718488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855389/; classtype:trojan-activity;sid:84718489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855382/; classtype:trojan-activity;sid:84718482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855383/; classtype:trojan-activity;sid:84718483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"45.84.199.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855384/; classtype:trojan-activity;sid:84718484; rev:1;) 
# Rules restored to one per line. Every rule matches a single exact URL: method GET, the
# whole http.uri buffer (depth + endswith, nocase) and the whole http.host buffer
# (depth + isdataat:!1,relative). A different path or host label on the same infrastructure
# is not covered by these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.226.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855381/; classtype:trojan-activity;sid:84718481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/be700480-6f5d-49a1-ae90-89b497d0f5ec"; depth:37; endswith; nocase; http.host; content:"rzbve.sm188login.sbs"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855380/; classtype:trojan-activity;sid:84718480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.38.42.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855379/; classtype:trojan-activity;sid:84718479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.72.28.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855378/; classtype:trojan-activity;sid:84718478; rev:1;)
# NOTE(review): the URI pattern below contains the hex escape |3f| ('?'), so it decodes to
# 44 bytes while depth:47 is the length of the escaped text. The match is still anchored to
# the end of the URI by endswith, but the start is 3 bytes looser than in the neighbouring
# rules. Presumably depth is computed on the escaped string; confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=6f4cb37b-040c-41a5-b3c1-bbcb836171f3"; depth:47; endswith; nocase; http.host; content:"s61j30vp.snugglebloom.com.au"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855377/; classtype:trojan-activity;sid:84718477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.255.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855376/; classtype:trojan-activity;sid:84718476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a4422a79-8a7a-4e6a-8cca-5fa687d2b897"; depth:37; endswith; nocase; http.host; content:"advbc.sm188dvlv.hair"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855375/; classtype:trojan-activity;sid:84718475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.247.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855374/; classtype:trojan-activity;sid:84718474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.61.234"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855373/; classtype:trojan-activity;sid:84718473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855372)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.255.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855372/; classtype:trojan-activity;sid:84718472; rev:1;)
# Rules restored to one per line. Each one fires on an HTTP GET from $HOME_NET whose URI and
# Host both equal the listed strings (URI: depth + endswith, nocase; Host: depth +
# isdataat:!1,relative).
# NOTE(review): the URI in the next rule is a /supershell/login path rather than a file name,
# while msg carries the feed's generic "malware download URL" text. Presumably this is a
# login or panel page on the listed host; confirm against the URLhaus entry before
# triaging a hit as a payload fetch.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; endswith; nocase; http.host; content:"8.218.120.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855371/; classtype:trojan-activity;sid:84718471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.247.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855370/; classtype:trojan-activity;sid:84718470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3310c827-f621-4684-98e6-4b5b043bdcc0"; depth:37; endswith; nocase; http.host; content:"zzksh.sm188dvlv.rest"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855369/; classtype:trojan-activity;sid:84718469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.0.246"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855368/;
classtype:trojan-activity;sid:84718468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.210.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855367/; classtype:trojan-activity;sid:84718467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.0.246"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855366/; classtype:trojan-activity;sid:84718466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.220.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855365/; classtype:trojan-activity;sid:84718465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8e4b67f6-384e-4cff-b029-ae179948e31d"; depth:37; endswith; nocase; http.host; content:"wrjfn.wlwyb.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855364/; classtype:trojan-activity;sid:84718464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.172"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855363/; classtype:trojan-activity;sid:84718463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.76.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855362/; classtype:trojan-activity;sid:84718462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=|7c|26|7c|c=move0to0other0sc|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:175; endswith; nocase; http.host; content:"femilessn.top"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855361/; classtype:trojan-activity;sid:84718461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d96de9685eddc8d9.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855359/; classtype:trojan-activity;sid:84718459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_0d2d22ba78aa7fcd.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, 
urlhaus.abuse.ch/url/3855360/; classtype:trojan-activity;sid:84718460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.76.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855358/; classtype:trojan-activity;sid:84718458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855357/; classtype:trojan-activity;sid:84718457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.215.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855356/; classtype:trojan-activity;sid:84718456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855355/; classtype:trojan-activity;sid:84718455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.103.121.32"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855354/; classtype:trojan-activity;sid:84718454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a054d958-c1f5-40b7-8de6-0a1e9a904c46"; depth:37; endswith; nocase; http.host; content:"wzpmw.webrevelem.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855353/; classtype:trojan-activity;sid:84718453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855352/; classtype:trojan-activity;sid:84718452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.176.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855351/; classtype:trojan-activity;sid:84718451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.215.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855350/; classtype:trojan-activity;sid:84718450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855349)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.221.253.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855349/; classtype:trojan-activity;sid:84718449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855348/; classtype:trojan-activity;sid:84718448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/df0a2bd973a1"; depth:15; endswith; nocase; http.host; content:"hexfiles.top"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855347/; classtype:trojan-activity;sid:84718447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/270ed203a388"; depth:15; endswith; nocase; http.host; content:"hexfiles.top"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855346/; classtype:trojan-activity;sid:84718446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=d985e9d3-06bd-4cf5-9b50-188c9451a6b6"; depth:47; endswith; nocase; http.host; content:"avjquzsd.seresniki.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855345/; classtype:trojan-activity;sid:84718445; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.236.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855344/; classtype:trojan-activity;sid:84718444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.56.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855343/; classtype:trojan-activity;sid:84718443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855342/; classtype:trojan-activity;sid:84718442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.162.51.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855341/; classtype:trojan-activity;sid:84718441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef9b687c-b972-45f2-8479-af2e85dc341c"; depth:37; endswith; nocase; http.host; content:"tiemj.technologiaiviz.hu"; depth:24; isdataat:!1,relative; metadata:created_at 
2026_05_29; reference:url, urlhaus.abuse.ch/url/3855340/; classtype:trojan-activity;sid:84718440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.102.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855339/; classtype:trojan-activity;sid:84718439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855338/; classtype:trojan-activity;sid:84718438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_90f7a777377c2eee.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855337/; classtype:trojan-activity;sid:84718437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_9ccec9397e556e69.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855335/; classtype:trojan-activity;sid:84718435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855336)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/files-129312398/files/file_3cd2ec64936efbf4.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855336/; classtype:trojan-activity;sid:84718436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8f99359c1d45a20b.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855334/; classtype:trojan-activity;sid:84718434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0095332-c29a-441b-a6a2-997df8e339e7/goog.ct"; depth:45; endswith; nocase; http.host; content:"jnyut.zsatom.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855333/; classtype:trojan-activity;sid:84718433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_cdd4d99f6260455f.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855331/; classtype:trojan-activity;sid:84718431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e4b01466ba6c7a93.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855332/; classtype:trojan-activity;sid:84718432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855330/; classtype:trojan-activity;sid:84718430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.105.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855329/; classtype:trojan-activity;sid:84718429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"14.128.50.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855328/; classtype:trojan-activity;sid:84718428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855327/; classtype:trojan-activity;sid:84718427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"31.162.51.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855326/; classtype:trojan-activity;sid:84718426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855324/; classtype:trojan-activity;sid:84718424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.176.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855325/; classtype:trojan-activity;sid:84718425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/519431b8-bde5-4702-af31-65b311f9cd52"; depth:37; endswith; nocase; http.host; content:"hvpho.visszateritok.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855323/; classtype:trojan-activity;sid:84718423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.105.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855322/; classtype:trojan-activity;sid:84718422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3855321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.96.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855321/; classtype:trojan-activity;sid:84718421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855319/; classtype:trojan-activity;sid:84718419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.89.150.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855320/; classtype:trojan-activity;sid:84718420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.31.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855318/; classtype:trojan-activity;sid:84718418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.105.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855317/; classtype:trojan-activity;sid:84718417; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.10.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855316/; classtype:trojan-activity;sid:84718416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.149.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855315/; classtype:trojan-activity;sid:84718415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.72.28.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855314/; classtype:trojan-activity;sid:84718414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.85.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855313/; classtype:trojan-activity;sid:84718413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bcaaf201-5fb2-4066-aaf0-779e6267e159"; depth:37; endswith; nocase; http.host; content:"tehpm.zsatom.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; 
reference:url, urlhaus.abuse.ch/url/3855312/; classtype:trojan-activity;sid:84718412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.89.150.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855311/; classtype:trojan-activity;sid:84718411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb24.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855310/; classtype:trojan-activity;sid:84718410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb26.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855302/; classtype:trojan-activity;sid:84718402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb15.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855303/; classtype:trojan-activity;sid:84718403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb30.exe"; depth:9; endswith; nocase; http.host; 
content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855304/; classtype:trojan-activity;sid:84718404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb28.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855305/; classtype:trojan-activity;sid:84718405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb27.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855306/; classtype:trojan-activity;sid:84718406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb16.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855307/; classtype:trojan-activity;sid:84718407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb14.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855308/; classtype:trojan-activity;sid:84718408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855309)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/lb29.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855309/; classtype:trojan-activity;sid:84718409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb17.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855300/; classtype:trojan-activity;sid:84718400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb20.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855301/; classtype:trojan-activity;sid:84718401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb21.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855295/; classtype:trojan-activity;sid:84718395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb19.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855296/; classtype:trojan-activity;sid:84718396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
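(msg:"URLhaus Known malware download URL detected (3855297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb18.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855297/; classtype:trojan-activity;sid:84718397; rev:1;)
#
# NOTE(review): layout and matching caveats for the entries in this section.
# - Suricata reads one rule per physical line (a rule continues onto the next
#   line only after a trailing backslash), so the entries below are written one
#   per line. The first and last lines of this section are the tail and the
#   head of rules that continue outside it; they are kept as found.
# - Each entry fires only on a cleartext HTTP GET from $HOME_NET to
#   $EXTERNAL_NET whose URI (case-insensitive) and host buffers equal the
#   listed values: depth plus endswith on http.uri, depth plus
#   isdataat:!1,relative on http.host. The same URL fetched over TLS is not
#   seen by these rules unless traffic is decrypted before inspection.
# - sids 84718386 and 84718347: depth:47 counts the |3f| escape as four
#   characters, while the decoded content is 44 bytes, so these two entries
#   also match when up to three bytes precede the pattern in the URI.
#   depth:44 would make them exact like the other entries.
# - A trailing slash is significant: "/nah11/file.exe" (sid 84718326) does not
#   cover "/nah11/file.exe/", which is why both forms appear as separate
#   entries.
# - Entries carry metadata:created_at 2026_05_29; they describe hosting seen
#   at that time, so load the current feed rather than a stored copy.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb23.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855298/; classtype:trojan-activity;sid:84718398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb22.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855299/; classtype:trojan-activity;sid:84718399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb11.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855292/; classtype:trojan-activity;sid:84718392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb12.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855293/; classtype:trojan-activity;sid:84718393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb13.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855294/; classtype:trojan-activity;sid:84718394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.31.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855291/; classtype:trojan-activity;sid:84718391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855290/; classtype:trojan-activity;sid:84718390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.100.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855289/; classtype:trojan-activity;sid:84718389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.96.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855287/; classtype:trojan-activity;sid:84718387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.149.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855288/; classtype:trojan-activity;sid:84718388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=2c0b51f8-977d-4aca-b8c0-5b5b488ac633"; depth:47; endswith; nocase; http.host; content:"dsc8ybog.schleer.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855286/; classtype:trojan-activity;sid:84718386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.15.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855284/; classtype:trojan-activity;sid:84718384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855285/; classtype:trojan-activity;sid:84718385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/649961c9-a4ad-47db-9ccf-090206987e4b"; depth:37; endswith; nocase; http.host; content:"qaezg.sm188akurat.sbs"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855283/; classtype:trojan-activity;sid:84718383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.90.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855282/; classtype:trojan-activity;sid:84718382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.26.195.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855281/; classtype:trojan-activity;sid:84718381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.100.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855280/; classtype:trojan-activity;sid:84718380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.90.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855279/; classtype:trojan-activity;sid:84718379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.173.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855278/; classtype:trojan-activity;sid:84718378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.10.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855277/; classtype:trojan-activity;sid:84718377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.15.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855276/; classtype:trojan-activity;sid:84718376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f51dd4fa-bba5-4107-ae67-8827e1131458"; depth:37; endswith; nocase; http.host; content:"mfrpd.sm188daftar.cfd"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855275/; classtype:trojan-activity;sid:84718375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/97018d57-874a-4e5a-a011-894d422e3a6f"; depth:37; endswith; nocase; http.host; content:"tooca.sm188daftar.skin"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855274/; classtype:trojan-activity;sid:84718374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.202.215.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855273/; classtype:trojan-activity;sid:84718373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.173.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855272/; classtype:trojan-activity;sid:84718372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.67.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855271/; classtype:trojan-activity;sid:84718371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.240.255.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855270/; classtype:trojan-activity;sid:84718370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.205.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855269/; classtype:trojan-activity;sid:84718369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855268/; classtype:trojan-activity;sid:84718368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.240.255.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855267/; classtype:trojan-activity;sid:84718367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.155.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855266/; classtype:trojan-activity;sid:84718366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.67.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855265/; classtype:trojan-activity;sid:84718365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.166.209.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855264/; classtype:trojan-activity;sid:84718364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.0.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855263/; classtype:trojan-activity;sid:84718363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.3.243"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855262/; classtype:trojan-activity;sid:84718362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b85b1637-1849-4b75-bdbe-a7c462b5a26e"; depth:37; endswith; nocase; http.host; content:"qbtnd.sm188dvlv.cfd"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855261/; classtype:trojan-activity;sid:84718361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855260/; classtype:trojan-activity;sid:84718360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855257/; classtype:trojan-activity;sid:84718357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855258/; classtype:trojan-activity;sid:84718358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855259/; classtype:trojan-activity;sid:84718359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855256/; classtype:trojan-activity;sid:84718356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855249/; classtype:trojan-activity;sid:84718349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855250/; classtype:trojan-activity;sid:84718350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855251/; classtype:trojan-activity;sid:84718351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855252/; classtype:trojan-activity;sid:84718352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855253/; classtype:trojan-activity;sid:84718353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855254/; classtype:trojan-activity;sid:84718354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.139.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855255/; classtype:trojan-activity;sid:84718355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.115.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855248/; classtype:trojan-activity;sid:84718348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=044148fa-e522-4250-85a3-8806814165d4"; depth:47; endswith; nocase; http.host; content:"nblvwres.stgsolar.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855247/; classtype:trojan-activity;sid:84718347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855246/; classtype:trojan-activity;sid:84718346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855245/; classtype:trojan-activity;sid:84718345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855239/; classtype:trojan-activity;sid:84718339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855240/; classtype:trojan-activity;sid:84718340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855241/; classtype:trojan-activity;sid:84718341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855242/; classtype:trojan-activity;sid:84718342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855243/; classtype:trojan-activity;sid:84718343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855244/; classtype:trojan-activity;sid:84718344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855238/; classtype:trojan-activity;sid:84718338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.6.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855237/; classtype:trojan-activity;sid:84718337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_666e9cf30b4ca362.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855236/; classtype:trojan-activity;sid:84718336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.250.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855235/; classtype:trojan-activity;sid:84718335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b9f5fb58-c055-435a-a1ca-5d1f6e5df1d0"; depth:37; endswith; nocase; http.host; content:"pixey.lampaoszlopbolt.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855234/; classtype:trojan-activity;sid:84718334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855233/; classtype:trojan-activity;sid:84718333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.66.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855232/; classtype:trojan-activity;sid:84718332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.9.25"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855231/; classtype:trojan-activity;sid:84718331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well/random.exe/"; depth:17; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855229/; classtype:trojan-activity;sid:84718329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom/random.exe"; depth:16; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855230/; classtype:trojan-activity;sid:84718330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cost/build.exe"; depth:15; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855225/; classtype:trojan-activity;sid:84718325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nah11/file.exe"; depth:15; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855226/; classtype:trojan-activity;sid:84718326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1e6327727d411740.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855227/; classtype:trojan-activity;sid:84718327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d369551b73a17113.msi/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855228/; classtype:trojan-activity;sid:84718328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.66.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855224/; classtype:trojan-activity;sid:84718324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7d01c44e3628c3f5.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855197/; classtype:trojan-activity;sid:84718297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_91aca91ebbe1b031.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855198/; classtype:trojan-activity;sid:84718298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_f82e3c02c153f34c.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855199/; classtype:trojan-activity;sid:84718299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/index.php"; depth:21; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855200/; classtype:trojan-activity;sid:84718300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_b0b4b0878640b39e.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855201/; classtype:trojan-activity;sid:84718301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8717422379/bkrjaut.exe07ab97d7aeesdb"; depth:43; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855202/; classtype:trojan-activity;sid:84718302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8370492159/5buqavl.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855203/; classtype:trojan-activity;sid:84718303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7377994722/cyqxspn.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855204/; classtype:trojan-activity;sid:84718304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_493059e7d0c25c4e.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855205/; classtype:trojan-activity;sid:84718305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8370492159/090uxhz.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855206/; classtype:trojan-activity;sid:84718306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_58172909a01f97ec.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855207/; classtype:trojan-activity;sid:84718307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ca18e602c7a72d9c.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855208/; classtype:trojan-activity;sid:84718308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7df0584ffde92dad.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855209/; classtype:trojan-activity;sid:84718309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_05e451303f19b057.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855210/; classtype:trojan-activity;sid:84718310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3128548b360e043a.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855211/; classtype:trojan-activity;sid:84718311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/xfsds2p.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855212/; classtype:trojan-activity;sid:84718312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8829a458a496e6ef.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855213/; classtype:trojan-activity;sid:84718313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fd7b5d0935bcfaad.exe/"; depth:49; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855214/; classtype:trojan-activity;sid:84718314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/am2.exe"; depth:12; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855215/; classtype:trojan-activity;sid:84718315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps/zcakwdnvadwd.ps1"; depth:20; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855216/; classtype:trojan-activity;sid:84718316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mem/program.exe"; depth:16; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855217/; classtype:trojan-activity;sid:84718317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/div/55.ps1"; depth:11; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855218/; classtype:trojan-activity;sid:84718318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/div/53.ps1"; depth:11; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855219/; classtype:trojan-activity;sid:84718319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nah11/file.exe/"; depth:16; 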
endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855220/; classtype:trojan-activity;sid:84718320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nah11/test.exe"; depth:15; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855221/; classtype:trojan-activity;sid:84718321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mem/program.exe/"; depth:17; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855222/; classtype:trojan-activity;sid:84718322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/at11/random.exe"; depth:16; endswith; nocase; http.host; content:"89.125.188.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855223/; classtype:trojan-activity;sid:84718323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/believepuppet"; depth:14; endswith; nocase; http.host; content:"paste.sensio.no"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855196/; classtype:trojan-activity;sid:84718296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3855195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gs/gamechanger.js"; depth:18; endswith; nocase; http.host; content:"kollins.co.za"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855195/; classtype:trojan-activity;sid:84718295; rev:1;)
# How to read the rules below: each one fires on a client GET request whose
# http.uri is exactly the listed path (depth equals the pattern length, plus
# endswith; nocase makes the path comparison case-insensitive) and whose
# http.host is exactly the listed host (depth plus isdataat:!1,relative).
# Only request-side keywords are used, so an alert means the URL was requested,
# not that a payload was delivered; check the response status and size in
# triage.
# "alert http" only sees traffic that Suricata parses as HTTP. A fetch of the
# same URL over TLS is not covered unless traffic is decrypted upstream.
# NOTE(review): the workers.dev host below sits on a shared platform domain
# that is commonly reached over HTTPS. Confirm coverage from TLS SNI or proxy logs.
# Short paths such as "/i" carry no specificity of their own; those rules
# depend entirely on the exact host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855194/; classtype:trojan-activity;sid:84718294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.65.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855193/; classtype:trojan-activity;sid:84718293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ns9-9zty-n247-ux3j/img_qehyar.png"; depth:35; endswith; nocase; http.host; content:"small-morning-8be0.fsocietyandtools.workers.dev"; depth:47; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855192/; classtype:trojan-activity;sid:84718292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stego_payload.png"; depth:18; endswith; nocase; http.host; content:"ritubohara.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; 
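reference:url, urlhaus.abuse.ch/url/3855191/; classtype:trojan-activity;sid:84718291; rev:1;)
# Each rule below fires on a client GET whose http.uri equals the listed path
# (depth equal to the pattern length, plus endswith; nocase on the path) and
# whose http.host equals the listed host (depth plus isdataat:!1,relative).
# The rules inspect the request only, so an alert shows that the URL was
# requested, not that the download completed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imag.png"; depth:9; endswith; nocase; http.host; content:"ritubohara.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855190/; classtype:trojan-activity;sid:84718290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syst3md"; depth:8; endswith; nocase; http.host; content:"62.60.130.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855188/; classtype:trojan-activity;sid:84718288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log"; depth:4; endswith; nocase; http.host; content:"62.60.130.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855189/; classtype:trojan-activity;sid:84718289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855187/; classtype:trojan-activity;sid:84718286; rev:1;)
# In the next rule |3f| is one byte ("?"), so the decoded URI pattern is
# 44 bytes long: "/" + "?" + "ublib=" + the 36-character identifier. The feed
# shipped depth:47, the length of the undecoded text, which let the pattern
# sit up to 3 bytes into the buffer instead of at its start. depth is set to
# 44 so this rule is anchored at offset 0 like every other rule in the file.
# This is a local correction to a generated feed and will be overwritten on
# the next ruleset update unless it is fixed at the source.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=63e88b25-86dc-4131-a28f-69a71dca394e"; depth:44; endswith; nocase; http.host; content:"dvzzer4n.parossag.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855186/; classtype:trojan-activity;sid:84718286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.1.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855185/; classtype:trojan-activity;sid:84718285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.56.232.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855184/; classtype:trojan-activity;sid:84718284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a479652d-1bb1-45d0-a83a-94e4b238fe0d"; depth:37; endswith; nocase; http.host; content:"fjtdm.sm188wing.cyou"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855183/; classtype:trojan-activity;sid:84718283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.115.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855181/; classtype:trojan-activity;sid:84718281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 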
download URL detected (3855182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855182/; classtype:trojan-activity;sid:84718282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.1.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855180/; classtype:trojan-activity;sid:84718280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20dcb803-2bfa-44e4-8390-def8fb97d642"; depth:37; endswith; nocase; http.host; content:"gzhcn.sm188login.sbs"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855179/; classtype:trojan-activity;sid:84718279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855178/; classtype:trojan-activity;sid:84718278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//mips"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855176/; 
classtype:trojan-activity;sid:84718276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u"; depth:2; endswith; nocase; http.host; content:"154.89.148.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855177/; classtype:trojan-activity;sid:84718277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//x86"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855170/; classtype:trojan-activity;sid:84718270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855171/; classtype:trojan-activity;sid:84718271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855172/; classtype:trojan-activity;sid:84718272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; 
content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855173/; classtype:trojan-activity;sid:84718273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855174/; classtype:trojan-activity;sid:84718274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855175/; classtype:trojan-activity;sid:84718275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sh4"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855163/; classtype:trojan-activity;sid:84718263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sparc"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855164/; classtype:trojan-activity;sid:84718264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855165)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855165/; classtype:trojan-activity;sid:84718265; rev:1;)
# The rules below share one host and differ only in the last path segment,
# which is named after a CPU architecture. Each requires an exact http.uri
# match (depth equal to the pattern length, plus endswith) that begins with
# two slashes.
# NOTE(review): http.uri is Suricata's normalized URI buffer. Confirm that the
# sensor's HTTP normalization settings leave the leading "//" intact. If
# repeated path separators are collapsed, these patterns cannot match, and the
# unnormalized http.uri.raw buffer would be the one to inspect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855166/; classtype:trojan-activity;sid:84718266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//m68k"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855167/; classtype:trojan-activity;sid:84718267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//ppc"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855168/; classtype:trojan-activity;sid:84718268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm6"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855169/; classtype:trojan-activity;sid:84718269; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855155/; classtype:trojan-activity;sid:84718255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855156/; classtype:trojan-activity;sid:84718256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855157/; classtype:trojan-activity;sid:84718257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855158/; classtype:trojan-activity;sid:84718258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855159/; classtype:trojan-activity;sid:84718259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855160/; classtype:trojan-activity;sid:84718260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855161/; classtype:trojan-activity;sid:84718261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//i686"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855162/; classtype:trojan-activity;sid:84718262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips64"; depth:23; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855153/; classtype:trojan-activity;sid:84718253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855154)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.69.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855154/; classtype:trojan-activity;sid:84718254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sparc"; depth:22; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855152/; classtype:trojan-activity;sid:84718252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"159.65.6.197"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855151/; classtype:trojan-activity;sid:84718251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//x86_64"; depth:8; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855146/; classtype:trojan-activity;sid:84718246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arc"; depth:5; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855147/; classtype:trojan-activity;sid:84718247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3855148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//mipsl"; depth:7; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855148/; classtype:trojan-activity;sid:84718248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//mips64"; depth:8; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855149/; classtype:trojan-activity;sid:84718249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm7"; depth:6; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855150/; classtype:trojan-activity;sid:84718250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.144.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855145/; classtype:trojan-activity;sid:84718245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/npc"; depth:4; endswith; nocase; http.host; content:"38.47.108.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855144/; 
classtype:trojan-activity;sid:84718244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855137/; classtype:trojan-activity;sid:84718237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855138/; classtype:trojan-activity;sid:84718238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855139/; classtype:trojan-activity;sid:84718239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855140/; classtype:trojan-activity;sid:84718240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"31.56.209.72"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855141/; classtype:trojan-activity;sid:84718241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855142/; classtype:trojan-activity;sid:84718242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855143/; classtype:trojan-activity;sid:84718243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855133/; classtype:trojan-activity;sid:84718233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855134/; classtype:trojan-activity;sid:84718234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855135)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855135/; classtype:trojan-activity;sid:84718235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855136/; classtype:trojan-activity;sid:84718236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/kythy1.exe"; depth:20; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855131/; classtype:trojan-activity;sid:84718231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e3fba633-a8bf-4401-9a73-ea5cf79d0858"; depth:37; endswith; nocase; http.host; content:"zqyij.sm188login.rest"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855132/; classtype:trojan-activity;sid:84718232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855130/; classtype:trojan-activity;sid:84718230; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nancore.msi"; depth:12; endswith; nocase; http.host; content:"admirable-dolphin-7483f8.netlify.app"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855129/; classtype:trojan-activity;sid:84718229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.226.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855128/; classtype:trojan-activity;sid:84718228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/crz.exe"; depth:17; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855127/; classtype:trojan-activity;sid:84718227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jufprujs.exe"; depth:22; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855126/; classtype:trojan-activity;sid:84718226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/kjljljw9.exe"; depth:22; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855125/; classtype:trojan-activity;sid:84718225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/kythy.exe"; depth:15; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855124/; classtype:trojan-activity;sid:84718224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/onbud.exe"; depth:19; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855119/; classtype:trojan-activity;sid:84718219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vwaht.exe"; depth:19; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855120/; classtype:trojan-activity;sid:84718220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/ljhkkuu7.exe"; depth:22; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855121/; classtype:trojan-activity;sid:84718221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855122)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/load/os1/kuhjkuh9.exe"; depth:22; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855122/; classtype:trojan-activity;sid:84718222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/inus.exe"; depth:18; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855123/; classtype:trojan-activity;sid:84718223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/bjbh.exe"; depth:14; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855116/; classtype:trojan-activity;sid:84718216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/hnmh.exe"; depth:14; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855117/; classtype:trojan-activity;sid:84718217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/ojujn.exe"; depth:15; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855118/; classtype:trojan-activity;sid:84718218; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/kliulij.exe"; depth:17; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855115/; classtype:trojan-activity;sid:84718215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/ww7.exe"; depth:17; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855113/; classtype:trojan-activity;sid:84718213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/gxjgd.exe"; depth:19; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855114/; classtype:trojan-activity;sid:84718214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cry.exe"; depth:17; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855111/; classtype:trojan-activity;sid:84718211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vibo.exe"; depth:18; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855112/; classtype:trojan-activity;sid:84718212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jghkyh7.exe"; depth:21; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855108/; classtype:trojan-activity;sid:84718208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vbiqp.exe"; depth:19; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855109/; classtype:trojan-activity;sid:84718209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/somaliacruises.exe"; depth:28; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855110/; classtype:trojan-activity;sid:84718210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/urgoy.exe"; depth:19; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855100/; classtype:trojan-activity;sid:84718200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855101)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/load/os1/hkdfkhfd19.exe"; depth:24; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855101/; classtype:trojan-activity;sid:84718201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/beb.exe"; depth:17; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855102/; classtype:trojan-activity;sid:84718202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/hjbk.exe"; depth:14; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855103/; classtype:trojan-activity;sid:84718203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/jhgkuyyg.exe"; depth:18; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855104/; classtype:trojan-activity;sid:84718204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/u.exe"; depth:15; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855105/; classtype:trojan-activity;sid:84718205; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jlffdd.exe"; depth:20; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855106/; classtype:trojan-activity;sid:84718206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cxmfd.exe"; depth:19; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855107/; classtype:trojan-activity;sid:84718207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vkkqj.exe"; depth:19; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855098/; classtype:trojan-activity;sid:84718198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/gkguied.exe"; depth:21; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855099/; classtype:trojan-activity;sid:84718199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/sdfdsf.exe"; depth:20; endswith; nocase; http.host; content:"host4file.cc"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855095/; classtype:trojan-activity;sid:84718195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/statingconnectors.exe"; depth:31; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855096/; classtype:trojan-activity;sid:84718196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jkhkj7.exe"; depth:20; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855097/; classtype:trojan-activity;sid:84718197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cuservice.exe"; depth:23; endswith; nocase; http.host; content:"host4file.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855094/; classtype:trojan-activity;sid:84718194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/crz.exe"; depth:17; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855093/; classtype:trojan-activity;sid:84718193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855091)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/beb.exe"; depth:17; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855091/; classtype:trojan-activity;sid:84718191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jufprujs.exe"; depth:22; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855092/; classtype:trojan-activity;sid:84718192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vibo.exe"; depth:18; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855087/; classtype:trojan-activity;sid:84718187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vwaht.exe"; depth:19; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855088/; classtype:trojan-activity;sid:84718188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/inus.exe"; depth:18; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855089/; 
classtype:trojan-activity;sid:84718189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/onbud.exe"; depth:19; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855090/; classtype:trojan-activity;sid:84718190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/bjbh.exe"; depth:14; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855081/; classtype:trojan-activity;sid:84718181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/u.exe"; depth:15; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855082/; classtype:trojan-activity;sid:84718182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/kjljljw9.exe"; depth:22; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855083/; classtype:trojan-activity;sid:84718183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jghkyh7.exe"; depth:21; endswith; nocase; 
http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855084/; classtype:trojan-activity;sid:84718184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/kythy1.exe"; depth:20; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855085/; classtype:trojan-activity;sid:84718185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/ljhkkuu7.exe"; depth:22; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855086/; classtype:trojan-activity;sid:84718186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/hnmh.exe"; depth:14; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855080/; classtype:trojan-activity;sid:84718180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/ojujn.exe"; depth:15; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855076/; classtype:trojan-activity;sid:84718176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3855077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/hjbk.exe"; depth:14; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855077/; classtype:trojan-activity;sid:84718177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jkhkj7.exe"; depth:20; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855078/; classtype:trojan-activity;sid:84718178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/ww7.exe"; depth:17; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855079/; classtype:trojan-activity;sid:84718179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/gkguied.exe"; depth:21; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855070/; classtype:trojan-activity;sid:84718170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/kythy.exe"; depth:15; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, 
urlhaus.abuse.ch/url/3855071/; classtype:trojan-activity;sid:84718171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/jhgkuyyg.exe"; depth:18; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855072/; classtype:trojan-activity;sid:84718172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/hkdfkhfd19.exe"; depth:24; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855073/; classtype:trojan-activity;sid:84718173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vbiqp.exe"; depth:19; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855074/; classtype:trojan-activity;sid:84718174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/kliulij.exe"; depth:17; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855075/; classtype:trojan-activity;sid:84718175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855069)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/load/os1/jlffdd.exe"; depth:20; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855069/; classtype:trojan-activity;sid:84718169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cuservice.exe"; depth:23; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855066/; classtype:trojan-activity;sid:84718166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/sdfdsf.exe"; depth:20; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855067/; classtype:trojan-activity;sid:84718167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/somaliacruises.exe"; depth:28; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855068/; classtype:trojan-activity;sid:84718168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/statingconnectors.exe"; depth:31; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855065/; classtype:trojan-activity;sid:84718165; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/gxjgd.exe"; depth:19; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855063/; classtype:trojan-activity;sid:84718163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cxmfd.exe"; depth:19; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855064/; classtype:trojan-activity;sid:84718164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cry.exe"; depth:17; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855062/; classtype:trojan-activity;sid:84718162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/kuhjkuh9.exe"; depth:22; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855061/; classtype:trojan-activity;sid:84718161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/urgoy.exe"; depth:19; endswith; nocase; http.host; 
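content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855060/; classtype:trojan-activity;sid:84718160; rev:1;)
# Exact-URL rules: each alerts on an outbound GET ($HOME_NET -> $EXTERNAL_NET, client side of an
# established flow) whose URI and Host header both equal one URLhaus-listed download URL.
# depth equals the pattern length and endswith / isdataat:!1,relative pin the end of the buffer,
# so the match is for the whole URI and the whole host name, not a substring.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vkkqj.exe"; depth:19; endswith; nocase; http.host; content:"cloud55file.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855059/; classtype:trojan-activity;sid:84718159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855057/; classtype:trojan-activity;sid:84718157; rev:1;)
# FIX (sid 84718158): the query-string separators were written as |7c|26|7c|. |7c| is the hex
# escape for the pipe character, so that sequence matches the four literal bytes "|26|" and never
# an ampersand; the rule could not fire on a request for this URL. The separators are now |26|
# ("&") and depth is the decoded pattern length (165 bytes) instead of the length of the escaped
# text (195), which restores the exact-match anchoring the other rules have.
# NOTE(review): this is a local correction to a generated feed rule; a refreshed ruleset will
# presumably overwrite it, so the escaping should also be reported upstream.
# NOTE(review): ex=/is=/hm= look like per-link signature parameters, so the match is tied to this
# one link; the host is a shared CDN that is presumably served over TLS, in which case an
# "alert http" rule only sees the request where traffic is decrypted. Confirm before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1490900873822474320/1508137801701658734/clean_nightcord.rar|3f|ex=6a19b847|26|is=6a1866c7|26|hm=c3b982c7ed7e8bbcce7b6b72b1a5d374bd71378806b528d3607242b9a0f844c3|26|"; depth:165; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855058/; classtype:trojan-activity;sid:84718158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7d01c44e3628c3f5.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 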
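2026_05_29; reference:url, urlhaus.abuse.ch/url/3855056/; classtype:trojan-activity;sid:84718156; rev:1;)
# Exact-URL rules: each alerts on an outbound GET ($HOME_NET -> $EXTERNAL_NET, client side of an
# established flow) whose URI and Host header both equal one URLhaus-listed download URL.
# NOTE(review): the URI pattern of sid 84718153 is just "/", so it fires on any GET of the site
# root of that host; triage it as a host-level hit rather than a specific file download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"desktop-app.click"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855053/; classtype:trojan-activity;sid:84718153; rev:1;)
# FIX (sid 84718154): depth was 58, the length of the escaped text; |3f| decodes to one byte ("?"),
# so the pattern is 55 bytes long. With depth:58 plus endswith the URI could carry up to three
# extra leading bytes and still match. depth:55 makes it an exact match like the other rules.
# NOTE(review): local correction to a generated feed rule; a refreshed ruleset will presumably
# overwrite it, so the depth calculation should also be reported upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug/loader.sh|3f|build=94dabb3c6bb6d13338b7dadcc1432c4a"; depth:55; endswith; nocase; http.host; content:"qw4c12qqqqoepwq.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855054/; classtype:trojan-activity;sid:84718154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_45d1704c898d14f8.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855055/; classtype:trojan-activity;sid:84718155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855048/; classtype:trojan-activity;sid:84718148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855049)"; 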
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855049/; classtype:trojan-activity;sid:84718149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855050/; classtype:trojan-activity;sid:84718150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"31.56.209.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855051/; classtype:trojan-activity;sid:84718151; rev:1;)
# NOTE(review): in the http.uri content below, "|3f|" is the hex escape for "?"
# but "|7c|" is the hex escape for a literal "|", so every "|7c|26|7c|" decodes
# to the four bytes |26| and not to "&" (0x26). The parameters a, token, rv, src
# and mode are presumably joined by "&" in the listed URL; if so, this signature
# cannot match the real request. It looks as if an already hex-encoded "&" was
# escaped a second time by the feed generator. Verify against the URLhaus
# entry; if confirmed, report it upstream and carry a local rule that writes
# the separator as "|26|" with depth set to the decoded pattern length.
# depth:208 is the length of the escaped text, not of the decoded bytes, so
# depth does not pin the pattern to offset 0 here; only endswith anchors it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php|3f|a=dl|7c|26|7c|token=8caaf953d89478b8a7191eb32295c117a310b53ac9059d4ad69a1e397ec3b2d4|7c|26|7c|rv=ab62effa5c33ec478e5f054b773a4ee7|7c|26|7c|src=majesticlubricants.com|7c|26|7c|mode=cloudflare"; depth:208; endswith; nocase; http.host; content:"megamegalodon.click"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855052/; classtype:trojan-activity;sid:84718152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855047)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/debug/payload.applescript|3f|build=94dabb3c6bb6d13338b7dadcc1432c4a"; depth:68; endswith; nocase; http.host; content:"qw4c12qqqqoepwq.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855047/; classtype:trojan-activity;sid:84718147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_b0b4b0878640b39e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855038/; classtype:trojan-activity;sid:84718138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_23072663be1ad896.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855039/; classtype:trojan-activity;sid:84718139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_42a45fe118a2b7f7.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855040/; classtype:trojan-activity;sid:84718140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_759c91dbd997474a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855041/; classtype:trojan-activity;sid:84718141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_58172909a01f97ec.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855042/; classtype:trojan-activity;sid:84718142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1b5fffcbdaeda72e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855043/; classtype:trojan-activity;sid:84718143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_aa41fd6af11d1007.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855044/; classtype:trojan-activity;sid:84718144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5b4533c16578801d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855045/; classtype:trojan-activity;sid:84718145; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1e6327727d411740.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855046/; classtype:trojan-activity;sid:84718146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f2dd47b5-0d5b-45ce-9af8-2ae01b6d3085"; depth:37; endswith; nocase; http.host; content:"nzaqn.sm188login.cyou"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855037/; classtype:trojan-activity;sid:84718137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.42.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855036/; classtype:trojan-activity;sid:84718136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.117.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855035/; classtype:trojan-activity;sid:84718135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d71363d-12e8-4281-826c-95ad27314a6d"; depth:37; endswith; nocase; http.host; 
content:"mzpyn.sm188login.cfd"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855034/; classtype:trojan-activity;sid:84718134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.149.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855033/; classtype:trojan-activity;sid:84718133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=20bb2940-3f79-4b97-92ed-730c00d1cdbe"; depth:47; endswith; nocase; http.host; content:"xqorxfh1.seresniki.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855032/; classtype:trojan-activity;sid:84718132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"206.237.30.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855031/; classtype:trojan-activity;sid:84718131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.115.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855030/; classtype:trojan-activity;sid:84718130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3855029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; endswith; nocase; http.host; content:"154.89.148.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855029/; classtype:trojan-activity;sid:84718129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; endswith; nocase; http.host; content:"154.89.148.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855027/; classtype:trojan-activity;sid:84718127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u"; depth:2; endswith; nocase; http.host; content:"154.89.148.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855028/; classtype:trojan-activity;sid:84718128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.72.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855026/; classtype:trojan-activity;sid:84718126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6e692ac2-d9aa-434b-89c2-e3c75d29488d"; depth:37; endswith; nocase; http.host; content:"uzysz.sm188dvlv.skin"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855025/; 
classtype:trojan-activity;sid:84718125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855024/; classtype:trojan-activity;sid:84718124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.13.149.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855023/; classtype:trojan-activity;sid:84718123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.115.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855022/; classtype:trojan-activity;sid:84718122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.42.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855021/; classtype:trojan-activity;sid:84718121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71252fbe-b657-46e0-8f80-32f07391f418"; depth:37; endswith; nocase; http.host; 
content:"slrsd.sm188dvlv.rest"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855020/; classtype:trojan-activity;sid:84718120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.24.10.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855019/; classtype:trojan-activity;sid:84718119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f826c31f-8654-463d-9077-915c8b55ec46"; depth:37; endswith; nocase; http.host; content:"skgya.sm188dvlv.hair"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855018/; classtype:trojan-activity;sid:84718118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.41.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855017/; classtype:trojan-activity;sid:84718117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.146.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855016/; classtype:trojan-activity;sid:84718116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855015)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.24.10.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855015/; classtype:trojan-activity;sid:84718115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/500c64d4-983b-40aa-9359-7b4041d6bb4b"; depth:37; endswith; nocase; http.host; content:"zntck.sm188dvlv.cfd"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855014/; classtype:trojan-activity;sid:84718114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.226.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855013/; classtype:trojan-activity;sid:84718113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.202.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855012/; classtype:trojan-activity;sid:84718112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.41.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855011/; classtype:trojan-activity;sid:84718111; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.146.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855010/; classtype:trojan-activity;sid:84718110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=c217a950-baf0-4d7c-b7ae-9f9bd27266c6"; depth:47; endswith; nocase; http.host; content:"nwtca6gs.schleer.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855009/; classtype:trojan-activity;sid:84718109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0a9ac4b6-50ac-47fc-a3df-567b10ef68c1"; depth:37; endswith; nocase; http.host; content:"gvshj.sm188daftar.skin"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855008/; classtype:trojan-activity;sid:84718108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.73.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855007/; classtype:trojan-activity;sid:84718107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"61.53.202.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855006/; classtype:trojan-activity;sid:84718106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.120.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855005/; classtype:trojan-activity;sid:84718105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.119.182.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855004/; classtype:trojan-activity;sid:84718104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.190.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855003/; classtype:trojan-activity;sid:84718103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.73.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855002/; classtype:trojan-activity;sid:84718102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855001)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/a4595256-e879-47e1-993c-080129317140"; depth:37; endswith; nocase; http.host; content:"txfbc.sm188daftar.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855001/; classtype:trojan-activity;sid:84718101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3855000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.244.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3855000/; classtype:trojan-activity;sid:84718100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.100.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854999/; classtype:trojan-activity;sid:84718099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.118.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854998/; classtype:trojan-activity;sid:84718098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/lterouter"; depth:13; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854997/; classtype:trojan-activity;sid:84718097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3854996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.183.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854996/; classtype:trojan-activity;sid:84718096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.119.182.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854995/; classtype:trojan-activity;sid:84718095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.190.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854994/; classtype:trojan-activity;sid:84718094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.98.97.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854993/; classtype:trojan-activity;sid:84718093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv7l"; depth:10; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854992/; 
classtype:trojan-activity;sid:84718092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv4l"; depth:10; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854991/; classtype:trojan-activity;sid:84718091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv5l"; depth:10; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854986/; classtype:trojan-activity;sid:84718086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mpsl"; depth:8; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854987/; classtype:trojan-activity;sid:84718087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/aarch64"; depth:11; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854988/; classtype:trojan-activity;sid:84718088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/x86_64"; depth:10; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854989/; classtype:trojan-activity;sid:84718089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv6l"; depth:10; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854990/; classtype:trojan-activity;sid:84718090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/m68k"; depth:8; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854984/; classtype:trojan-activity;sid:84718084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/sh4"; depth:7; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854985/; classtype:trojan-activity;sid:84718085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/ppc"; depth:7; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854982/; classtype:trojan-activity;sid:84718082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854983)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/n2/mips64"; depth:10; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854983/; classtype:trojan-activity;sid:84718083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05d41b41-46d1-468c-bfa6-7fed2af2275d"; depth:37; endswith; nocase; http.host; content:"vkdif.sm188daftar.cfd"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854981/; classtype:trojan-activity;sid:84718081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.183.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854980/; classtype:trojan-activity;sid:84718080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/tbk"; depth:7; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854979/; classtype:trojan-activity;sid:84718079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/x86"; depth:7; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854978/; classtype:trojan-activity;sid:84718078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3854977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mips"; depth:8; endswith; nocase; http.host; content:"51.81.104.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854977/; classtype:trojan-activity;sid:84718077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.77.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854976/; classtype:trojan-activity;sid:84718076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.98.97.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854975/; classtype:trojan-activity;sid:84718075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0b8b55bc-90c6-4674-b9a7-d9634de4dfdd"; depth:37; endswith; nocase; http.host; content:"chhul.sm188akurat.sbs"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854974/; classtype:trojan-activity;sid:84718074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.56.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, 
urlhaus.abuse.ch/url/3854973/; classtype:trojan-activity;sid:84718073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.244.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854972/; classtype:trojan-activity;sid:84718072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.90.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854971/; classtype:trojan-activity;sid:84718071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.86.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854970/; classtype:trojan-activity;sid:84718070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.56.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854969/; classtype:trojan-activity;sid:84718069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3db4852f-3eb6-434c-9be6-75086eaf3c49"; depth:37; endswith; nocase; 
http.host; content:"jrszz.popi999.net"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854968/; classtype:trojan-activity;sid:84718068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.245.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854967/; classtype:trojan-activity;sid:84718067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.134.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854966/; classtype:trojan-activity;sid:84718066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=f30359cb-cca7-4996-875c-24c22a93ff96"; depth:47; endswith; nocase; http.host; content:"2c5gt5bd.seresniki.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854965/; classtype:trojan-activity;sid:84718065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.66.88"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854964/; classtype:trojan-activity;sid:84718064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3854963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f2bab7b1-1e71-474b-a669-9858138c4605"; depth:37; endswith; nocase; http.host; content:"eibnb.slotmacau188z.bond"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854963/; classtype:trojan-activity;sid:84718063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.3.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854962/; classtype:trojan-activity;sid:84718062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.144.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854961/; classtype:trojan-activity;sid:84718061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.86.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854960/; classtype:trojan-activity;sid:84718060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.87.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854959/; 
classtype:trojan-activity;sid:84718059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.66.88"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854958/; classtype:trojan-activity;sid:84718058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.134.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854957/; classtype:trojan-activity;sid:84718057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3a64119b-4c3f-40b7-aad1-5c56c49081c9"; depth:37; endswith; nocase; http.host; content:"yznfo.slotmacau188q.hair"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854956/; classtype:trojan-activity;sid:84718056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.87.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854955/; classtype:trojan-activity;sid:84718055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/70e21bb2-cd57-41b2-bd96-b02416d3dccc"; depth:37; endswith; 
nocase; http.host; content:"hunzm.slotmacau188k.sbs"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854954/; classtype:trojan-activity;sid:84718054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proto.x86"; depth:10; endswith; nocase; http.host; content:"202.71.14.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854953/; classtype:trojan-activity;sid:84718053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.240.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854952/; classtype:trojan-activity;sid:84718052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854951/; classtype:trojan-activity;sid:84718051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.240.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854950/; classtype:trojan-activity;sid:84718050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854949)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d45ab30c-80eb-411e-96d9-b0f931a7885a"; depth:37; endswith; nocase; http.host; content:"ywrav.slotmacau188ab.sbs"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854949/; classtype:trojan-activity;sid:84718049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.132.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854948/; classtype:trojan-activity;sid:84718048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.0.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854947/; classtype:trojan-activity;sid:84718047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.132.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_29; reference:url, urlhaus.abuse.ch/url/3854946/; classtype:trojan-activity;sid:84718046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd1ff812-8dd9-4c3a-a78e-9bda5b2ffe17"; depth:37; endswith; nocase; http.host; content:"gwfsj.ski123.net"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854945/; 
classtype:trojan-activity;sid:84718045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.44.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854944/; classtype:trojan-activity;sid:84718044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=41579c05-28f3-4ca5-809a-cf79197cb464"; depth:47; endswith; nocase; http.host; content:"gec56eyc.pczrt.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854943/; classtype:trojan-activity;sid:84718043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.16.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854942/; classtype:trojan-activity;sid:84718042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/62424427-a4a4-4914-9053-0ab3be1f63a5"; depth:37; endswith; nocase; http.host; content:"gahay.visszateritok.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854941/; classtype:trojan-activity;sid:84718041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"125.44.16.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854940/; classtype:trojan-activity;sid:84718040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.183.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854939/; classtype:trojan-activity;sid:84718039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d6d5a86e-2b8f-4497-9e20-09f07fabd040"; depth:37; endswith; nocase; http.host; content:"eyzfh.ksfogszabalyozas.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854938/; classtype:trojan-activity;sid:84718038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.207.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854937/; classtype:trojan-activity;sid:84718037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.254.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854936/; classtype:trojan-activity;sid:84718036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3854935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.114.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854935/; classtype:trojan-activity;sid:84718035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854934/; classtype:trojan-activity;sid:84718034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af865701-e4bf-4462-9222-d47c93cc2332"; depth:37; endswith; nocase; http.host; content:"febrn.laborfotostudio.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854933/; classtype:trojan-activity;sid:84718033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854932/; classtype:trojan-activity;sid:84718032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.254.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854931/; 
classtype:trojan-activity;sid:84718031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.178.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854930/; classtype:trojan-activity;sid:84718030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.176.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854929/; classtype:trojan-activity;sid:84718029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.83.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854928/; classtype:trojan-activity;sid:84718028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.114.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854927/; classtype:trojan-activity;sid:84718027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/273e0892-e361-4cb3-8939-92155a5f924b"; depth:37; endswith; nocase; http.host; content:"akfzi.lampaoszlopbolt.hu"; 
depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854926/; classtype:trojan-activity;sid:84718026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bc6bae50-fdba-48c1-bcdb-429c08d10540"; depth:47; endswith; nocase; http.host; content:"hxoaa2b8.parossag.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854925/; classtype:trojan-activity;sid:84718025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.178.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854924/; classtype:trojan-activity;sid:84718024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854923/; classtype:trojan-activity;sid:84718023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.187.137.7"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854922/; classtype:trojan-activity;sid:84718022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854921)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.83.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854921/; classtype:trojan-activity;sid:84718021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.22.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854920/; classtype:trojan-activity;sid:84718020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854919/; classtype:trojan-activity;sid:84718019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.191.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854918/; classtype:trojan-activity;sid:84718018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.193.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854917/; classtype:trojan-activity;sid:84718017; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3df77533-10c3-4773-8de7-65d9ce5a7973"; depth:37; endswith; nocase; http.host; content:"ulyow.legrandpartnerklub.hu"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854916/; classtype:trojan-activity;sid:84718016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.196.185.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854915/; classtype:trojan-activity;sid:84718015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.196.185.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854914/; classtype:trojan-activity;sid:84718014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.bat"; depth:9; endswith; nocase; http.host; content:"we.love.servers.at.ioflood.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854911/; classtype:trojan-activity;sid:84718011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.js"; depth:8; endswith; nocase; http.host; content:"we.love.servers.at.ioflood.net"; depth:30; 
isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854912/; classtype:trojan-activity;sid:84718012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.vbs"; depth:9; endswith; nocase; http.host; content:"we.love.servers.at.ioflood.net"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854913/; classtype:trojan-activity;sid:84718013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.bat"; depth:9; endswith; nocase; http.host; content:"148.163.124.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854909/; classtype:trojan-activity;sid:84718009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.js"; depth:8; endswith; nocase; http.host; content:"148.163.124.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854910/; classtype:trojan-activity;sid:84718010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.vbs"; depth:9; endswith; nocase; http.host; content:"148.163.124.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854908/; classtype:trojan-activity;sid:84718008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854907)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854907/; classtype:trojan-activity;sid:84718007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854906/; classtype:trojan-activity;sid:84718006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854897/; classtype:trojan-activity;sid:84717997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854898/; classtype:trojan-activity;sid:84717998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854899/; classtype:trojan-activity;sid:84717999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3854900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854900/; classtype:trojan-activity;sid:84718000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854901/; classtype:trojan-activity;sid:84718001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854902/; classtype:trojan-activity;sid:84718002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854903/; classtype:trojan-activity;sid:84718003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, 
urlhaus.abuse.ch/url/3854904/; classtype:trojan-activity;sid:84718004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"45.141.26.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854905/; classtype:trojan-activity;sid:84718005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.191.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854896/; classtype:trojan-activity;sid:84717996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854895/; classtype:trojan-activity;sid:84717995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4be3eaad-7dbf-4e92-81a6-b9731b084b38"; depth:37; endswith; nocase; http.host; content:"wiwcg.lelekbuvar.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854894/; classtype:trojan-activity;sid:84717994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"112.248.186.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854893/; classtype:trojan-activity;sid:84717993; rev:1;)
# /vulcan_* file names: in this part of the feed each name is listed once for
# 146.19.213.198 and once for parisspinsnow.com.
# NOTE(review): whether the domain resolved to that address is not shown in the
# rules - confirm from DNS logs before treating the two hosts as one server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mips"; depth:12; endswith; nocase; http.host; content:"146.19.213.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854891/; classtype:trojan-activity;sid:84717991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_amd64"; depth:13; endswith; nocase; http.host; content:"parisspinsnow.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854892/; classtype:trojan-activity;sid:84717992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_386"; depth:11; endswith; nocase; http.host; content:"146.19.213.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854890/; classtype:trojan-activity;sid:84717990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm7"; depth:12; endswith; nocase; http.host; content:"146.19.213.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854881/; classtype:trojan-activity;sid:84717981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3854882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm5"; depth:12; endswith; nocase; http.host; content:"146.19.213.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854882/; classtype:trojan-activity;sid:84717982; rev:1;)
# Coverage caveat for every "alert http" rule here: the match runs on buffers
# produced by Suricata's HTTP parser, so the same URL fetched over TLS is not
# seen unless traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm5"; depth:12; endswith; nocase; http.host; content:"parisspinsnow.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854883/; classtype:trojan-activity;sid:84717983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm7"; depth:12; endswith; nocase; http.host; content:"parisspinsnow.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854884/; classtype:trojan-activity;sid:84717984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_amd64"; depth:13; endswith; nocase; http.host; content:"146.19.213.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854885/; classtype:trojan-activity;sid:84717985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mips"; depth:12; endswith; nocase; http.host; content:"parisspinsnow.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854886/;
classtype:trojan-activity;sid:84717986; rev:1;)
# Pivoting from an alert: in the rules shown here the sid equals the URLhaus
# ID from msg/reference plus 80863100 (e.g. 3854887 -> 84717987), and the
# reference keyword carries the URLhaus entry path for the same ID.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mipsle"; depth:14; endswith; nocase; http.host; content:"parisspinsnow.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854887/; classtype:trojan-activity;sid:84717987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_386"; depth:11; endswith; nocase; http.host; content:"parisspinsnow.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854888/; classtype:trojan-activity;sid:84717988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mipsle"; depth:14; endswith; nocase; http.host; content:"146.19.213.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854889/; classtype:trojan-activity;sid:84717989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm64"; depth:13; endswith; nocase; http.host; content:"146.19.213.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854879/; classtype:trojan-activity;sid:84717979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm64"; depth:13; endswith; nocase; http.host;
content:"parisspinsnow.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854880/; classtype:trojan-activity;sid:84717980; rev:1;)
# Direction: $HOME_NET -> $EXTERNAL_NET with flow:established,from_client means
# the alert marks an outbound request from a monitored host. The rule inspects
# the request only; it does not show that a payload was returned or executed.
# Triage: check the HTTP response status and file/EVE records for the same flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.245.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854878/; classtype:trojan-activity;sid:84717978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4fc813e4-e453-4e2b-82bf-143da48069fe"; depth:37; endswith; nocase; http.host; content:"ucovu.lelekszepsegstudio.hu"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854877/; classtype:trojan-activity;sid:84717977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.186.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854876/; classtype:trojan-activity;sid:84717976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.169.231.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854875/; classtype:trojan-activity;sid:84717975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3854874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=46f6b009-5a99-4da7-b896-47750edede00"; depth:47; endswith; nocase; http.host; content:"2b2eg8hr.otthonfelujitasprogram2024.hu"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854874/; classtype:trojan-activity;sid:84717974; rev:1;)
# NOTE(review), sid 84717974 (completed on the line above): the URI content
# "/|3f|ublib=<uuid>" is 44 bytes once |3f| is decoded to "?", but depth is 47.
# The depth appears to count the four characters of the "|3f|" escape instead
# of the single byte it encodes. With endswith this presumably still requires
# the content at the end of the URI but tolerates up to three extra leading
# bytes, unlike the other rules where depth equals the content length.
# depth:44 would restore the exact match; worth reporting to the feed
# maintainer, since a local edit is lost on the next ruleset update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/97d4d20d-c486-4d48-ad99-8aebcfd58cb8"; depth:37; endswith; nocase; http.host; content:"wusjo.zsatom.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854873/; classtype:trojan-activity;sid:84717973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/78a66a83-9e77-43d1-897e-9522a5165e0a"; depth:37; endswith; nocase; http.host; content:"ncgxk.visszateritok.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854872/; classtype:trojan-activity;sid:84717972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6a398c57-9c1c-4f36-8392-ce70ebccb1ce"; depth:37; endswith; nocase; http.host; content:"olakv.technologiaiviz.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854871/; classtype:trojan-activity;sid:84717971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host;
content:"202.107.69.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854870/; classtype:trojan-activity;sid:84717970; rev:1;)
# "/i" is a two-byte path. depth:2 + endswith still makes it an exact URI
# match, so a request for /i?x or /index does not hit; the IP literal in
# http.host is what distinguishes one of these rules from the next.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.101.181.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854869/; classtype:trojan-activity;sid:84717969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.9.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854868/; classtype:trojan-activity;sid:84717968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.48.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854867/; classtype:trojan-activity;sid:84717967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d87c4f2-e62f-49db-9b40-c5b1f89c8ebd"; depth:37; endswith; nocase; http.host; content:"cklrd.webrevelem.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854866/; classtype:trojan-activity;sid:84717966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854865)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.77.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854865/; classtype:trojan-activity;sid:84717965; rev:1;)
# Source and destination ports are both "any": no port is part of these
# signatures, only the http.host value and the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.179.240.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854864/; classtype:trojan-activity;sid:84717964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854863/; classtype:trojan-activity;sid:84717963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1c36e1a-62c8-4e83-9fb9-094e3abe8dde"; depth:37; endswith; nocase; http.host; content:"pyexv.yanis.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854862/; classtype:trojan-activity;sid:84717962; rev:1;)
# Same IP as sid 84717967 (42.237.48.255), here with /bin.sh instead of /i.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.48.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854861/; classtype:trojan-activity;sid:84717961; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.101.181.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854860/; classtype:trojan-activity;sid:84717960; rev:1;)
# Several IPs in this feed are listed twice, once with /i and once with
# /bin.sh (below: 222.139.110.237 with /i, 103.179.240.227 with /bin.sh).
# Each URL is a separate rule with its own sid, so one host fetching both
# paths raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.164.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854859/; classtype:trojan-activity;sid:84717959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.110.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854858/; classtype:trojan-activity;sid:84717958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.179.240.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854857/; classtype:trojan-activity;sid:84717957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.173.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url,
urlhaus.abuse.ch/url/3854856/; classtype:trojan-activity;sid:84717956; rev:1;)
# http.method content:"GET" restricts every rule here to GET requests; a HEAD
# or POST to the same host and path is not alerted by this feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.55.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854855/; classtype:trojan-activity;sid:84717955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854853/; classtype:trojan-activity;sid:84717953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.254.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854854/; classtype:trojan-activity;sid:84717954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.22.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854852/; classtype:trojan-activity;sid:84717952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14;
isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854851/; classtype:trojan-activity;sid:84717951; rev:1;)
# metadata:created_at records when the rule was generated (2026_05_28 for all
# rules in this stretch); it says nothing about whether the URL is still live.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.181.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854850/; classtype:trojan-activity;sid:84717950; rev:1;)
# Five-letter label + UUID path, the same shape as the .hu entries in this
# feed, here under wlwyb.com. Only this exact label/UUID pair is matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cae31968-5feb-4b7e-a5bf-e882433a1f9d"; depth:37; endswith; nocase; http.host; content:"ggtgi.wlwyb.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854849/; classtype:trojan-activity;sid:84717949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.110.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854848/; classtype:trojan-activity;sid:84717948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854846/; classtype:trojan-activity;sid:84717946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854847)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.55.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854847/; classtype:trojan-activity;sid:84717947; rev:1;)
# Every rule carries classtype:trojan-activity and rev:1. The missing space in
# "classtype:trojan-activity;sid:" is cosmetic; options are ';'-delimited.
# NOTE(review): alert priority is taken from the sensor's classification
# config for trojan-activity - confirm it matches local triage policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.254.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854845/; classtype:trojan-activity;sid:84717945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.173.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854844/; classtype:trojan-activity;sid:84717944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/838201a8-8dd2-4d37-a759-344d3733ef55"; depth:37; endswith; nocase; http.host; content:"apxij.zsatom.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854843/; classtype:trojan-activity;sid:84717943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.236.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854842/; classtype:trojan-activity;sid:84717942; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=ab464c53-100e-4228-bb17-d78b5956a886"; depth:47; endswith; nocase; http.host; content:"5mk6bgje.stgsolar.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854841/; classtype:trojan-activity;sid:84717941; rev:1;)
# NOTE(review), sid 84717941 (completed on the line above): "|3f|" is the hex
# escape for "?", so the URI content is 44 bytes, yet depth is 47 - apparently
# the escape was counted as four characters. With endswith the content must
# still end the URI, but up to three extra leading bytes would presumably be
# tolerated; depth:44 would make it exact like the other rules. Raise it with
# the feed maintainer rather than patching the downloaded file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.101.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854840/; classtype:trojan-activity;sid:84717940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/87716bf1-74fe-42e1-8432-227afe7ee8bc"; depth:37; endswith; nocase; http.host; content:"ocjly.visszateritok.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854839/; classtype:trojan-activity;sid:84717939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.17.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854838/; classtype:trojan-activity;sid:84717938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.189.236.127"; depth:15;
isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854837/; classtype:trojan-activity;sid:84717937; rev:1;)
# http.host is Suricata's normalized (lower-cased) host buffer, which is why
# the host contents are written in lower case and carry no nocase, while the
# http.uri contents do.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.181.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854836/; classtype:trojan-activity;sid:84717936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.13.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854835/; classtype:trojan-activity;sid:84717935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.255.44.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854834/; classtype:trojan-activity;sid:84717934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.39.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854833/; classtype:trojan-activity;sid:84717933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854832)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/57a076b3-aab4-4815-97fa-42fd12f1b699"; depth:37; endswith; nocase; http.host; content:"xjlft.visszateritok.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854832/; classtype:trojan-activity;sid:84717932; rev:1;)
# The rule completed above is a second label under visszateritok.hu (sid
# 84717972 lists ncgxk.visszateritok.hu). The feed enumerates individual
# label + UUID pairs; a label that has not been reported yet is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.13.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854831/; classtype:trojan-activity;sid:84717931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.21.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854830/; classtype:trojan-activity;sid:84717930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.113.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854829/; classtype:trojan-activity;sid:84717929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7664e16f-ca7a-4b61-8945-a8fd0f93d535"; depth:37; endswith; nocase; http.host; content:"syrzz.technologiaiviz.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854828/; classtype:trojan-activity;sid:84717928; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.167.80.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854827/; classtype:trojan-activity;sid:84717927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.22.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854826/; classtype:trojan-activity;sid:84717926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4d9a24f-ecdf-453f-9f33-cd50a932f026"; depth:37; endswith; nocase; http.host; content:"jugha.webrevelem.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854825/; classtype:trojan-activity;sid:84717925; rev:1;)
# The path content is written in lower case and paired with nocase, so the
# rule matches this file name in any letter case (e.g. /Mozi.m or /mozi.m).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.230.42.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854824/; classtype:trojan-activity;sid:84717924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.36.255"; depth:13; isdataat:!1,relative; metadata:created_at
2026_05_28; reference:url, urlhaus.abuse.ch/url/3854823/; classtype:trojan-activity;sid:84717923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e54bce3b-8738-4b9f-816a-3fa5c5e8184b"; depth:37; endswith; nocase; http.host; content:"pbwmk.wlwyb.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854822/; classtype:trojan-activity;sid:84717922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"38.226.161.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854821/; classtype:trojan-activity;sid:84717921; rev:1;)
# NOTE(review): "|3f|" is the hex escape for "?", so the URI content below is
# 44 bytes ("/" + "?" + "ublib=" + 36-char UUID), but depth is 47 - apparently
# the escape was counted as four characters. With endswith the content must
# still end the URI, yet up to three extra leading bytes would presumably be
# tolerated, unlike the neighbouring rules where depth equals the content
# length. depth:44 would make the match exact. The same pattern appears in
# sid 84717974 and sid 84717941; report upstream rather than editing locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=108c20ae-2f37-4225-a53d-ef4cb54cc586"; depth:47; endswith; nocase; http.host; content:"lpo88ruu.seresniki.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854820/; classtype:trojan-activity;sid:84717920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.165.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854819/; classtype:trojan-activity;sid:84717919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854818)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.165.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854818/; classtype:trojan-activity;sid:84717918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.165.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854817/; classtype:trojan-activity;sid:84717916; rev:1;)
# Two .exe paths on one host, 193.26.115.231. The file names resemble
# remote-support client installers, but the rules key on host + path only and
# say nothing about file content.
# NOTE(review): confirm what was served from the URLhaus entry in reference
# before labelling an alert; the generic msg text does not name a family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"193.26.115.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854816/; classtype:trojan-activity;sid:84717916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.26.115.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854815/; classtype:trojan-activity;sid:84717915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/899dcb3b-7bdb-473f-8556-3054cdc16cc1"; depth:37; endswith; nocase; http.host; content:"vbyiq.yanis.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854814/;
classtype:trojan-activity;sid:84717914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.234.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854813/; classtype:trojan-activity;sid:84717913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63c104de-63af-452f-9d62-0d5e63fe8135"; depth:37; endswith; nocase; http.host; content:"hpxqt.accredit.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854812/; classtype:trojan-activity;sid:84717912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.232.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854811/; classtype:trojan-activity;sid:84717911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.207.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854810/; classtype:trojan-activity;sid:84717910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.205.52"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854809/; classtype:trojan-activity;sid:84717909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.42.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854808/; classtype:trojan-activity;sid:84717908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.250.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854807/; classtype:trojan-activity;sid:84717907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.207.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854806/; classtype:trojan-activity;sid:84717906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3ee4530b-403c-423c-819a-fb6ca4d406d3"; depth:37; endswith; nocase; http.host; content:"amici.addmagad.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854805/; classtype:trojan-activity;sid:84717905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854804)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.234.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854804/; classtype:trojan-activity;sid:84717904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.149.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854803/; classtype:trojan-activity;sid:84717903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.4.177"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854802/; classtype:trojan-activity;sid:84717902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.250.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854801/; classtype:trojan-activity;sid:84717901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k"; depth:2; endswith; nocase; http.host; content:"193.135.9.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854800/; classtype:trojan-activity;sid:84717900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3854799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.bin"; depth:12; endswith; nocase; http.host; content:"103.45.68.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854799/; classtype:trojan-activity;sid:84717899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"103.45.68.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854798/; classtype:trojan-activity;sid:84717898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.dll"; depth:6; endswith; nocase; http.host; content:"103.45.68.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854797/; classtype:trojan-activity;sid:84717897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4e33c999-8435-4a8e-a1a1-69d1c8140539"; depth:37; endswith; nocase; http.host; content:"tpgpd.vikstore.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854796/; classtype:trojan-activity;sid:84717896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.123.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854795/; 
classtype:trojan-activity;sid:84717895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854794/; classtype:trojan-activity;sid:84717894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.160.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854793/; classtype:trojan-activity;sid:84717893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854792/; classtype:trojan-activity;sid:84717892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.148.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854791/; classtype:trojan-activity;sid:84717891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.148.66"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854790/; classtype:trojan-activity;sid:84717890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=14adf0cc-405b-4699-b140-e58d098f0a1c"; depth:47; endswith; nocase; http.host; content:"kb2lqx8d.schleer.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854789/; classtype:trojan-activity;sid:84717889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.230.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854788/; classtype:trojan-activity;sid:84717888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.145.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854787/; classtype:trojan-activity;sid:84717887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/24fdbd4a-a7ca-4351-a165-d5bac8de3bda"; depth:37; endswith; nocase; http.host; content:"xvfxe.technologiaiviz.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854786/; classtype:trojan-activity;sid:84717886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854785)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.123.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854785/; classtype:trojan-activity;sid:84717885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/certificado.exe"; depth:16; endswith; nocase; http.host; content:"178.16.54.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854784/; classtype:trojan-activity;sid:84717884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854783/; classtype:trojan-activity;sid:84717883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.48.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854782/; classtype:trojan-activity;sid:84717882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_f49922ef9bcf1f82.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854781/; 
classtype:trojan-activity;sid:84717881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.160.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854780/; classtype:trojan-activity;sid:84717880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854779/; classtype:trojan-activity;sid:84717879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854772/; classtype:trojan-activity;sid:84717872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854773/; classtype:trojan-activity;sid:84717873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"45.85.218.109"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854774/; classtype:trojan-activity;sid:84717874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854775/; classtype:trojan-activity;sid:84717875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854776/; classtype:trojan-activity;sid:84717876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854777/; classtype:trojan-activity;sid:84717877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854778/; classtype:trojan-activity;sid:84717878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854771)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854771/; classtype:trojan-activity;sid:84717871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854766/; classtype:trojan-activity;sid:84717866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854767/; classtype:trojan-activity;sid:84717867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854768/; classtype:trojan-activity;sid:84717868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854769/; classtype:trojan-activity;sid:84717869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3854770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854770/; classtype:trojan-activity;sid:84717870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.48.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854765/; classtype:trojan-activity;sid:84717865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0cbf89cd-dfed-4996-8ee6-4ef05c6ef57c"; depth:37; endswith; nocase; http.host; content:"kiouc.visszateritok.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854764/; classtype:trojan-activity;sid:84717864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.145.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854763/; classtype:trojan-activity;sid:84717863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.113.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; 
reference:url, urlhaus.abuse.ch/url/3854762/; classtype:trojan-activity;sid:84717862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4f4ec34-639c-4538-bb33-d2a2a2ee559d"; depth:37; endswith; nocase; http.host; content:"igidw.visszateritok.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854761/; classtype:trojan-activity;sid:84717861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854760/; classtype:trojan-activity;sid:84717860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.167.80.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854759/; classtype:trojan-activity;sid:84717859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.105.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854758/; classtype:trojan-activity;sid:84717858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"219.156.100.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854757/; classtype:trojan-activity;sid:84717857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854751/; classtype:trojan-activity;sid:84717851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854752/; classtype:trojan-activity;sid:84717852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854753/; classtype:trojan-activity;sid:84717853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854754/; classtype:trojan-activity;sid:84717854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854755)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854755/; classtype:trojan-activity;sid:84717855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854756/; classtype:trojan-activity;sid:84717856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854749/; classtype:trojan-activity;sid:84717849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854750/; classtype:trojan-activity;sid:84717850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.55.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854748/; classtype:trojan-activity;sid:84717848; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.55.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854747/; classtype:trojan-activity;sid:84717847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854744/; classtype:trojan-activity;sid:84717844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854745/; classtype:trojan-activity;sid:84717845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854746/; classtype:trojan-activity;sid:84717846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; 
reference:url, urlhaus.abuse.ch/url/3854743/; classtype:trojan-activity;sid:84717843; rev:1;)
# Review notes (comments only; the rule text is unchanged from the feed).
# Every rule below alerts on a client-to-server GET in an established flow from $HOME_NET to
# $EXTERNAL_NET. The http.uri content has depth equal to its own length plus endswith, and the
# http.host content has depth plus isdataat:!1,relative, so each buffer must equal the listed
# value in full; nocase follows the URI content only. A changed path, an added query string or
# a different Host value does not match: these are per-URL indicators, not broader signatures.
# NOTE(review): whether a Host header that carries an explicit port still equals the http.host
# content depends on the engine's host normalisation - confirm on the deployed Suricata version.
# 176.65.139.111 is listed with one path per name under /bins/ (arm5, x86_64, x86, arm, i686,
# mpsl, mips, ppc, spc, arm6, m68k, sh4); the names look like CPU architectures, presumably
# per-architecture builds of one payload - correlate hits by source address and Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854741/; classtype:trojan-activity;sid:84717841; rev:1;)
# The URI here (and in sids 84717829 and 84717825 below) is the two-byte path "/i"; it has no
# specificity of its own, so the exact Host match is what ties the alert to the listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854742/; classtype:trojan-activity;sid:84717842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854732/; classtype:trojan-activity;sid:84717832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854733/; classtype:trojan-activity;sid:84717833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854734/; classtype:trojan-activity;sid:84717834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854735/; classtype:trojan-activity;sid:84717835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854736/; classtype:trojan-activity;sid:84717836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854737/; classtype:trojan-activity;sid:84717837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854738/; classtype:trojan-activity;sid:84717838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854739/; classtype:trojan-activity;sid:84717839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854740/; classtype:trojan-activity;sid:84717840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854730/; classtype:trojan-activity;sid:84717830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854731/; classtype:trojan-activity;sid:84717831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.142.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854729/; classtype:trojan-activity;sid:84717829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_05e451303f19b057.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854728/; classtype:trojan-activity;sid:84717828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.100.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854727/; classtype:trojan-activity;sid:84717827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0da84ce9-7ff6-4279-90d6-1c467de99519"; depth:37; endswith; nocase; http.host; content:"hrcox.zsatom.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854726/; classtype:trojan-activity;sid:84717826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.234.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854725/; classtype:trojan-activity;sid:84717825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; 
content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854701/; classtype:trojan-activity;sid:84717801; rev:1;)
# Review notes (comments only; the rule text is unchanged from the feed).
# Each rule alerts on a client-to-server GET from $HOME_NET to $EXTERNAL_NET and requires the
# whole http.uri buffer (depth = content length, endswith, nocase) and the whole http.host
# buffer (depth, isdataat:!1,relative) to equal the listed values.
# Two hosts alternate in this run: 176.65.139.44 (paths /bins/xnxnxnxnxnxnxnxn<name>xnxn and
# /run.sh) and 176.65.139.164 (paths prefixed /jkl or /zer). The <name> parts look like CPU
# architectures, presumably per-architecture builds of one payload.
# NOTE(review): a script such as /run.sh presumably requests several of these URLs in sequence,
# so grouping alerts by source address and Host is likely more useful than handling each sid
# on its own - confirm against captured traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854702/; classtype:trojan-activity;sid:84717802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854703/; classtype:trojan-activity;sid:84717803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklarm6"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854704/; classtype:trojan-activity;sid:84717804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerx86"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854705/; classtype:trojan-activity;sid:84717805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zersh4"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854706/; classtype:trojan-activity;sid:84717806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklsh4"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854707/; classtype:trojan-activity;sid:84717807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854708/; classtype:trojan-activity;sid:84717808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854709/; classtype:trojan-activity;sid:84717809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854710/; classtype:trojan-activity;sid:84717810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854711/; classtype:trojan-activity;sid:84717811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854712/; classtype:trojan-activity;sid:84717812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854713/; classtype:trojan-activity;sid:84717813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklm68k"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854714/; classtype:trojan-activity;sid:84717814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854715/; classtype:trojan-activity;sid:84717815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerm68k"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854716/; classtype:trojan-activity;sid:84717816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854717/; classtype:trojan-activity;sid:84717817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklppc"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854718/; classtype:trojan-activity;sid:84717818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerppc"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854719/; classtype:trojan-activity;sid:84717819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklarm5"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854720/; classtype:trojan-activity;sid:84717820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklmpsl"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854721/; classtype:trojan-activity;sid:84717821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854722/; classtype:trojan-activity;sid:84717822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854723/; classtype:trojan-activity;sid:84717823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklmips"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854724/; classtype:trojan-activity;sid:84717824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklspc"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854699/; classtype:trojan-activity;sid:84717799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklx86"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854700/; classtype:trojan-activity;sid:84717800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerlarm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854698/; classtype:trojan-activity;sid:84717798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854696/; classtype:trojan-activity;sid:84717796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854697)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/zerspc"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854697/; classtype:trojan-activity;sid:84717797; rev:1;)
# Review notes (comments only; the rule text is unchanged from the feed).
# Each rule alerts on a client-to-server GET from $HOME_NET to $EXTERNAL_NET whose http.uri
# (depth, endswith, nocase) and http.host (depth, isdataat:!1,relative) match the listed values.
# The six gitlab.com rules that follow need three checks before they are relied on:
# 1) |3f| is hex notation for one byte ('?'), but each depth is three larger than the byte
#    length of its content (e.g. the a.dyno content is 54 bytes with depth:57). With endswith
#    the URI buffer can carry up to three extra leading bytes and still match; the exact-match
#    form used by the other rules would be depth 54, 52, 53, 53, 54 and 55 in rule order.
#    NOTE(review): the feed looks generated, so the fix presumably belongs in the generator.
# 2) NOTE(review): `alert http` inspects HTTP the engine can parse in clear text. gitlab.com is
#    normally reached over HTTPS, so these presumably fire only on a plain-HTTP request or
#    where TLS is decrypted before the sensor - confirm against the deployment.
# 3) The Host is a shared code-hosting domain: only the full project path makes the match
#    specific, so a hit points at the requesting client and this repository path, not at the
#    domain as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/a.dyno|3f|ref_type=heads"; depth:57; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854690/; classtype:trojan-activity;sid:84717790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/b.dyno|3f|inline=false"; depth:55; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854691/; classtype:trojan-activity;sid:84717791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/t.exe|3f|ref_type=heads"; depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854692/; classtype:trojan-activity;sid:84717792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/v.exe|3f|ref_type=heads"; depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854693/; classtype:trojan-activity;sid:84717793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/b.dyno|3f|ref_type=heads"; depth:57; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854694/; classtype:trojan-activity;sid:84717794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/ag2.bin|3f|ref_type=heads"; depth:58; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854695/; classtype:trojan-activity;sid:84717795; rev:1;)
# From here the Host is 176.65.139.41 with paths under /bins/; content length and depth agree
# again, so these are exact matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854689/; classtype:trojan-activity;sid:84717789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854687/; classtype:trojan-activity;sid:84717787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854688)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854688/; classtype:trojan-activity;sid:84717788; rev:1;)
# Review notes (comments only; the rule text is unchanged from the feed).
# Each rule alerts on a client-to-server GET from $HOME_NET to $EXTERNAL_NET and requires the
# whole http.uri buffer (depth = content length, endswith, nocase) and the whole http.host
# buffer (depth, isdataat:!1,relative) to equal the listed values, so any change to the path,
# query string or Host value is not matched.
# The first five rules are for Host 176.65.139.41 with paths under /bins/.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854682/; classtype:trojan-activity;sid:84717782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854683/; classtype:trojan-activity;sid:84717783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854684/; classtype:trojan-activity;sid:84717784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854685/; classtype:trojan-activity;sid:84717785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854686/; classtype:trojan-activity;sid:84717786; rev:1;)
# The remaining rules are all for Host 176.65.139.164. Several URIs are only two to five bytes
# long (/v, /z, /s, /f, /x86, /tot, /spc, /esf, /weed, /bork); such paths have no specificity
# of their own, so the exact Host match is what ties each alert to the listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v"; depth:2; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854680/; classtype:trojan-activity;sid:84717780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854681/; classtype:trojan-activity;sid:84717781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zxc.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854678/; classtype:trojan-activity;sid:84717778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/weed"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854679/; classtype:trojan-activity;sid:84717779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z"; depth:2; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854677/; classtype:trojan-activity;sid:84717777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phi.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854676/; classtype:trojan-activity;sid:84717776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854675/; classtype:trojan-activity;sid:84717775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tot"; depth:4; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854674/; classtype:trojan-activity;sid:84717774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854673/; classtype:trojan-activity;sid:84717773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f"; depth:2; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854670/; classtype:trojan-activity;sid:84717770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splmips"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854671/; classtype:trojan-activity;sid:84717771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/esf"; depth:4; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854672/; classtype:trojan-activity;sid:84717772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/z"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854667/; classtype:trojan-activity;sid:84717767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bork"; depth:5; endswith; 
nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854668/; classtype:trojan-activity;sid:84717768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854669/; classtype:trojan-activity;sid:84717769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854666/; classtype:trojan-activity;sid:84717766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wget.sh"; depth:13; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854665/; classtype:trojan-activity;sid:84717765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g"; depth:2; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854664/; classtype:trojan-activity;sid:84717764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854663)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ftpget.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854663/; classtype:trojan-activity;sid:84717763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854662/; classtype:trojan-activity;sid:84717762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b"; depth:2; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854661/; classtype:trojan-activity;sid:84717761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nabarm4"; depth:13; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854659/; classtype:trojan-activity;sid:84717759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nkppc"; depth:11; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854660/; classtype:trojan-activity;sid:84717760; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854657/; classtype:trojan-activity;sid:84717757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854658/; classtype:trojan-activity;sid:84717758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854636/; classtype:trojan-activity;sid:84717736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854637/; classtype:trojan-activity;sid:84717737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; 
reference:url, urlhaus.abuse.ch/url/3854638/; classtype:trojan-activity;sid:84717738; rev:1;)
# http.method is pinned to "GET" in every rule here, so the same URL requested with
# another method does not raise these alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854639/; classtype:trojan-activity;sid:84717739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854640/; classtype:trojan-activity;sid:84717740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nksh4"; depth:11; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854641/; classtype:trojan-activity;sid:84717741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm4"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854642/; classtype:trojan-activity;sid:84717742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jklarm4"; depth:13; endswith; nocase; 
http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854643/; classtype:trojan-activity;sid:84717743; rev:1;)
# In every rule shown here, sid is the URLhaus entry id plus 80863100
# (e.g. 3854644 -> 84717744), so the URLhaus entry behind an alert can be recovered
# from the sid as well as from the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zerarm4"; depth:13; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854644/; classtype:trojan-activity;sid:84717744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854645/; classtype:trojan-activity;sid:84717745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nkx86"; depth:11; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854646/; classtype:trojan-activity;sid:84717746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854647/; classtype:trojan-activity;sid:84717747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854648)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854648/; classtype:trojan-activity;sid:84717748; rev:1;)
# flow:established,from_client with $HOME_NET -> $EXTERNAL_NET: these fire on the outbound
# request from an internal client. Nothing in the rule inspects the response, so an alert
# records the download attempt and does not show whether a payload was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854649/; classtype:trojan-activity;sid:84717749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854650/; classtype:trojan-activity;sid:84717750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854651/; classtype:trojan-activity;sid:84717751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854652/; classtype:trojan-activity;sid:84717752; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854653/; classtype:trojan-activity;sid:84717753; rev:1;)
# The URI match is exact (depth = pattern length, plus endswith), so a request for the
# same path with anything appended, such as a query string, is not matched by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splm68k"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854654/; classtype:trojan-activity;sid:84717754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854655/; classtype:trojan-activity;sid:84717755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854656/; classtype:trojan-activity;sid:84717756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm7"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, 
urlhaus.abuse.ch/url/3854617/; classtype:trojan-activity;sid:84717717; rev:1;)
# "/mips" and "/ppc" are generic file names; what makes these alerts specific is the
# exact http.host match on 176.65.139.164 carried by the same rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854618/; classtype:trojan-activity;sid:84717718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854619/; classtype:trojan-activity;sid:84717719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm5"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854620/; classtype:trojan-activity;sid:84717720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerarm5"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854621/; classtype:trojan-activity;sid:84717721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splmpsl"; depth:8; endswith; nocase; http.host; 
content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854622/; classtype:trojan-activity;sid:84717722; rev:1;)
# nocase follows the http.uri pattern in each rule, so the path is compared without regard
# to letter case ("/ZERARM" matches the "/zerarm" rule); the http.host pattern carries no nocase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm6"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854623/; classtype:trojan-activity;sid:84717723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerarm7"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854624/; classtype:trojan-activity;sid:84717724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerarm"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854625/; classtype:trojan-activity;sid:84717725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854626/; classtype:trojan-activity;sid:84717726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854627)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854627/; classtype:trojan-activity;sid:84717728; rev:1;)
# Triage aid: reference:url points at the URLhaus entry for the URL, and metadata:created_at
# carries a date (presumably when the entry or rule was created).
# NOTE(review): nothing in the rule expresses expiry, so whether the URL is still live has
# to be checked against that entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splarm"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854628/; classtype:trojan-activity;sid:84717728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splspc"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854629/; classtype:trojan-activity;sid:84717729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zermpsl"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854630/; classtype:trojan-activity;sid:84717730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerarm6"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854631/; classtype:trojan-activity;sid:84717731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3854632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splx86"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854632/; classtype:trojan-activity;sid:84717732; rev:1;)
# The complete rules in this run pin http.host to 176.65.139.164; the rule that starts on
# the last line of the run pins a different host, 176.65.139.220.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splsh4"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854633/; classtype:trojan-activity;sid:84717733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zermips"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854634/; classtype:trojan-activity;sid:84717734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/splppc"; depth:7; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854635/; classtype:trojan-activity;sid:84717735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854611/; 
classtype:trojan-activity;sid:84717711; rev:1;)
# 176.65.139.22 and 176.65.139.220 are separate indicators. For the shorter value,
# depth:13 plus isdataat:!1,relative makes the host match exact, so that rule does not
# fire on a Host of 176.65.139.220.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854612/; classtype:trojan-activity;sid:84717712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854613/; classtype:trojan-activity;sid:84717713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm"; depth:13; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854614/; classtype:trojan-activity;sid:84717714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.64.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854615/; classtype:trojan-activity;sid:84717715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbg"; depth:4; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854616/; classtype:trojan-activity;sid:84717716; rev:1;)
# "/bin.sh" recurs here with different hosts and "/i" is only two bytes long; each rule
# alerts only on its exact (host, path) pair, never on the path by itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.142.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854610/; classtype:trojan-activity;sid:84717710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.238.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854608/; classtype:trojan-activity;sid:84717708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.234.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854609/; classtype:trojan-activity;sid:84717709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm5"; depth:14; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854599/; classtype:trojan-activity;sid:84717699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854600)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854600/; classtype:trojan-activity;sid:84717700; rev:1;)
# All complete rules in this run pin http.host to 176.65.139.220. The paths ("/i686",
# "/arm7", "/bins/sh4") look like per-architecture build names; that is inferred from
# the names only, the rules say nothing about the file contents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854601/; classtype:trojan-activity;sid:84717701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854602/; classtype:trojan-activity;sid:84717702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854603/; classtype:trojan-activity;sid:84717703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854604/; classtype:trojan-activity;sid:84717704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3854605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854605/; classtype:trojan-activity;sid:84717705; rev:1;)
# Long patterns follow the same exact-match scheme as the short ones: depth is the full
# pattern length (30 for the "...mipsxnxn" name, 33 for the riscv64 and aarch64 names),
# and endswith anchors the end of the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854606/; classtype:trojan-activity;sid:84717706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854607/; classtype:trojan-activity;sid:84717707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm6"; depth:14; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854597/; classtype:trojan-activity;sid:84717697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.spc"; depth:13; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; 
reference:url, urlhaus.abuse.ch/url/3854598/; classtype:trojan-activity;sid:84717698; rev:1;)
# Three hosts are interleaved in this run (176.65.139.22, 176.65.139.67 and
# 176.65.139.220); the rules are not grouped by host, so group alerts by the http.host
# value of the matching rule when reviewing them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.m68k"; depth:14; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854595/; classtype:trojan-activity;sid:84717695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854596/; classtype:trojan-activity;sid:84717696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854591/; classtype:trojan-activity;sid:84717691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854592/; classtype:trojan-activity;sid:84717692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; 
endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854593/; classtype:trojan-activity;sid:84717693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854594/; classtype:trojan-activity;sid:84717694; rev:1;)
# NOTE(review) on the gitlab.com rule below (sid 84717690):
# - "|3f|" is a single byte ("?"), so the pattern is 57 bytes while depth is 60. Up to
#   three bytes may precede the pattern, which makes this match slightly looser than the
#   exact match used by the IP-host rules; it looks as if the escape was counted as four
#   characters when depth was computed.
# - This is an "alert http" rule, so it sees cleartext HTTP only. gitlab.com is presumably
#   fetched over HTTPS, in which case the rule fires only where TLS is decrypted ahead of
#   the sensor; confirm before relying on it for coverage.
# - gitlab.com is a shared hosting platform: the indicator is the repository path in
#   http.uri, not the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/invoice.zip|3f|ref_type=heads"; depth:60; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854590/; classtype:trojan-activity;sid:84717690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854587/; classtype:trojan-activity;sid:84717687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854588/; classtype:trojan-activity;sid:84717688; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854589/; classtype:trojan-activity;sid:84717689; rev:1;)
# The "xnxn"-padded name on 176.65.139.67 gets its own rule because the URI match is
# exact: a sibling file that differs only in the embedded string needs a separate rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854585/; classtype:trojan-activity;sid:84717685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854586/; classtype:trojan-activity;sid:84717686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854578/; classtype:trojan-activity;sid:84717678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_28; reference:url, urlhaus.abuse.ch/url/3854579/; classtype:trojan-activity;sid:84717679; rev:1;)
# "/ppc" and "/x86_64" are generic names that only mean something together with the
# pinned host 176.65.139.220. The rule that starts on the last line of this run
# (URLhaus id 3854584) continues past the line wrap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854580/; classtype:trojan-activity;sid:84717680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854581/; classtype:trojan-activity;sid:84717681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854582/; classtype:trojan-activity;sid:84717682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854583/; classtype:trojan-activity;sid:84717683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854584)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hoangdepzaivcl/ccc/-/raw/main/c/umpdc.dll|3f|inline=false"; depth:58; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854584/; classtype:trojan-activity;sid:84717684; rev:1;)
# NOTE(review) on the gitlab.com rule that ends just above (sid 84717684):
# - "|3f|" is a single byte ("?"), so the pattern is 55 bytes while depth is 58; up to
#   three bytes may precede the pattern, so this match is slightly looser than the exact
#   match used by the IP-host rules below.
# - As an "alert http" rule it needs cleartext HTTP. gitlab.com is presumably served over
#   HTTPS, so the rule likely fires only behind TLS inspection; confirm.
# - The host is a shared platform; the indicator is the repository path in http.uri.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854575/; classtype:trojan-activity;sid:84717675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.mips"; depth:14; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854576/; classtype:trojan-activity;sid:84717676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854577/; classtype:trojan-activity;sid:84717677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854557/; classtype:trojan-activity;sid:84717657; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.mpsl"; depth:14; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854558/; classtype:trojan-activity;sid:84717658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.ppc"; depth:13; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854559/; classtype:trojan-activity;sid:84717659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854560/; classtype:trojan-activity;sid:84717660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm7"; depth:14; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854561/; classtype:trojan-activity;sid:84717661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_28; reference:url, urlhaus.abuse.ch/url/3854562/; classtype:trojan-activity;sid:84717662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.12.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854563/; classtype:trojan-activity;sid:84717663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adb.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854564/; classtype:trojan-activity;sid:84717664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854565/; classtype:trojan-activity;sid:84717665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854566/; classtype:trojan-activity;sid:84717666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.spc"; depth:8; endswith; nocase; http.host; 
content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854567/; classtype:trojan-activity;sid:84717667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854568/; classtype:trojan-activity;sid:84717668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854569/; classtype:trojan-activity;sid:84717669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854570/; classtype:trojan-activity;sid:84717670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854571/; classtype:trojan-activity;sid:84717671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3854572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854572/; classtype:trojan-activity;sid:84717672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854573/; classtype:trojan-activity;sid:84717673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854574/; classtype:trojan-activity;sid:84717674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cat.sh"; depth:12; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854556/; classtype:trojan-activity;sid:84717656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.sh4"; depth:13; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854554/; 
classtype:trojan-activity;sid:84717654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854555/; classtype:trojan-activity;sid:84717655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.x86"; depth:13; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854552/; classtype:trojan-activity;sid:84717652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854553/; classtype:trojan-activity;sid:84717653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854545/; classtype:trojan-activity;sid:84717645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854546/; classtype:trojan-activity;sid:84717646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854547/; classtype:trojan-activity;sid:84717647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854548/; classtype:trojan-activity;sid:84717648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854549/; classtype:trojan-activity;sid:84717649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854550/; classtype:trojan-activity;sid:84717650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854551)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dlr.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854551/; classtype:trojan-activity;sid:84717651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854544/; classtype:trojan-activity;sid:84717644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.42.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854543/; classtype:trojan-activity;sid:84717643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2db55997-ff39-4599-9c03-2f14ad03e180"; depth:37; endswith; nocase; http.host; content:"hfikf.webrevelem.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854542/; classtype:trojan-activity;sid:84717642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/loader.zip|3f|ref_type=heads"; depth:59; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854541/; 
classtype:trojan-activity;sid:84717641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/fqxwnir05yr2"; depth:19; endswith; nocase; http.host; content:"tempshare.su"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854540/; classtype:trojan-activity;sid:84717640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/dk.zip|3f|ref_type=heads"; depth:55; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854538/; classtype:trojan-activity;sid:84717638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/test.zip|3f|ref_type=heads"; depth:57; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854539/; classtype:trojan-activity;sid:84717639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/s/s.exe|3f|ref_type=heads"; depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854536/; classtype:trojan-activity;sid:84717636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854537)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/vcruntime140.dll|3f|ref_type=heads"; depth:65; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854537/; classtype:trojan-activity;sid:84717637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/br.exe|3f|ref_type=heads"; depth:57; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854527/; classtype:trojan-activity;sid:84717627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/dk2.zip|3f|ref_type=heads"; depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854528/; classtype:trojan-activity;sid:84717628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/c.exe|3f|ref_type=heads"; depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854529/; classtype:trojan-activity;sid:84717629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/c/c.exe|3f|ref_type=heads"; 
depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854530/; classtype:trojan-activity;sid:84717630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/a.zip|3f|ref_type=heads"; depth:54; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854531/; classtype:trojan-activity;sid:84717631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/sd.exe|3f|ref_type=heads"; depth:57; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854532/; classtype:trojan-activity;sid:84717632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/r.zip|3f|ref_type=heads"; depth:54; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854533/; classtype:trojan-activity;sid:84717633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/sno.exe|3f|ref_type=heads"; depth:58; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, 
urlhaus.abuse.ch/url/3854534/; classtype:trojan-activity;sid:84717634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/d/b.exe|3f|ref_type=heads"; depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854535/; classtype:trojan-activity;sid:84717635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/s/demo.exe|3f|ref_type=heads"; depth:59; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854524/; classtype:trojan-activity;sid:84717624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/c/c.exe|3f|inline=false"; depth:54; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854525/; classtype:trojan-activity;sid:84717625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/b/b.exe|3f|ref_type=heads"; depth:56; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854526/; classtype:trojan-activity;sid:84717626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3854519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/umpdc.dll|3f|ref_type=heads"; depth:58; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854519/; classtype:trojan-activity;sid:84717619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/c/umpdc.dll|3f|ref_type=heads"; depth:60; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854520/; classtype:trojan-activity;sid:84717620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/icudt63.dll|3f|ref_type=heads"; depth:60; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854521/; classtype:trojan-activity;sid:84717621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/b/umpdc.dll|3f|ref_type=heads"; depth:60; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854522/; classtype:trojan-activity;sid:84717622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854523)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hoangdepzaivcl/ccc/-/raw/main/d/umpdc.dll|3f|ref_type=heads"; depth:60; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854523/; classtype:trojan-activity;sid:84717623; rev:1;)
# NOTE(review): Suricata expects each rule on one physical line (or with backslash
# continuations). The rule text at the top and bottom of this span is wrapped across
# lines and must be rejoined before the file is loaded.
#
# How these signatures match: http.uri content + depth + endswith pins the request URI
# to the listed path and query, and http.host content + depth + isdataat:!1,relative
# pins the Host value to exactly the listed name or address. An alert therefore means a
# client in $HOME_NET issued a GET for that specific URL, not merely that it contacted
# the host.
#
# NOTE(review): depth is the length of the escaped pattern text, not of the decoded
# bytes ("|3f|" counts as 4 characters but is 1 byte). For the rule below, depth is 57
# and the decoded pattern is 54 bytes, so with endswith up to 3 leading bytes are
# tolerated. Low impact, but worth knowing when reading the anchors.
#
# NOTE(review): gitlab.com and drive.usercontent.google.com are normally reached over
# HTTPS. "alert http" only sees requests Suricata can parse in the clear, so without TLS
# decryption upstream of the sensor these rules will presumably stay silent. tls.sni can
# identify the host but not the path, so on a shared platform it is no substitute for
# these path-specific matches. Consider matching the same URLs in proxy or endpoint
# telemetry as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/c/demo.exe|3f|inline=false"; depth:57; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854516/; classtype:trojan-activity;sid:84717616; rev:1;)
# NOTE(review): "|7c|26|7c|" decodes to the four literal bytes |26| (0x7c is the pipe
# character), whereas a query-string separator on the wire is a single "&" (0x26). This
# looks like "&" was hex-escaped to |26| and the pipes were then escaped a second time.
# As written, this rule presumably cannot match a request for the URL it references;
# verify against the URLhaus entry. The same pattern appears in sid 84717615 and
# sid 84717614 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/1.zip|3f|ref_type=heads|7c|26|7c|inline=false"; depth:76; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854517/; classtype:trojan-activity;sid:84717617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/jajaja/umpdc.dll|3f|ref_type=heads"; depth:65; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854518/; classtype:trojan-activity;sid:84717618; rev:1;)
# Two "|7c|26|7c|" sequences in this URI pattern; see the note on sid 84717617 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|id=1m9ujcruela6f-mvxjmznsktxdbef-ryv|7c|26|7c|export=download|7c|26|7c|authuser=0"; depth:94; endswith; nocase; http.host; content:"drive.usercontent.google.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854515/; classtype:trojan-activity;sid:84717615; rev:1;)
# Same "|7c|26|7c|" separator issue as sid 84717617.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoangdepzaivcl/ccc/-/raw/main/pulsar.sln|3f|ref_type=heads|7c|26|7c|inline=false"; depth:81; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854514/; classtype:trojan-activity;sid:84717614; rev:1;)
# The next two rules pin an IP-literal Host value. They match only when the client
# addresses the server by that exact IP in the Host header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_855aa1dda650d7c3.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854513/; classtype:trojan-activity;sid:84717613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.15.124.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854512/; classtype:trojan-activity;sid:84717612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=5c64133e-3a4b-4023-8190-4d1c5acbf9aa"; depth:47; endswith; nocase; http.host; content:"p5f6dr8y.padelconstruct.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url,
urlhaus.abuse.ch/url/3854511/; classtype:trojan-activity;sid:84717611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.13.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854510/; classtype:trojan-activity;sid:84717610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e17ba43e-388d-4b0a-a33c-6b3791df1330"; depth:37; endswith; nocase; http.host; content:"gptjr.visszateritok.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854509/; classtype:trojan-activity;sid:84717609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.91.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854508/; classtype:trojan-activity;sid:84717608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.230.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854507/; classtype:trojan-activity;sid:84717607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e73a9f1c-6303-4bad-bc8e-b9eb408a220a"; 
depth:37; endswith; nocase; http.host; content:"zhxtq.visszateritok.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854506/; classtype:trojan-activity;sid:84717606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.200.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854505/; classtype:trojan-activity;sid:84717605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.91.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854504/; classtype:trojan-activity;sid:84717604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.200.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854503/; classtype:trojan-activity;sid:84717603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.60.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854502/; classtype:trojan-activity;sid:84717602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854501)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f99ab23b-06a2-4854-a391-7671809bbcc1"; depth:37; endswith; nocase; http.host; content:"igyom.technologiaiviz.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854501/; classtype:trojan-activity;sid:84717601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.109.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854500/; classtype:trojan-activity;sid:84717600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.166.221.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854499/; classtype:trojan-activity;sid:84717599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.201.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854498/; classtype:trojan-activity;sid:84717598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.125.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854497/; classtype:trojan-activity;sid:84717597; rev:1;) 
# Rule anatomy (every rule in this feed follows the same template):
#   - `alert http $HOME_NET any -> $EXTERNAL_NET any` with `flow:established,from_client`:
#     only client requests leaving the protected network, and only where Suricata has
#     parsed the stream as HTTP. A download over TLS is not visible to these rules
#     unless the traffic is decrypted before the sensor.
#   - `http.method; content:"GET"`: the request method must contain GET.
#   - `http.uri; content:"<path>"; depth:<len>; endswith; nocase`: depth equals the content
#     length and `endswith` pins the match to the end of the buffer, so the whole URI must
#     equal <path> (case-insensitive). A request with extra query parameters does not match.
#   - `http.host; content:"<host>"; depth:<len>; isdataat:!1,relative`: no byte may follow
#     the match, so the whole host buffer must equal <host>.
#   - The number in `msg` is the URLhaus entry ID and also appears in `reference`; in the
#     rules shown here `sid` is that ID plus 80863100, which allows an alert to be traced
#     back to the feed entry.
#   - `metadata:created_at` records when the entry was added; it can be used to age out
#     old indicators, since hosts on such lists tend to be short-lived or reassigned.
# The last rule of this group continues on the following line of the listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.166.209.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854496/; classtype:trojan-activity;sid:84717596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854495/; classtype:trojan-activity;sid:84717595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab22851d-fd74-470b-aaa7-d979e9ccb886"; depth:37; endswith; nocase; http.host; content:"uswai.vikstore.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854494/; classtype:trojan-activity;sid:84717594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.109.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854493/; classtype:trojan-activity;sid:84717593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.13.16"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_05_28; reference:url, urlhaus.abuse.ch/url/3854492/; classtype:trojan-activity;sid:84717592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.62.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854491/; classtype:trojan-activity;sid:84717591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.201.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854490/; classtype:trojan-activity;sid:84717590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.186.231.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854489/; classtype:trojan-activity;sid:84717589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.82.111.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854488/; classtype:trojan-activity;sid:84717588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3489fa83-0770-4118-a33c-310fcc21d1fa"; depth:37; 
endswith; nocase; http.host; content:"mrlls.aileadfactory.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854487/; classtype:trojan-activity;sid:84717587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.22.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854486/; classtype:trojan-activity;sid:84717586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.186.231.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854485/; classtype:trojan-activity;sid:84717585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.66.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854484/; classtype:trojan-activity;sid:84717584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.82.111.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854483/; classtype:trojan-activity;sid:84717583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854482)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.9.35.137"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854482/; classtype:trojan-activity;sid:84717582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4c7dcdde-ee62-448f-95c6-d297b8b850e3"; depth:37; endswith; nocase; http.host; content:"cajya.addmagad.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854481/; classtype:trojan-activity;sid:84717581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.125.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854480/; classtype:trojan-activity;sid:84717580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.176.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854479/; classtype:trojan-activity;sid:84717579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.64.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854478/; classtype:trojan-activity;sid:84717578; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.155.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854477/; classtype:trojan-activity;sid:84717577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.176.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854476/; classtype:trojan-activity;sid:84717576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.200.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854475/; classtype:trojan-activity;sid:84717575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854474/; classtype:trojan-activity;sid:84717574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.9.35.137"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, 
urlhaus.abuse.ch/url/3854473/; classtype:trojan-activity;sid:84717573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854463/; classtype:trojan-activity;sid:84717563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854464/; classtype:trojan-activity;sid:84717564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854465/; classtype:trojan-activity;sid:84717565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854466/; classtype:trojan-activity;sid:84717566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; 
http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854467/; classtype:trojan-activity;sid:84717567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854468/; classtype:trojan-activity;sid:84717568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shcript.sh"; depth:11; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854469/; classtype:trojan-activity;sid:84717569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854470/; classtype:trojan-activity;sid:84717570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854471/; classtype:trojan-activity;sid:84717571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854472)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854472/; classtype:trojan-activity;sid:84717572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"boatbeach.online"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854462/; classtype:trojan-activity;sid:84717562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.187.137.7"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854461/; classtype:trojan-activity;sid:84717561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3a9cdd3b-9bb1-45f2-8fad-80c77805dadb"; depth:37; endswith; nocase; http.host; content:"snonc.accredit.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854460/; classtype:trojan-activity;sid:84717560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"148.170.135.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854459/; 
classtype:trojan-activity;sid:84717559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.155.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854458/; classtype:trojan-activity;sid:84717558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.66.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854457/; classtype:trojan-activity;sid:84717557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.238.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854456/; classtype:trojan-activity;sid:84717556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.41.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854455/; classtype:trojan-activity;sid:84717555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6458715c-380a-49d1-b680-4621ee8bc4b0"; depth:37; endswith; nocase; http.host; 
content:"dkhgk.zaszlorudbolt.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854454/; classtype:trojan-activity;sid:84717554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"148.170.135.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854453/; classtype:trojan-activity;sid:84717553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.99.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854452/; classtype:trojan-activity;sid:84717552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854451/; classtype:trojan-activity;sid:84717551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.254.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854450/; classtype:trojan-activity;sid:84717550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854449)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.41.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854449/; classtype:trojan-activity;sid:84717549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35167c62-3437-46f7-808b-bacd88cd8306"; depth:37; endswith; nocase; http.host; content:"vggil.yanis.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854448/; classtype:trojan-activity;sid:84717548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.165.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854447/; classtype:trojan-activity;sid:84717547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854446/; classtype:trojan-activity;sid:84717546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.149.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854445/; classtype:trojan-activity;sid:84717545; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.240.165.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854444/; classtype:trojan-activity;sid:84717544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d369551b73a17113.msi"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854443/; classtype:trojan-activity;sid:84717543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.255.44.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854442/; classtype:trojan-activity;sid:84717542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"5.255.102.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854441/; classtype:trojan-activity;sid:84717541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"5.255.102.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, 
urlhaus.abuse.ch/url/3854440/; classtype:trojan-activity;sid:84717540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7118a056-2ee6-4bd6-a0b6-6a5ce2a68090"; depth:37; endswith; nocase; http.host; content:"xawur.workoutwithdorci.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854439/; classtype:trojan-activity;sid:84717539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854438/; classtype:trojan-activity;sid:84717538; rev:1;)
# `|3f|` is hex notation for the single byte "?", so the decoded content below is 44 bytes.
# NOTE(review): depth:47 matches the length of the escaped text, not of the decoded bytes.
# With `endswith` the rule still requires the URI to end in this string, but it tolerates
# up to 3 extra leading bytes, so it is slightly looser than the exact-match form used by
# the rules without hex escapes. Looks like the generator counts characters before decoding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=021cb5cc-7d5e-4dce-bd9a-e29f73661662"; depth:47; endswith; nocase; http.host; content:"2vmkhs7s.riherino.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854437/; classtype:trojan-activity;sid:84717537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.240.165.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854436/; classtype:trojan-activity;sid:84717536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854435)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854435/; classtype:trojan-activity;sid:84717535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.108.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854434/; classtype:trojan-activity;sid:84717534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.200.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854433/; classtype:trojan-activity;sid:84717533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f60efd87-ce39-4480-8b2c-64d3f1a81a37"; depth:37; endswith; nocase; http.host; content:"afnsw.wlwyb.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854432/; classtype:trojan-activity;sid:84717532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.70.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854431/; classtype:trojan-activity;sid:84717531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3854430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.244.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854430/; classtype:trojan-activity;sid:84717530; rev:1;)
# `|3f|` is hex notation for "?". `|7c|` is hex notation for the pipe character, so
# `|7c|26|7c|` decodes to the four literal bytes `|26|`, not to the byte 0x26 ("&").
# NOTE(review): this looks like a double-escaped "&" from the rule generator. If the listed
# URL separates its parameters with "&", this content cannot match that request and the rule
# is silent for this entry. Confirm against the URLhaus entry named in `reference`.
# depth:63 is the length of the escaped text; the decoded content is 54 bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"admin.hbdhfijnsgjnds.top"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854429/; classtype:trojan-activity;sid:84717529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854428/; classtype:trojan-activity;sid:84717528; rev:1;)
# NOTE(review): the decoded content below is 44 bytes (`|3f|` is one byte), but depth is 47,
# the length of the escaped text. With `endswith` the URI must still end in this string,
# yet up to 3 extra leading bytes are tolerated, so the match is not strictly exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=71d3fa29-5500-4960-9af8-03a286b27f0d"; depth:47; endswith; nocase; http.host; content:"g6zaqd6k.schleer.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854427/; classtype:trojan-activity;sid:84717527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.230.117.179"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854426/; classtype:trojan-activity;sid:84717526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.244.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854425/; classtype:trojan-activity;sid:84717525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2351f3ab-b686-481a-8851-3581f1c0e4ae"; depth:37; endswith; nocase; http.host; content:"miixn.wilhelmglobal.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854424/; classtype:trojan-activity;sid:84717524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.230.117.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854423/; classtype:trojan-activity;sid:84717523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.148.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854422/; classtype:trojan-activity;sid:84717522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854421)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.45.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854421/; classtype:trojan-activity;sid:84717521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854420/; classtype:trojan-activity;sid:84717520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854419/; classtype:trojan-activity;sid:84717519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854418/; classtype:trojan-activity;sid:84717518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.108.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854417/; classtype:trojan-activity;sid:84717517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3854416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9264b5e0-3b45-4b1c-90e2-88163780329b"; depth:37; endswith; nocase; http.host; content:"yjkjr.westinvesteuropa.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854416/; classtype:trojan-activity;sid:84717516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.64.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854415/; classtype:trojan-activity;sid:84717515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.148.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854414/; classtype:trojan-activity;sid:84717514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.76.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854413/; classtype:trojan-activity;sid:84717513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.125.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854412/; 
classtype:trojan-activity;sid:84717512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.181.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854411/; classtype:trojan-activity;sid:84717511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.72.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854410/; classtype:trojan-activity;sid:84717510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854409/; classtype:trojan-activity;sid:84717509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_f82e3c02c153f34c.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854408/; classtype:trojan-activity;sid:84717508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cf023057-c5f4-40c4-ad45-80df6993e956"; depth:37; endswith; nocase; 
http.host; content:"hwujn.welovevent.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854407/; classtype:trojan-activity;sid:84717507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.79.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854406/; classtype:trojan-activity;sid:84717506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.72.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854405/; classtype:trojan-activity;sid:84717505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.ashx"; depth:11; endswith; nocase; http.host; content:"azurenetfiles.net"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854404/; classtype:trojan-activity;sid:84717504; rev:1;)
# NOTE(review): sid 84717503 matches a URL on a shared hosting service (drive.google.com), so only
# the full Host + URI pair is the indicator; the host on its own is not.
# - `alert http` needs the request in cleartext. This host is normally reached over HTTPS, so the
#   rule fires only where the sensor sees decrypted traffic; confirm for your deployment.
# - `|7c|26|7c|` decodes to the four literal bytes `|26|`, not to `&` (0x26). This looks like a
#   double-escaped `&` from the feed generator; if so, a request carrying `&id=` will not match.
#   Verify against the URLhaus entry named in the rule's reference.
# - depth:68 is the length of the escaped pattern text; the decoded pattern is 59 bytes, so
#   depth + endswith lets the pattern begin up to 9 bytes into http.uri instead of forcing an
#   exact URI match as in the rules whose depth equals the pattern length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=14anap4vh2de4bcbl0hej1xdo25edli0w"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854403/; classtype:trojan-activity;sid:84717503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3854402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.125.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854402/; classtype:trojan-activity;sid:84717502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.97.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854401/; classtype:trojan-activity;sid:84717501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8ff8ae87-f176-4531-a5de-767bbf9e743a"; depth:37; endswith; nocase; http.host; content:"elsms.webgondozas.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854400/; classtype:trojan-activity;sid:84717500; rev:1;)
# NOTE(review): sid 84717499 targets a file in a repository on github.com, a shared platform:
# the Host + URI pair is the indicator, the host alone is not.
# - `alert http` only sees cleartext requests. github.com is normally served over HTTPS, so
#   expect this rule to fire only behind TLS inspection; confirm for your deployment.
# - The URI is the `/blob/` path exactly as listed (depth equals the pattern length, plus
#   endswith). Whether a fetch of the same file through another path or host is covered is
#   not established by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tekinohore/tekirat/blob/main/itsukamirat.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854399/; classtype:trojan-activity;sid:84717499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_493059e7d0c25c4e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854396/; classtype:trojan-activity;sid:84717496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_145a9d07fe09fc20.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854397/; classtype:trojan-activity;sid:84717497; rev:1;)
# NOTE(review): sid 84717498 is a second github.com `/blob/` URL; the same caveats apply as for
# sid 84717499 above (shared host, cleartext-only visibility of `alert http`).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enmadorokuro625-ui/medapp/blob/main/setup.bat"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854398/; classtype:trojan-activity;sid:84717498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7e4df19583e6a8e7.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854392/; classtype:trojan-activity;sid:84717492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7df0584ffde92dad.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854393/; classtype:trojan-activity;sid:84717493; rev:1;)
alert http $HOME_NET any
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_6d302aeaf98e0e26.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854394/; classtype:trojan-activity;sid:84717494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_4505eed11e44ee10.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854395/; classtype:trojan-activity;sid:84717495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.x86"; depth:20; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854387/; classtype:trojan-activity;sid:84717487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.m68k"; depth:21; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854388/; classtype:trojan-activity;sid:84717488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.arm5"; depth:21; endswith; nocase; 
http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854389/; classtype:trojan-activity;sid:84717489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.ppc"; depth:20; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854390/; classtype:trojan-activity;sid:84717490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.sh4"; depth:20; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854391/; classtype:trojan-activity;sid:84717491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.mpsl"; depth:21; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854385/; classtype:trojan-activity;sid:84717485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.arm"; depth:20; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854386/; classtype:trojan-activity;sid:84717486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3854382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.mips"; depth:21; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854382/; classtype:trojan-activity;sid:84717482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.arm6"; depth:21; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854383/; classtype:trojan-activity;sid:84717483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.arm7"; depth:21; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854384/; classtype:trojan-activity;sid:84717484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854381/; classtype:trojan-activity;sid:84717481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.arc"; depth:20; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; 
reference:url, urlhaus.abuse.ch/url/3854374/; classtype:trojan-activity;sid:84717474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.x86_64"; depth:23; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854375/; classtype:trojan-activity;sid:84717475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.i686"; depth:21; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854376/; classtype:trojan-activity;sid:84717476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.mips64"; depth:23; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854377/; classtype:trojan-activity;sid:84717477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854378/; classtype:trojan-activity;sid:84717478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854379)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854379/; classtype:trojan-activity;sid:84717479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854380/; classtype:trojan-activity;sid:84717480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uranium/uranium.sparc"; depth:22; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854373/; classtype:trojan-activity;sid:84717473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"177.86.229.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854372/; classtype:trojan-activity;sid:84717472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.64.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854371/; classtype:trojan-activity;sid:84717471; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.79.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854370/; classtype:trojan-activity;sid:84717470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.147.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854369/; classtype:trojan-activity;sid:84717469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well/random.exe"; depth:16; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854368/; classtype:trojan-activity;sid:84717468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.43.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854367/; classtype:trojan-activity;sid:84717467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.2.95"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, 
urlhaus.abuse.ch/url/3854366/; classtype:trojan-activity;sid:84717466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.181.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854365/; classtype:trojan-activity;sid:84717465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8d688e0a-1f07-4db9-8544-68bd018259df"; depth:37; endswith; nocase; http.host; content:"siase.webermann.hu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854364/; classtype:trojan-activity;sid:84717464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"177.86.229.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854363/; classtype:trojan-activity;sid:84717463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.2.95"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854362/; classtype:trojan-activity;sid:84717462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"42.6.248.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854361/; classtype:trojan-activity;sid:84717461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.35.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854360/; classtype:trojan-activity;sid:84717460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.77.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854359/; classtype:trojan-activity;sid:84717459; rev:1;)
# NOTE(review): sid 84717458 — `|3f|` decodes to a single byte (`?`), so the decoded URI pattern
# is 44 bytes while depth is 47 (the length of the escaped pattern text). Combined with
# `endswith`, the pattern may begin up to 3 bytes into http.uri rather than only at offset 0.
# The rules here without hex escapes use a depth equal to the pattern length, which makes the
# URI match exact; this one is slightly looser than that template.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=5dab695a-9c2c-4779-8aec-0e5f8baf20ab"; depth:47; endswith; nocase; http.host; content:"2718gc20.seresniki.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854358/; classtype:trojan-activity;sid:84717458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854357/; classtype:trojan-activity;sid:84717457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3854356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.5.249"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854356/; classtype:trojan-activity;sid:84717456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06b752c5-c9f4-4312-841a-66a147c5fefc"; depth:37; endswith; nocase; http.host; content:"dqgrg.vrtigo.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854355/; classtype:trojan-activity;sid:84717455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.77.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854354/; classtype:trojan-activity;sid:84717454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.248.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854353/; classtype:trojan-activity;sid:84717453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854352/; classtype:trojan-activity;sid:84717452; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.254.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854351/; classtype:trojan-activity;sid:84717451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.104.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854350/; classtype:trojan-activity;sid:84717450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ad7bd207-8d54-46d0-94c8-d1156f22e21b"; depth:37; endswith; nocase; http.host; content:"gbhij.vilagom.hu"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854349/; classtype:trojan-activity;sid:84717449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.35.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854348/; classtype:trojan-activity;sid:84717448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.85.53"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_05_28; reference:url, urlhaus.abuse.ch/url/3854347/; classtype:trojan-activity;sid:84717447; rev:1;)
# Reviewer notes for the rules below. They are laid out one rule per line. The
# fragment above and the trailing "alert http" at the end belong to rules that
# continue outside this excerpt and are left exactly as found.
#
# Match logic shared by every rule in this excerpt:
#   - flow:established,from_client with http.method "GET": a client-side GET on
#     an established flow from $HOME_NET to $EXTERNAL_NET.
#   - http.uri content + depth + endswith: the pattern must sit at the end of
#     the URI buffer and inside its first <depth> bytes. Where depth equals the
#     pattern length this means the URI equals the string, compared without
#     regard to case (nocase). A request carrying an extra query string or path
#     segment does not match.
#   - http.host content + depth + isdataat:!1,relative: the host buffer must
#     equal the listed name or address, with nothing after it.
#
# Bookkeeping: in every rule shown here, sid = URLhaus id (in msg and reference)
# + 80863100, and metadata:created_at carries the listing date (2026_05_28 down
# to 2026_05_27 in this excerpt), which is the field to use when ageing entries out.
#
# Coverage caveats for whoever deploys this:
#   - These are http rules using HTTP sticky buffers, so they only evaluate
#     traffic Suricata parses as HTTP; the same URL fetched over TLS is not seen
#     unless the sensor inspects decrypted traffic.
#   - The action is alert; nothing here drops traffic.
#   - Direction relies on $HOME_NET / $EXTERNAL_NET being defined correctly.
#   - Several addresses are listed twice, once for "/i" and once for "/bin.sh"
#     (for example 42.235.87.104 and 115.61.118.156), so one client may raise
#     two different sids for the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.5.249"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854346/; classtype:trojan-activity;sid:84717446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.252.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854345/; classtype:trojan-activity;sid:84717445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.87.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854344/; classtype:trojan-activity;sid:84717444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/006c94e2-9c2f-4246-8771-49312d121304"; depth:37; endswith; nocase; http.host; content:"ycnvr.vikstore.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854343/; classtype:trojan-activity;sid:84717443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.223.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854342/; classtype:trojan-activity;sid:84717442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.104.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854341/; classtype:trojan-activity;sid:84717441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.73.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854340/; classtype:trojan-activity;sid:84717440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.87.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854339/; classtype:trojan-activity;sid:84717439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.118.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854338/; classtype:trojan-activity;sid:84717438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9aeb35c5-ee7c-4edf-ae00-c387a3219ee1"; depth:37; endswith; nocase; http.host; content:"vorro.vigaf.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854337/; classtype:trojan-activity;sid:84717437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.223.193"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854336/; classtype:trojan-activity;sid:84717436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.204.201"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854335/; classtype:trojan-activity;sid:84717435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.85.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854334/; classtype:trojan-activity;sid:84717434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.118.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854333/; classtype:trojan-activity;sid:84717433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.118.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854332/; classtype:trojan-activity;sid:84717432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.101.181.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854331/; classtype:trojan-activity;sid:84717431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.10.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854330/; classtype:trojan-activity;sid:84717430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.250.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854329/; classtype:trojan-activity;sid:84717429; rev:1;)
# The next five rules share the host 209.200.246.153 and differ only in the
# /main_<suffix> path (mips, arm, arm5, mpsl, x86). The suffixes look like
# per-architecture builds of one payload (inferred from the names only), so an
# alert on any one of these sids is a reason to review the same client for the
# other four.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"209.200.246.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854324/; classtype:trojan-activity;sid:84717424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"209.200.246.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854325/; classtype:trojan-activity;sid:84717425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"209.200.246.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854326/; classtype:trojan-activity;sid:84717426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"209.200.246.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854327/; classtype:trojan-activity;sid:84717427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"209.200.246.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854328/; classtype:trojan-activity;sid:84717428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2cfeb8f-7d34-47f2-835e-087faf8183a9"; depth:37; endswith; nocase; http.host; content:"pyzoi.ceremoniavezeto.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854323/; classtype:trojan-activity;sid:84717423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.166.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854322/; classtype:trojan-activity;sid:84717422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.204.201"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854321/; classtype:trojan-activity;sid:84717420; rev:1;)
# NOTE(review): |3f| is the hex escape for "?", so the decoded pattern in the
# next rule ("/?ublib=" plus a 36-character id) is 44 bytes, while depth:47
# equals the length of the escaped rule text. With endswith this still requires
# the URI to end in the pattern, but it tolerates up to three leading bytes in
# front of it; depth:44 would make it an exact match like the other rules.
# Detection of the listed URL is unaffected. The same applies to the rules for
# 3854285 and 3854252 further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=2cbc0fec-ff00-46a5-be37-e0d3144b7366"; depth:47; endswith; nocase; http.host; content:"7orku7ut.taxrundo.sk"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854320/; classtype:trojan-activity;sid:84717420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.166.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854319/; classtype:trojan-activity;sid:84717419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.140.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854318/; classtype:trojan-activity;sid:84717418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.250.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854317/; classtype:trojan-activity;sid:84717417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.101.181.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854316/; classtype:trojan-activity;sid:84717416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69fa3392-0e6c-41aa-ad7f-bacbbbb9373f"; depth:37; endswith; nocase; http.host; content:"ooeet.cannaturalgroup.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854315/; classtype:trojan-activity;sid:84717415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.105.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854314/; classtype:trojan-activity;sid:84717414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.118.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854313/; classtype:trojan-activity;sid:84717413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.105.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854312/; classtype:trojan-activity;sid:84717412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.110.210"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854311/; classtype:trojan-activity;sid:84717411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.75.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854310/; classtype:trojan-activity;sid:84717410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.140.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854309/; classtype:trojan-activity;sid:84717409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/22a5bb62-8fab-46d7-8219-c34720bf5b59"; depth:37; endswith; nocase; http.host; content:"xosum.butoralberlet.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854308/; classtype:trojan-activity;sid:84717408; rev:1;)
# Two rules for one host (38.79.154.87) and one directory; only the file suffix
# differs (.arm / .arm7).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.arm"; depth:25; endswith; nocase; http.host; content:"38.79.154.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854306/; classtype:trojan-activity;sid:84717406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.arm7"; depth:26; endswith; nocase; http.host; content:"38.79.154.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854307/; classtype:trojan-activity;sid:84717407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854305/; classtype:trojan-activity;sid:84717405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.13.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854304/; classtype:trojan-activity;sid:84717404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.37.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854303/; classtype:trojan-activity;sid:84717403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.201.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854302/; classtype:trojan-activity;sid:84717402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ad46eee6-7297-4f37-a642-267b965edf5a"; depth:37; endswith; nocase; http.host; content:"gvsob.buborekjatszohaz.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854301/; classtype:trojan-activity;sid:84717401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.242.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854300/; classtype:trojan-activity;sid:84717400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.156.208.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854299/; classtype:trojan-activity;sid:84717399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.37.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854298/; classtype:trojan-activity;sid:84717398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854297/; classtype:trojan-activity;sid:84717397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.13.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854296/; classtype:trojan-activity;sid:84717396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.116.75.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854295/; classtype:trojan-activity;sid:84717395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.231.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854294/; classtype:trojan-activity;sid:84717394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/005621e6-914d-4872-a253-9ceff3a6962e"; depth:37; endswith; nocase; http.host; content:"oyazs.brssolar.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854293/; classtype:trojan-activity;sid:84717393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854292/; classtype:trojan-activity;sid:84717392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.54.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854291/; classtype:trojan-activity;sid:84717391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.109.81.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854290/; classtype:trojan-activity;sid:84717390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"150.116.75.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854289/; classtype:trojan-activity;sid:84717389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854288/; classtype:trojan-activity;sid:84717388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cac4a6c9-f3a8-4e9e-be63-7de2e84344e4"; depth:37; endswith; nocase; http.host; content:"mfvea.bognartransport.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854287/; classtype:trojan-activity;sid:84717387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.86.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854286/; classtype:trojan-activity;sid:84717386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b463bd29-39ca-493f-8b84-43a2709f2a9f"; depth:47; endswith; nocase; http.host; content:"y4hvadqo.taxrundo.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854285/; classtype:trojan-activity;sid:84717385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.54.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854284/; classtype:trojan-activity;sid:84717384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.76.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854283/; classtype:trojan-activity;sid:84717383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854282/; classtype:trojan-activity;sid:84717382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a2875854-f58a-4d23-98e4-6ee026a4d3c4"; depth:37; endswith; nocase; http.host; content:"mtuvm.akonyvelod.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854281/; classtype:trojan-activity;sid:84717381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854280/; classtype:trojan-activity;sid:84717380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854279/; classtype:trojan-activity;sid:84717379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.80.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854278/; classtype:trojan-activity;sid:84717378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.76.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854277/; classtype:trojan-activity;sid:84717377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2fcdb899-5518-4970-86ab-8da8cd7ccd8c"; depth:37; endswith; nocase; http.host; content:"burwu.akonyvelod.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854276/; classtype:trojan-activity;sid:84717376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_28; reference:url, urlhaus.abuse.ch/url/3854275/; classtype:trojan-activity;sid:84717375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.64.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854274/; classtype:trojan-activity;sid:84717374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4f995fb6-d47a-48ce-aae3-1e238857ce88"; depth:37; endswith; nocase; http.host; content:"owqrh.akonyvelod.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854273/; classtype:trojan-activity;sid:84717373; rev:1;)
# The next eleven rules share the host 83.142.209.67: ten /main_<suffix> paths
# plus /shcript.sh. As with the earlier /main_* group, the suffixes look like
# per-architecture builds (inferred from the names only); correlate alerts
# across these sids per client rather than triaging each one in isolation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854272/; classtype:trojan-activity;sid:84717372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854262/; classtype:trojan-activity;sid:84717362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854263/; classtype:trojan-activity;sid:84717363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854264/; classtype:trojan-activity;sid:84717364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854265/; classtype:trojan-activity;sid:84717365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shcript.sh"; depth:11; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854266/; classtype:trojan-activity;sid:84717366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854267/; classtype:trojan-activity;sid:84717367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854268/; classtype:trojan-activity;sid:84717368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854269/; classtype:trojan-activity;sid:84717369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854270/; classtype:trojan-activity;sid:84717370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854271/; classtype:trojan-activity;sid:84717371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.80.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854261/; classtype:trojan-activity;sid:84717361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.171.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854260/; classtype:trojan-activity;sid:84717360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.64.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854259/; classtype:trojan-activity;sid:84717359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.55.203.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854258/; classtype:trojan-activity;sid:84717358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fc3af604-8905-468d-b8b8-3b2212f3f7d0"; depth:37; endswith; nocase; http.host; content:"utwli.almasiklima.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854257/; classtype:trojan-activity;sid:84717357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"139.218.43.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854256/; classtype:trojan-activity;sid:84717356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.124.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854255/; classtype:trojan-activity;sid:84717355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.143.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854254/; classtype:trojan-activity;sid:84717354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854253/; classtype:trojan-activity;sid:84717353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=8cc3f2c1-fa75-494e-aac4-19fe60ee20d0"; depth:47; endswith; nocase; http.host; content:"4dfx0u7r.stgsolar.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854252/; classtype:trojan-activity;sid:84717352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"139.218.43.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854251/; classtype:trojan-activity;sid:84717351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.143.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854250/; classtype:trojan-activity;sid:84717350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854249/; classtype:trojan-activity;sid:84717349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.34.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854248/; classtype:trojan-activity;sid:84717348; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.117.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854247/; classtype:trojan-activity;sid:84717347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8c5337eb-b174-42f5-868b-406456f29212"; depth:37; endswith; nocase; http.host; content:"tukwp.bni-ai.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854246/; classtype:trojan-activity;sid:84717346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.78.35.70"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854245/; classtype:trojan-activity;sid:84717345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.250.17.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854244/; classtype:trojan-activity;sid:84717344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/508c2e6f-f27e-435b-aeb2-d0c26b7a6718"; depth:37; endswith; nocase; http.host; content:"saxjb.bninolimit.com"; depth:20; 
isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854243/; classtype:trojan-activity;sid:84717343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.22.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854242/; classtype:trojan-activity;sid:84717342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.250.17.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854241/; classtype:trojan-activity;sid:84717341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.22.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854240/; classtype:trojan-activity;sid:84717340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.225.58.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854239/; classtype:trojan-activity;sid:84717339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"221.14.37.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854238/; classtype:trojan-activity;sid:84717338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.243.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854237/; classtype:trojan-activity;sid:84717337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.37.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854236/; classtype:trojan-activity;sid:84717336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.33.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854235/; classtype:trojan-activity;sid:84717335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1ccd458f-fd9b-46d3-bb0f-46d2c4a79496"; depth:37; endswith; nocase; http.host; content:"vlhxe.bognartransport.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854234/; classtype:trojan-activity;sid:84717334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3854233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.33.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854233/; classtype:trojan-activity;sid:84717333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.79.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854232/; classtype:trojan-activity;sid:84717332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.248.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854231/; classtype:trojan-activity;sid:84717331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=86070a2b-b8c6-47ac-9016-fd461811ef17"; depth:47; endswith; nocase; http.host; content:"s9fsvyxk.seresniki.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854230/; classtype:trojan-activity;sid:84717330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.243.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854229/; 
classtype:trojan-activity;sid:84717329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.33.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854228/; classtype:trojan-activity;sid:84717328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4f884129-2bb5-439b-8c14-1bb19a1e1b24"; depth:37; endswith; nocase; http.host; content:"ogoba.bohochal.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854227/; classtype:trojan-activity;sid:84717327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.79.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854226/; classtype:trojan-activity;sid:84717326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.117.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854225/; classtype:trojan-activity;sid:84717325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svchost.vbs"; depth:12; endswith; nocase; http.host; 
content:"91.92.42.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854224/; classtype:trojan-activity;sid:84717324; rev:1;)
# The line above is the tail of a rule that begins on the preceding line of the file.
#
# Rules in this run use one template: an HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri
# ends with the listed pattern (content + depth + endswith, nocase) and whose http.host equals the
# listed value (content + depth:<len> + isdataat:!1,relative allows no trailing bytes).
# sid is the URLhaus id from msg plus 80863100, which gives a direct pivot to the reference URL.
#
# NOTE(review): gitlab.com and firebasestorage.googleapis.com are shared hosting platforms that
# are normally reached over HTTPS. "alert http" only evaluates traffic Suricata parses as HTTP,
# so these rules presumably fire only where TLS is decrypted upstream of the sensor — confirm
# sensor placement. The indicator is the full URI; the host alone is not malicious.
#
# NOTE(review): seven gitlab.com URIs below read "/-/raw/main<file>.txt" with no "/" after
# "main" (sids 84717321, 84717316, 84717318, 84717319, 84717310, 84717308, 84717309), while
# sid 84717315 has "/-/raw/main/tumfuf.txt". This may be how the URLs were reported; verify
# against the URLhaus entries before relying on those seven for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.x86"; depth:15; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854222/; classtype:trojan-activity;sid:84717322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.arm5n"; depth:17; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854223/; classtype:trojan-activity;sid:84717323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainclass.txt"; depth:102; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854221/; classtype:trojan-activity;sid:84717321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainpure31agosto.txt"; depth:109; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854216/; classtype:trojan-activity;sid:84717316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/envifa.vbs"; depth:11; endswith; nocase; http.host; content:"188.126.90.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854217/; classtype:trojan-activity;sid:84717317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainnuevo_documento_de_texto.txt"; depth:121; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854218/; classtype:trojan-activity;sid:84717318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainpurelogbase.txt"; depth:108; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854219/; classtype:trojan-activity;sid:84717319; rev:1;)
# NOTE(review): in the URI pattern below, |7c|26|7c| decodes to the four literal bytes "|26|",
# not to '&' (0x26). It looks as if the '&' of the reported URL was hex-escaped and the pipes
# were then escaped a second time; as written the rule only matches a URI that contains the
# text "|26|", so it appears unable to match "?alt=media&token=...". depth:117 is the length of
# the escaped text rather than of the decoded pattern. Verify against the URLhaus entry.
# The pattern also contains a literal "%2f" while http.uri is the normalized URI buffer —
# presumably worth checking with a replayed request, or against http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/rodriakd-8413d.appspot.com/o/dll%2fmsbuild.txt|3f|alt=media|7c|26|7c|token=984ee921-1647-4fd6-a4df-ef3e9fea927b"; depth:117; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854220/; classtype:trojan-activity;sid:84717320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proceso.vbs"; depth:12; endswith; nocase; http.host; content:"91.92.42.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854212/; classtype:trojan-activity;sid:84717312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener1.vbs"; depth:14; endswith; nocase; http.host; content:"91.92.42.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854213/; classtype:trojan-activity;sid:84717313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener2.vbs"; depth:14; endswith; nocase; http.host; content:"188.126.90.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854214/; classtype:trojan-activity;sid:84717314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/main/tumfuf.txt"; depth:104; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854215/; classtype:trojan-activity;sid:84717315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/mainx31agosto.txt"; depth:106; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854210/; classtype:trojan-activity;sid:84717310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"91.92.42.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854211/; classtype:trojan-activity;sid:84717311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/main31agosto.txt"; depth:105; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854208/; classtype:trojan-activity;sid:84717308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notificaciones-judiciales-rama-judicial-colombia1/rama-judicial-del-poder-publico/-/raw/maintumfuf.txt"; depth:103; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854209/; classtype:trojan-activity;sid:84717309; rev:1;)
# The rule started below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854203)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/akiru.m68k"; depth:16; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854203/; classtype:trojan-activity;sid:84717303; rev:1;)
# The line above is the tail of a rule that begins on the preceding line of the file.
#
# Rules in this run use one template: an HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri
# is pinned to the listed path (content + depth:<len> + endswith, nocase) and whose http.host
# equals the listed value (content + depth:<len> + isdataat:!1,relative allows no trailing bytes).
# sid is the URLhaus id from msg plus 80863100.
#
# All rules here except sid 84717300 key on host 89.190.156.61 and a path under /bins/
# ("akiru.<suffix>", "dlr.<suffix>", "loader"); the suffixes look like CPU architecture names.
# Because one host is covered by many single-URL rules, grouping alerts by http.host during
# triage shows whether a client fetched one file or walked the whole set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.spc"; depth:15; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854204/; classtype:trojan-activity;sid:84717304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm7"; depth:14; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854205/; classtype:trojan-activity;sid:84717305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.arm7"; depth:16; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854206/; classtype:trojan-activity;sid:84717306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.mpsl"; depth:16; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854207/; classtype:trojan-activity;sid:84717307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/loader"; depth:12; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854189/; classtype:trojan-activity;sid:84717289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.sh4"; depth:15; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854190/; classtype:trojan-activity;sid:84717290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.i686"; depth:16; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854191/; classtype:trojan-activity;sid:84717291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm5"; depth:14; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854192/; classtype:trojan-activity;sid:84717292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.spc"; depth:13; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854193/; classtype:trojan-activity;sid:84717293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.mips"; depth:14; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854194/; classtype:trojan-activity;sid:84717294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.x86_64"; depth:18; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854195/; classtype:trojan-activity;sid:84717295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm6"; depth:14; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854196/; classtype:trojan-activity;sid:84717296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.sh4"; depth:13; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854197/; classtype:trojan-activity;sid:84717297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.arm"; depth:15; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854198/; classtype:trojan-activity;sid:84717298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.arm"; depth:13; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854199/; classtype:trojan-activity;sid:84717299; rev:1;)
# The one rule in this run for a different host and path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.225.58.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854200/; classtype:trojan-activity;sid:84717300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.arm6"; depth:16; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854201/; classtype:trojan-activity;sid:84717301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.x86"; depth:13; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854202/; classtype:trojan-activity;sid:84717302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.m68k"; depth:14; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854184/; classtype:trojan-activity;sid:84717284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.ppc"; depth:15; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854185/; classtype:trojan-activity;sid:84717285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.ppc"; depth:13; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854186/; classtype:trojan-activity;sid:84717286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/akiru.mips"; depth:16; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854187/; classtype:trojan-activity;sid:84717287; rev:1;)
# The rule started below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.mpsl"; depth:14; endswith; nocase; http.host; content:"89.190.156.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, 
urlhaus.abuse.ch/url/3854188/; classtype:trojan-activity;sid:84717288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_bda03f73cdea7e4e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854183/; classtype:trojan-activity;sid:84717283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system1.vbs"; depth:12; endswith; nocase; http.host; content:"64.89.160.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854182/; classtype:trojan-activity;sid:84717282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cabeto850128/comicsam/refs/heads/main/kisbj4ddvg.pif"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854181/; classtype:trojan-activity;sid:84717281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system2.vbs"; depth:12; endswith; nocase; http.host; content:"64.89.160.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854178/; classtype:trojan-activity;sid:84717278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854179)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/cabeto850128/comicsam/refs/heads/main/cdbhhfa.html"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854179/; classtype:trojan-activity;sid:84717279; rev:1;)
# NOTE(review): sid 84717280 - the http.uri pattern contains |7c|26|7c|, which decodes to
# the four literal bytes "|26|" (0x7c is the pipe character), not to "&" (0x26). This looks
# like a double-escaped "&" from the feed generator; if so, the rule cannot match a request
# whose query string is "?alt=media&token=...". Confirm against the URLhaus entry and
# report upstream rather than patching locally (feed updates would overwrite a local fix).
# NOTE(review): depth:124 is the character count of the escaped pattern text; the decoded
# pattern is 115 bytes, so here depth plus endswith does not pin the match to offset 0 the
# way it does in the sibling rules, where depth equals the pattern length.
# NOTE(review): the pattern carries literal %2f and %20. http.uri is Suricata's normalized
# URI buffer; whether percent-escapes survive normalization depends on the libhtp settings,
# so verify with a test request, or compare against http.uri.raw - TODO confirm.
# Coverage caveat: "alert http" only sees traffic parsed as cleartext HTTP. Hosts such as
# firebasestorage.googleapis.com and raw.githubusercontent.com are normally fetched over
# TLS, so without TLS inspection in front of the sensor these rules are unlikely to fire;
# back them with proxy or endpoint URL logs. Host-only blocking is not an option for
# shared platforms like these.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/rodriakd-8413d.appspot.com/o/dll%2f1%20link%20dll.txt|3f|alt=media|7c|26|7c|token=e7389ad2-4ad9-4fb7-bf60-2a502bbb6c6c"; depth:124; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854180/; classtype:trojan-activity;sid:84717280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system.vbs"; depth:11; endswith; nocase; http.host; content:"64.89.160.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854177/; classtype:trojan-activity;sid:84717277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8a62e1f9-5dca-4435-8a65-5ae7ab614b5d"; depth:37; endswith; nocase; http.host; content:"kqfna.bonuszugynokseg.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854176/; classtype:trojan-activity;sid:84717276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host;
content:"42.233.147.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854175/; classtype:trojan-activity;sid:84717275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1/enix.r"; depth:10; endswith; nocase; http.host; content:"153.80.242.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854174/; classtype:trojan-activity;sid:84717274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawk.r"; depth:7; endswith; nocase; http.host; content:"nitrogateway.digital"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854173/; classtype:trojan-activity;sid:84717273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vzuk.ocx"; depth:9; endswith; nocase; http.host; content:"153.80.242.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854169/; classtype:trojan-activity;sid:84717269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vzuk.ocx"; depth:9; endswith; nocase; http.host; content:"nitrogateway.digital"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854170/; classtype:trojan-activity;sid:84717270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854171)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1/enix.r"; depth:10; endswith; nocase; http.host; content:"nitrogateway.digital"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854171/; classtype:trojan-activity;sid:84717271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xawk.r"; depth:7; endswith; nocase; http.host; content:"153.80.242.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854172/; classtype:trojan-activity;sid:84717272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.183.128.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854167/; classtype:trojan-activity;sid:84717267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.230.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854168/; classtype:trojan-activity;sid:84717268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.71.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854166/; classtype:trojan-activity;sid:84717266; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/share/officeclicktorun.exe"; depth:27; endswith; nocase; http.host; content:"20.96.177.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854165/; classtype:trojan-activity;sid:84717265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_25_05_2026.lnk"; depth:32; endswith; nocase; http.host; content:"65.20.105.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854163/; classtype:trojan-activity;sid:84717263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hailbot.elf"; depth:12; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854164/; classtype:trojan-activity;sid:84717264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"65.20.105.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854162/; classtype:trojan-activity;sid:84717262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cv/msedge.exe"; depth:14; endswith; nocase; http.host; content:"13.36.168.159"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854156/; classtype:trojan-activity;sid:84717256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/ghy/refs/heads/main/kkardsd.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854157/; classtype:trojan-activity;sid:84717257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slaytonms/ab/refs/heads/main/adkksfa.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854158/; classtype:trojan-activity;sid:84717258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/kl/refs/heads/main/mkfpiik.txt"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854159/; classtype:trojan-activity;sid:84717259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"65.20.105.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854160/; classtype:trojan-activity;sid:84717260; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"65.20.105.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854161/; classtype:trojan-activity;sid:84717261; rev:1;)
# NOTE(review): sids 84717250 and 84717253 match the literal text "%20%281%29" in http.uri
# (the percent-encoded form of " (1)"). http.uri is the normalized URI buffer; if the
# sensor's libhtp settings decode percent-escapes in the path, the buffer holds " (1)"
# and these two rules will not match. Verify with a replayed request, or compare against
# http.uri.raw - TODO confirm for the deployed Suricata version.
# In each rule below depth equals the pattern length and is paired with endswith (URI) or
# isdataat:!1,relative (host), so the match is on the whole URI and the whole host value,
# for GET requests only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cv/system32/agent.x64%20%281%29.bin"; depth:36; endswith; nocase; http.host; content:"13.36.168.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854150/; classtype:trojan-activity;sid:84717250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cv/package.bin"; depth:15; endswith; nocase; http.host; content:"13.36.168.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854151/; classtype:trojan-activity;sid:84717251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cv/system32/beacon_x64.bin"; depth:27; endswith; nocase; http.host; content:"13.36.168.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854152/; classtype:trojan-activity;sid:84717252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cv/system32/agent2.x64%20%281%29.bin"; depth:37; endswith; nocase; http.host; content:"13.36.168.159";
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854153/; classtype:trojan-activity;sid:84717253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cv/package2.bin"; depth:16; endswith; nocase; http.host; content:"13.36.168.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854154/; classtype:trojan-activity;sid:84717254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cv/system32/beacon2_x64.bin"; depth:28; endswith; nocase; http.host; content:"13.36.168.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854155/; classtype:trojan-activity;sid:84717255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/job/refs/heads/main/fhhkmoo.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854148/; classtype:trojan-activity;sid:84717248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.97.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854149/; classtype:trojan-activity;sid:84717249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3854147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/ap/refs/heads/main/kdmmnri.txt"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854147/; classtype:trojan-activity;sid:84717247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slaytonms/gt/refs/heads/main/djkpodd.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854146/; classtype:trojan-activity;sid:84717246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slaytonms/nb/refs/heads/main/srdmaik.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854142/; classtype:trojan-activity;sid:84717242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slaytonms/hy/refs/heads/main/cabdcfo.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854143/; classtype:trojan-activity;sid:84717243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slaytonms/df/refs/heads/main/oicajon.txt"; depth:41; 
endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854144/; classtype:trojan-activity;sid:84717244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slaytonms/hi/refs/heads/main/peokjfs.txt"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854145/; classtype:trojan-activity;sid:84717245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854133/; classtype:trojan-activity;sid:84717233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854134/; classtype:trojan-activity;sid:84717234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854135/; classtype:trojan-activity;sid:84717235; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854136/; classtype:trojan-activity;sid:84717236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854137/; classtype:trojan-activity;sid:84717237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854138/; classtype:trojan-activity;sid:84717238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854139/; classtype:trojan-activity;sid:84717239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854140/; classtype:trojan-activity;sid:84717240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854141/; classtype:trojan-activity;sid:84717241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854130/; classtype:trojan-activity;sid:84717230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854131/; classtype:trojan-activity;sid:84717231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"50.56.159.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854132/; classtype:trojan-activity;sid:84717232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854129)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.159.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854129/; classtype:trojan-activity;sid:84717229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.arm7"; depth:15; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854122/; classtype:trojan-activity;sid:84717222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.amd64"; depth:16; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854123/; classtype:trojan-activity;sid:84717223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.ppc64"; depth:16; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854124/; classtype:trojan-activity;sid:84717224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.arm5"; depth:15; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854125/; classtype:trojan-activity;sid:84717225; rev:1;) 
# Generated URLhaus IOC rules, one per listed URL. Each rule alerts on an established
# client-to-server HTTP flow from $HOME_NET to $EXTERNAL_NET where:
#   - http.method contains "GET";
#   - http.uri equals the listed path: depth is the pattern length and endswith anchors
#     the end of the buffer, with nocase on the path;
#   - http.host equals the listed host: depth is the pattern length and
#     isdataat:!1,relative requires that no byte follows the match.
# The number in msg and in the reference URL is the URLhaus entry id; metadata:created_at
# records when the rule was generated.
# Operational caveats: these are exact-match indicators, so any change of path, host or
# method on the serving side is not covered, and traffic that Suricata does not parse as
# cleartext HTTP is not inspected. Treat a hit as high-confidence for that URL; treat the
# absence of hits as no evidence either way.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.mips"; depth:15; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854126/; classtype:trojan-activity;sid:84717226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife-bot"; depth:14; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854127/; classtype:trojan-activity;sid:84717227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.mipsle"; depth:17; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854128/; classtype:trojan-activity;sid:84717228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.arm6"; depth:15; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854119/; classtype:trojan-activity;sid:84717219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.386"; depth:14; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative;
metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854120/; classtype:trojan-activity;sid:84717220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.mips64"; depth:17; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854121/; classtype:trojan-activity;sid:84717221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.147.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854113/; classtype:trojan-activity;sid:84717213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.s390x"; depth:16; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854114/; classtype:trojan-activity;sid:84717214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.arm64"; depth:16; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854115/; classtype:trojan-activity;sid:84717215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854116)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/wife.ppc64le"; depth:18; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854116/; classtype:trojan-activity;sid:84717216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.mips64le"; depth:19; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854117/; classtype:trojan-activity;sid:84717217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.riscv64"; depth:18; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854118/; classtype:trojan-activity;sid:84717218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wife.loong64"; depth:18; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854112/; classtype:trojan-activity;sid:84717212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/loader.sh"; depth:15; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854110/; classtype:trojan-activity;sid:84717210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3854111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854111/; classtype:trojan-activity;sid:84717211; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for the rules below (one rule per line).
#
# What each rule matches:
#   - an HTTP request sent by a $HOME_NET client to $EXTERNAL_NET on an
#     established flow (flow:established,from_client) with method GET;
#   - http.uri: content + depth:<pattern length> + endswith pins the pattern to
#     the start and the end of the buffer, i.e. the URI must equal the listed
#     string; nocase applies to this URI content only;
#   - http.host: content + depth:<pattern length> + isdataat:!1,relative does
#     the same for the host, which is written lower-case in every rule.
# The number in msg and in the reference URL is the URLhaus entry id; in the
# rules visible here sid = entry id + 80863100.
#
# Limits a consumer of this feed should keep in mind:
#   - the http protocol keyword means only requests Suricata can parse as HTTP
#     are inspected; a download over TLS is not seen unless it is decrypted
#     upstream of the sensor;
#   - host and URI are exact indicators, so the same host serving a different
#     path, or the same path on a new host, does not alert;
#   - the action is alert, and the rule looks at the request only: an alert
#     shows that an internal client asked for the URL, not that the download
#     succeeded. Confirm with the HTTP response and the endpoint before
#     treating the host as infected.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/761207d2-e403-4d7e-aa7e-d9cdcb8dafbf"; depth:37; endswith; nocase; http.host; content:"dpkrz.boutiqbar.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854109/; classtype:trojan-activity;sid:84717209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/img_20260527_082143_803.png"; depth:31; endswith; nocase; http.host; content:"malqen.life"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854108/; classtype:trojan-activity;sid:84717208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.70.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854106/; classtype:trojan-activity;sid:84717206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.156.208.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854107/; classtype:trojan-activity;sid:84717207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d2182cb-9cb4-4e68-839a-5cfa8dd7a030"; depth:37; endswith; nocase; http.host; content:"hwhza.brandbuilder.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854105/; classtype:trojan-activity;sid:84717205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.183.128.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854104/; classtype:trojan-activity;sid:84717204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.8.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854103/; classtype:trojan-activity;sid:84717203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.189.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854102/; classtype:trojan-activity;sid:84717202; rev:1;)
# The next nine rules share one host and use paths named after CPU
# architectures (m68k, mips, x86, i686, ppc, x86_64, spc, mpsl, sh4);
# presumably one build of the same payload per architecture - confirm against
# the referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854100/; classtype:trojan-activity;sid:84717200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854101/; classtype:trojan-activity;sid:84717201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854094/; classtype:trojan-activity;sid:84717194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854095/; classtype:trojan-activity;sid:84717195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854096/; classtype:trojan-activity;sid:84717196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854097/; classtype:trojan-activity;sid:84717197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854098/; classtype:trojan-activity;sid:84717198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854099/; classtype:trojan-activity;sid:84717199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854093/; classtype:trojan-activity;sid:84717193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.159.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854092/; classtype:trojan-activity;sid:84717192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3128548b360e043a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854091/; classtype:trojan-activity;sid:84717191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/09eb6f88-5a2c-49e2-bb09-a18c8dce16cd"; depth:37; endswith; nocase; http.host; content:"moxii.brssolar.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854090/; classtype:trojan-activity;sid:84717190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mipsel"; depth:17; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854087/; classtype:trojan-activity;sid:84717187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.powerpc"; depth:18; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854088/; classtype:trojan-activity;sid:84717188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv5l"; depth:17; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854089/; classtype:trojan-activity;sid:84717189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.i686"; depth:15; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854085/; classtype:trojan-activity;sid:84717185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv6l"; depth:17; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854086/; classtype:trojan-activity;sid:84717186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854071/; classtype:trojan-activity;sid:84717171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854072/; classtype:trojan-activity;sid:84717172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854073/; classtype:trojan-activity;sid:84717173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854074/; classtype:trojan-activity;sid:84717174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854075/; classtype:trojan-activity;sid:84717175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854076/; classtype:trojan-activity;sid:84717176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854077/; classtype:trojan-activity;sid:84717177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854078/; classtype:trojan-activity;sid:84717178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854079/; classtype:trojan-activity;sid:84717179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.i586"; depth:15; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854080/; classtype:trojan-activity;sid:84717180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.x86_64"; depth:17; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854081/; classtype:trojan-activity;sid:84717181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854082/; classtype:trojan-activity;sid:84717182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854083/; classtype:trojan-activity;sid:84717183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.sh4"; depth:14; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854084/; classtype:trojan-activity;sid:84717184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv4l"; depth:17; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854069/; classtype:trojan-activity;sid:84717169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"api.ddenv.site"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854070/; classtype:trojan-activity;sid:84717170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mips"; depth:15; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854068/; classtype:trojan-activity;sid:84717168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv7l"; depth:17; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854067/; classtype:trojan-activity;sid:84717167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nova.sh"; depth:8; endswith; nocase; http.host; content:"nova.podril1ak2.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854066/; classtype:trojan-activity;sid:84717166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_b314a5b92cad7945.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854063/; classtype:trojan-activity;sid:84717163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e78c57fc414ef9d6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854064/; classtype:trojan-activity;sid:84717164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3189730eb8536284.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854065/; classtype:trojan-activity;sid:84717165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a0ce04a1-5903-41e2-a2c8-498e2a2ce0ad"; depth:37; endswith; nocase; http.host; content:"ulpin.brssolar.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854062/; classtype:trojan-activity;sid:84717162; rev:1;)
# NOTE(review): in the next rule |3f| is the hex escape for "?" and encodes one
# byte, so the URI pattern is 44 bytes long while depth is 47 (the length of
# the pattern as typed). The pattern may therefore begin up to three bytes into
# the URI; endswith still pins the end. This is slightly looser than the
# exact-match form of the other rules; depth:44 would restore it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=14afd51a-6e12-4177-8360-6c1803824a97"; depth:47; endswith; nocase; http.host; content:"h89kbhtt.schleer.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854061/; classtype:trojan-activity;sid:84717161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.252.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854060/; classtype:trojan-activity;sid:84717160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.146.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854059/; classtype:trojan-activity;sid:84717159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854058/; classtype:trojan-activity;sid:84717158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.159.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854057/; classtype:trojan-activity;sid:84717157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.112.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854056/; classtype:trojan-activity;sid:84717156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854055/; classtype:trojan-activity;sid:84717155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a7170539-aeaf-4941-af91-70556592b5a1"; depth:37; endswith; nocase; http.host; content:"vafcj.buborekjatszohaz.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854054/; classtype:trojan-activity;sid:84717154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.5.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854053/; classtype:trojan-activity;sid:84717153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.116.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854052/; classtype:trojan-activity;sid:84717152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.189.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854051/; classtype:trojan-activity;sid:84717151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d080caac829757bf.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854050/; classtype:trojan-activity;sid:84717150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854049/; classtype:trojan-activity;sid:84717149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.21.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854048/; classtype:trojan-activity;sid:84717148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/39b14918-1457-435f-b2ce-04f079d00ad2"; depth:37; endswith; nocase; http.host; content:"bvabf.budapesthandmade.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854047/; classtype:trojan-activity;sid:84717147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.112.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854046/; classtype:trojan-activity;sid:84717146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/down/api/javae"; depth:18; endswith; nocase; http.host; content:"download.logltech.workers.dev"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854045/; classtype:trojan-activity;sid:84717145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/down/api/kworker"; depth:20; endswith; nocase; http.host; content:"download.logltech.workers.dev"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854044/; classtype:trojan-activity;sid:84717144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/down/api/cb.txt"; depth:19; endswith; nocase; http.host; content:"download.logltech.workers.dev"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854043/; classtype:trojan-activity;sid:84717143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.86.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854042/; classtype:trojan-activity;sid:84717142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.116.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854041/; classtype:trojan-activity;sid:84717141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.100.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854040/; classtype:trojan-activity;sid:84717140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a665ccf-93a5-4eca-8139-a515f6d1ec37"; depth:37; endswith; nocase; http.host; content:"eujvn.business360.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854039/; classtype:trojan-activity;sid:84717139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.5.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854038/; classtype:trojan-activity;sid:84717138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.89.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854037/; classtype:trojan-activity;sid:84717137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.30.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854036/; classtype:trojan-activity;sid:84717136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.89.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854035/; classtype:trojan-activity;sid:84717135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854034/; classtype:trojan-activity;sid:84717134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.96.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854033/; classtype:trojan-activity;sid:84717133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27078e7d-17f3-401a-b989-cb7365e8add4"; depth:37; endswith; nocase; http.host; content:"kqekr.butoralberlet.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854032/; classtype:trojan-activity;sid:84717132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.193.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854031/; classtype:trojan-activity;sid:84717131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.36.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854030/; classtype:trojan-activity;sid:84717130; rev:1;)
# NOTE(review): |3f| ("?") is one byte, so this URI pattern is 44 bytes while
# depth is 47; up to three bytes may precede the pattern, endswith pins the end.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b32393a0-395d-466c-9ba6-ea459dd2bef6"; depth:47; endswith; nocase; http.host; content:"rwxe9b0g.riherino.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854029/; classtype:trojan-activity;sid:84717129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.155.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854028/; classtype:trojan-activity;sid:84717128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854027/; classtype:trojan-activity;sid:84717127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mips"; depth:15; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854026/; classtype:trojan-activity;sid:84717126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854025/; classtype:trojan-activity;sid:84717125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv4l"; depth:17; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854023/; classtype:trojan-activity;sid:84717123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.i586"; depth:15; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854024/; classtype:trojan-activity;sid:84717124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.x86_64"; depth:17; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854022/; classtype:trojan-activity;sid:84717122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv7l"; depth:17; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854016/; classtype:trojan-activity;sid:84717116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.powerpc"; depth:18; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854017/; classtype:trojan-activity;sid:84717117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mipsel"; depth:17; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854018/; classtype:trojan-activity;sid:84717118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.i686"; depth:15; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854019/; classtype:trojan-activity;sid:84717119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv5l"; depth:17; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854020/; classtype:trojan-activity;sid:84717120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv6l"; depth:17; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854021/; classtype:trojan-activity;sid:84717121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nova.sh"; depth:8; endswith; nocase; http.host; content:"176.65.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854015/; classtype:trojan-activity;sid:84717115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dec"; depth:4; endswith; nocase; http.host; content:"95.182.98.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854013/; classtype:trojan-activity;sid:84717113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dec"; depth:4; endswith; nocase; http.host; content:"46.8.70.117"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854014/; classtype:trojan-activity;sid:84717114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854012)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.193.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854012/; classtype:trojan-activity;sid:84717112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00ff738b-1c03-4a90-a2e4-62d337019bf9"; depth:37; endswith; nocase; http.host; content:"gbowm.cannatural.cz"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854011/; classtype:trojan-activity;sid:84717111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854010/; classtype:trojan-activity;sid:84717110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"95.182.98.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854008/; classtype:trojan-activity;sid:84717108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"46.8.70.117"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854009/; classtype:trojan-activity;sid:84717109; rev:1;) 
# URLhaus download-URL signatures dated 2026_05_27 (metadata:created_at), one rule per line.
# Each rule pairs a fixed request path with a fixed Host value on an outbound HTTP GET.
# Triage notes:
#  - An alert shows that a client inside $HOME_NET requested the URL. It does not show that
#    a payload was returned or executed; correlate with HTTP response/file logs and
#    endpoint telemetry.
#  - Only traffic the sensor parses as HTTP is inspected. The same URL fetched over TLS is
#    not covered unless it is decrypted before it reaches the sensor.
#  - The direction is $HOME_NET -> $EXTERNAL_NET. If clients reach the Internet through an
#    internal proxy, check that the sensor sees the proxy's outbound leg.
#  - Generic paths such as "/i", "/arm" or "/bin.sh" are specific only because of the Host
#    match. Many hosts are bare IP addresses, so confirm the entry's current status at the
#    reference URL before treating an old hit as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.28.117"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854007/; classtype:trojan-activity;sid:84717107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.30.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854001/; classtype:trojan-activity;sid:84717101; rev:1;)
# 45.156.24.108: single-segment paths whose names look like CPU architectures
# (more entries for this host follow further down).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854002/; classtype:trojan-activity;sid:84717102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854003/; classtype:trojan-activity;sid:84717103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854004/; classtype:trojan-activity;sid:84717104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854005/; classtype:trojan-activity;sid:84717105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854006/; classtype:trojan-activity;sid:84717106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853999/; classtype:trojan-activity;sid:84717099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3854000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.233.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3854000/; classtype:trojan-activity;sid:84717100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853992/; classtype:trojan-activity;sid:84717092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853993/; classtype:trojan-activity;sid:84717093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853994/; classtype:trojan-activity;sid:84717094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853995/; classtype:trojan-activity;sid:84717095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853996/; classtype:trojan-activity;sid:84717096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853997/; classtype:trojan-activity;sid:84717097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"45.156.24.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853998/; classtype:trojan-activity;sid:84717098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.159.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853991/; classtype:trojan-activity;sid:84717091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31b18793-c225-4c9e-85ad-b15c2c83055e"; depth:37; endswith; nocase; http.host; content:"lhxly.cannatural.eu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853990/; classtype:trojan-activity;sid:84717090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.14.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853989/; classtype:trojan-activity;sid:84717089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853988/; classtype:trojan-activity;sid:84717088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f1c2ccfa-4dcb-4c66-a355-7b03985210ff"; depth:37; endswith; nocase; http.host; content:"pshcd.cannaturalgroup.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853987/; classtype:trojan-activity;sid:84717087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.128.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853986/; classtype:trojan-activity;sid:84717086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.179.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853985/; classtype:trojan-activity;sid:84717085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.233.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853984/; classtype:trojan-activity;sid:84717084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.231.97.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853983/; classtype:trojan-activity;sid:84717083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.196.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853982/; classtype:trojan-activity;sid:84717082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/apk"; depth:13; endswith; nocase; http.host; content:"transporteloggi.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853981/; classtype:trojan-activity;sid:84717081; rev:1;)
# 103.77.246.174: /wget.sh plus architecture-named paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853978/; classtype:trojan-activity;sid:84717078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853979/; classtype:trojan-activity;sid:84717079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853980/; classtype:trojan-activity;sid:84717080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853976/; classtype:trojan-activity;sid:84717076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"103.77.246.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853977/; classtype:trojan-activity;sid:84717077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1097eaa-17b5-43b0-a822-bd27ec6a065a"; depth:37; endswith; nocase; http.host; content:"acmdo.ceremoniavezeto.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853975/; classtype:trojan-activity;sid:84717075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.160.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853974/; classtype:trojan-activity;sid:84717074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853973/; classtype:trojan-activity;sid:84717073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.36.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853972/; classtype:trojan-activity;sid:84717072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.196.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853971/; classtype:trojan-activity;sid:84717071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.179.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853970/; classtype:trojan-activity;sid:84717070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.128.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853969/; classtype:trojan-activity;sid:84717069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm7"; depth:9; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853968/; classtype:trojan-activity;sid:84717068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e50808f8-9957-487d-901d-644cd955dd6f"; depth:37; endswith; nocase; http.host; content:"pchfp.vigaf.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853967/; classtype:trojan-activity;sid:84717067; rev:1;)
# NOTE(review): depth:47 equals the length of the escaped text ("|3f|" counted as four
# characters); the decoded content is 44 bytes. With endswith the end of the URI is still
# anchored, but up to three leading bytes are tolerated, unlike the exact-length depth on
# the neighbouring rules. Presumably a generator artifact; confirm upstream before
# tightening locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=3c19de24-b0eb-4da0-adcb-e17586d61e99"; depth:47; endswith; nocase; http.host; content:"vhngezbf.pleasuredome.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853966/; classtype:trojan-activity;sid:84717066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.45.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853965/; classtype:trojan-activity;sid:84717065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.36.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853964/; classtype:trojan-activity;sid:84717064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.11.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853963/; classtype:trojan-activity;sid:84717063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853962/; classtype:trojan-activity;sid:84717062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.198.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853961/; classtype:trojan-activity;sid:84717061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.15.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853960/; classtype:trojan-activity;sid:84717060; rev:1;)
# 185.14.92.122, 176.65.139.148 and 176.65.139.68: architecture-named paths, the last
# host serving them under /bin/. Entries for the three hosts are interleaved below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"185.14.92.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853955/; classtype:trojan-activity;sid:84717055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"185.14.92.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853956/; classtype:trojan-activity;sid:84717056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"185.14.92.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853957/; classtype:trojan-activity;sid:84717057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"185.14.92.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853958/; classtype:trojan-activity;sid:84717058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"185.14.92.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853959/; classtype:trojan-activity;sid:84717059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853953/; classtype:trojan-activity;sid:84717053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853954/; classtype:trojan-activity;sid:84717054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853946/; classtype:trojan-activity;sid:84717046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853947/; classtype:trojan-activity;sid:84717047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853948/; classtype:trojan-activity;sid:84717048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853949/; classtype:trojan-activity;sid:84717049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/arm4"; depth:9; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853950/; classtype:trojan-activity;sid:84717050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/arc"; depth:8; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853951/; classtype:trojan-activity;sid:84717051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/sparc"; depth:10; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853952/; classtype:trojan-activity;sid:84717052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853944/; classtype:trojan-activity;sid:84717044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853945/; classtype:trojan-activity;sid:84717045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853941/; classtype:trojan-activity;sid:84717041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853942/; classtype:trojan-activity;sid:84717042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853943/; classtype:trojan-activity;sid:84717043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"185.14.92.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853935/; classtype:trojan-activity;sid:84717035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/mips64"; depth:11; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853936/; classtype:trojan-activity;sid:84717036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853937/; classtype:trojan-activity;sid:84717037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853938/; classtype:trojan-activity;sid:84717038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853939/; classtype:trojan-activity;sid:84717039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/i586"; depth:9; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853940/; classtype:trojan-activity;sid:84717040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853932/; classtype:trojan-activity;sid:84717032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853933/; classtype:trojan-activity;sid:84717033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853934/; classtype:trojan-activity;sid:84717034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3853931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/249e700d-2a53-4f2d-b478-f2cbe9096a8c"; depth:37; endswith; nocase; http.host; content:"itdrr.vikstore.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853931/; classtype:trojan-activity;sid:84717031; rev:1;)
# How to read the rules in this feed (every rule here has the same shape):
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client and http.method "GET": only outbound GET
#     requests that Suricata has parsed as HTTP are inspected. Whether
#     $HOME_NET covers the monitored hosts depends on the sensor configuration.
#   - http.uri: depth equals the pattern length and endswith anchors the match
#     to the end of the buffer, so the whole URI must equal the pattern
#     (nocase makes the comparison case-insensitive).
#   - http.host: depth equals the pattern length and isdataat:!1,relative
#     requires that no byte follows, so the whole host must equal the pattern.
# Triage note: the rule looks at the request only. An alert shows that an
# internal host asked for a listed URL; it does not show that a payload was
# delivered or executed - check the response and the endpoint to confirm.
# NOTE(review): the same URL fetched over TLS would not be seen by an
# "alert http" rule unless traffic is decrypted before the sensor - confirm
# what the deployment covers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.198.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853930/; classtype:trojan-activity;sid:84717030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.51.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853929/; classtype:trojan-activity;sid:84717029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9aea8de0-c80c-4a9b-8777-d92d66366619"; depth:37; endswith; nocase; http.host; content:"cknkl.vilagom.hu"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853928/; classtype:trojan-activity;sid:84717028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.107.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853927/; 
classtype:trojan-activity;sid:84717027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.11.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853926/; classtype:trojan-activity;sid:84717026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.51.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853925/; classtype:trojan-activity;sid:84717025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.81.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853924/; classtype:trojan-activity;sid:84717024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.81.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853923/; classtype:trojan-activity;sid:84717023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.237.48"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853922/; classtype:trojan-activity;sid:84717022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.142.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853921/; classtype:trojan-activity;sid:84717021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.159.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853920/; classtype:trojan-activity;sid:84717020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.198.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853919/; classtype:trojan-activity;sid:84717019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.231.97.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853918/; classtype:trojan-activity;sid:84717018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"42.5.90.255"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853917/; classtype:trojan-activity;sid:84717017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61310fd8-887f-4a6d-924f-ab178012390e"; depth:37; endswith; nocase; http.host; content:"qhnhv.vrtigo.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853916/; classtype:trojan-activity;sid:84717016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.172.186.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853914/; classtype:trojan-activity;sid:84717014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.103.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853915/; classtype:trojan-activity;sid:84717015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.84.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853913/; classtype:trojan-activity;sid:84717013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853912)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.106.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853912/; classtype:trojan-activity;sid:84717012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853911/; classtype:trojan-activity;sid:84717011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853910/; classtype:trojan-activity;sid:84717010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fd7b5d0935bcfaad.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853909/; classtype:trojan-activity;sid:84717009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.198.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853908/; 
classtype:trojan-activity;sid:84717008; rev:1;)
# Review note (sid 84717007): in the http.uri pattern below, |3f| is a hex
# escape for one byte ('?'), so the pattern is 44 bytes long, while depth is
# 47 - the length of the escaped text. The neighbouring rules set depth equal
# to the pattern length, which together with endswith pins the whole URI.
# Here a URI with up to 3 extra leading bytes that ends in the pattern also
# matches; depth:44 would restore the exact match. The http.host condition is
# still exact (26-byte pattern, depth:26).
# NOTE(review): presumably an artifact of how the feed is generated - confirm
# upstream rather than editing a vendor-managed rule locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bcdf020e-8ee1-4649-b03c-c8b8631d11a8"; depth:47; endswith; nocase; http.host; content:"kc7s4uri.padelconstruct.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853907/; classtype:trojan-activity;sid:84717007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.84.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853906/; classtype:trojan-activity;sid:84717006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.106.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853905/; classtype:trojan-activity;sid:84717005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.190.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853904/; classtype:trojan-activity;sid:84717004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7fa86faf-7f2f-40b3-8493-621c02e8de1a"; depth:37; 
endswith; nocase; http.host; content:"xdsop.v-vill.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853903/; classtype:trojan-activity;sid:84717003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.174.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853902/; classtype:trojan-activity;sid:84717002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.149.126.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853901/; classtype:trojan-activity;sid:84717001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.200.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853900/; classtype:trojan-activity;sid:84717000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.238.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853899/; classtype:trojan-activity;sid:84716999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853898)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/4a02f294-66ea-4f88-8268-749e80b99708"; depth:37; endswith; nocase; http.host; content:"dwchg.webermann.hu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853898/; classtype:trojan-activity;sid:84716998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.84.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853897/; classtype:trojan-activity;sid:84716997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.244.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853896/; classtype:trojan-activity;sid:84716996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853895/; classtype:trojan-activity;sid:84716995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.174.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853894/; classtype:trojan-activity;sid:84716994; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853893/; classtype:trojan-activity;sid:84716993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.149.126.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853892/; classtype:trojan-activity;sid:84716992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.238.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853891/; classtype:trojan-activity;sid:84716991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853890/; classtype:trojan-activity;sid:84716990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a44f43f1-dc49-4a45-b725-33106ce13f94"; depth:37; endswith; nocase; http.host; content:"reoen.webgondozas.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; 
reference:url, urlhaus.abuse.ch/url/3853889/; classtype:trojan-activity;sid:84716989; rev:1;)
# Review note (sid 84716988): in the http.uri pattern below, |3f| is a hex
# escape for one byte ('?'), so the pattern is 44 bytes long, while depth is
# 47 - the length of the escaped text. The neighbouring rules set depth equal
# to the pattern length, which together with endswith pins the whole URI.
# Here a URI with up to 3 extra leading bytes that ends in the pattern also
# matches; depth:44 would restore the exact match. The http.host condition is
# still exact (31-byte pattern, depth:31).
# NOTE(review): presumably an artifact of how the feed is generated - confirm
# upstream rather than editing a vendor-managed rule locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=5d9c0e3e-94c4-491c-90c9-d40ee3cc5396"; depth:47; endswith; nocase; http.host; content:"0i2th72t.system-horizon.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853888/; classtype:trojan-activity;sid:84716988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.206.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853887/; classtype:trojan-activity;sid:84716987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.11.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853886/; classtype:trojan-activity;sid:84716986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.113.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853885/; classtype:trojan-activity;sid:84716985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853877)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bot_mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853877/; classtype:trojan-activity;sid:84716977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853878/; classtype:trojan-activity;sid:84716978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853879/; classtype:trojan-activity;sid:84716979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853880/; classtype:trojan-activity;sid:84716980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.powerpc"; depth:12; endswith; nocase; http.host; content:"176.65.139.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853881/; classtype:trojan-activity;sid:84716981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3853882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853882/; classtype:trojan-activity;sid:84716982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853883/; classtype:trojan-activity;sid:84716983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853884/; classtype:trojan-activity;sid:84716984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.61.234"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853876/; classtype:trojan-activity;sid:84716976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853874/; 
classtype:trojan-activity;sid:84716974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_armv7l"; depth:11; endswith; nocase; http.host; content:"176.65.139.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853875/; classtype:trojan-activity;sid:84716975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7c486fcd-32e9-4621-b44c-6421cf72c27c"; depth:37; endswith; nocase; http.host; content:"ltewn.welovevent.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853873/; classtype:trojan-activity;sid:84716973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kla.sh"; depth:12; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853872/; classtype:trojan-activity;sid:84716972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"213.21.233.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853871/; classtype:trojan-activity;sid:84716971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mips"; depth:13; endswith; nocase; 
http.host; content:"176.65.139.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853869/; classtype:trojan-activity;sid:84716969; rev:1;)
# URLhaus feed rules (generated upstream), laid out one rule per line. The first
# and last lines of this span are pieces of rules that continue on adjacent lines.
# Shared template: GET request, $HOME_NET -> $EXTERNAL_NET, established flow,
# client side. http.uri depth:<pattern length> + endswith, and http.host
# depth:<pattern length> + isdataat:!1,relative, each pin the pattern to the
# whole buffer, so every rule is an exact URI + exact host match (URI
# case-insensitive via nocase).
# Coverage caveat: these are http rules; a fetch made over TLS is only visible
# to them where the sensor inspects decrypted traffic.
# Most entries below share a handful of 176.65.139.x hosts and differ only in the
# file name (apparently one file per CPU architecture: .sh4, .x86, .arm5, ...),
# so one infected client can raise several sids; triage by http.host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853870/; classtype:trojan-activity;sid:84716970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.sh4"; depth:15; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853867/; classtype:trojan-activity;sid:84716967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.x86"; depth:15; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853868/; classtype:trojan-activity;sid:84716968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853854/; classtype:trojan-activity;sid:84716954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853855/; classtype:trojan-activity;sid:84716955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm5"; depth:16; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853856/; classtype:trojan-activity;sid:84716956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm"; depth:15; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853857/; classtype:trojan-activity;sid:84716957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853858/; classtype:trojan-activity;sid:84716958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm64"; depth:10; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853859/; classtype:trojan-activity;sid:84716959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm7"; depth:16; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853860/; classtype:trojan-activity;sid:84716960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.ppc"; depth:15; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853861/; classtype:trojan-activity;sid:84716961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853862/; classtype:trojan-activity;sid:84716962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853863/; classtype:trojan-activity;sid:84716963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.m68k"; depth:16; endswith; nocase; http.host; content:"176.65.139.46"; depth:13;
isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853864/; classtype:trojan-activity;sid:84716964; rev:1;)
# URLhaus feed rules (generated upstream), laid out one rule per line. The first
# and last lines of this span are pieces of rules that continue on adjacent lines.
# Shared template: GET request, $HOME_NET -> $EXTERNAL_NET, established flow,
# client side. http.uri depth:<pattern length> + endswith, and http.host
# depth:<pattern length> + isdataat:!1,relative, each pin the pattern to the
# whole buffer, so every rule is an exact URI + exact host match (URI
# case-insensitive via nocase).
# Coverage caveat: these are http rules; a fetch made over TLS is only visible
# to them where the sensor inspects decrypted traffic.
# Every rule in this span points at one of three 176.65.139.x hosts; the sids
# differ only by file name, so alert counts here overstate the number of
# distinct destinations.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.mpsl"; depth:13; endswith; nocase; http.host; content:"176.65.139.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853865/; classtype:trojan-activity;sid:84716965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm7"; depth:13; endswith; nocase; http.host; content:"176.65.139.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853866/; classtype:trojan-activity;sid:84716966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853851/; classtype:trojan-activity;sid:84716951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm5"; depth:13; endswith; nocase; http.host; content:"176.65.139.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853852/; classtype:trojan-activity;sid:84716952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rebirth.arm6"; depth:13; endswith; nocase; http.host; content:"176.65.139.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853853/; classtype:trojan-activity;sid:84716953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm6"; depth:16; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853847/; classtype:trojan-activity;sid:84716947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.mpsl"; depth:16; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853848/; classtype:trojan-activity;sid:84716948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.x86_64"; depth:18; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853849/; classtype:trojan-activity;sid:84716949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.mips"; depth:16; endswith; nocase; http.host; content:"176.65.139.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853850/; classtype:trojan-activity;sid:84716950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853846/; classtype:trojan-activity;sid:84716946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853841/; classtype:trojan-activity;sid:84716941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853842/; classtype:trojan-activity;sid:84716942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853843/; classtype:trojan-activity;sid:84716943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27;
reference:url, urlhaus.abuse.ch/url/3853844/; classtype:trojan-activity;sid:84716944; rev:1;)
# URLhaus feed rules (generated upstream), laid out one rule per line. The first
# and last lines of this span are pieces of rules that continue on adjacent lines.
# Shared template: GET request, $HOME_NET -> $EXTERNAL_NET, established flow,
# client side. http.uri depth:<pattern length> + endswith, and http.host
# depth:<pattern length> + isdataat:!1,relative, each pin the pattern to the
# whole buffer, so every rule is an exact URI + exact host match (URI
# case-insensitive via nocase).
# Coverage caveat: these are http rules; a fetch made over TLS is only visible
# to them where the sensor inspects decrypted traffic.
# Short URIs such as "/i" and "/bin.sh" carry almost no signal on their own;
# in those rules the exact http.host match is what makes the alert specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853845/; classtype:trojan-activity;sid:84716945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853838/; classtype:trojan-activity;sid:84716938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853839/; classtype:trojan-activity;sid:84716939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853840/; classtype:trojan-activity;sid:84716940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.97.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853837/; classtype:trojan-activity;sid:84716937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.206.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853836/; classtype:trojan-activity;sid:84716936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/themekit/scripts/zilliqa.exe"; depth:29; endswith; nocase; http.host; content:"www.hippamsas.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853834/; classtype:trojan-activity;sid:84716934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/vendor/bright.exe"; depth:21; endswith; nocase; http.host; content:"www.hippamsas.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853835/; classtype:trojan-activity;sid:84716935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/vendor/s_folder.exe"; depth:23; endswith; nocase; http.host; content:"www.hippamsas.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853833/; classtype:trojan-activity;sid:84716933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"185.14.92.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853831/; classtype:trojan-activity;sid:84716931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/vendor/verge.exe"; depth:20; endswith; nocase; http.host; content:"www.hippamsas.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853832/; classtype:trojan-activity;sid:84716932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/53e7000c-a636-4a84-9654-46b720c162ea"; depth:37; endswith; nocase; http.host; content:"uulte.westinvesteuropa.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853830/; classtype:trojan-activity;sid:84716930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.231.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853828/; classtype:trojan-activity;sid:84716928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.231.76"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url,
urlhaus.abuse.ch/url/3853829/; classtype:trojan-activity;sid:84716929; rev:1;)
# URLhaus feed rules (generated upstream), laid out one rule per line. The first
# and last lines of this span are pieces of rules that continue on adjacent lines.
# Shared template: GET request, $HOME_NET -> $EXTERNAL_NET, established flow,
# client side. http.uri depth:<pattern length> + endswith, and http.host
# depth:<pattern length> + isdataat:!1,relative, each pin the pattern to the
# whole buffer, so every rule is an exact URI + exact host match (URI
# case-insensitive via nocase).
# Coverage caveat: these are http rules; a fetch made over TLS is only visible
# to them where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/50cd1484-b174-4953-85c0-d7cbdbf72a27"; depth:37; endswith; nocase; http.host; content:"mzwum.wilhelmglobal.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853826/; classtype:trojan-activity;sid:84716926; rev:1;)
# NOTE(review): sids 84716922 and 84716924 have identical match conditions (same
# URI, same host), as do 84716923 and 84716925, so one matching request raises
# two alerts per pair. The URLhaus entries presumably differ in something the
# rule does not encode (scheme or port) -- verify on the referenced pages, and
# deduplicate downstream on host + URI rather than on sid.
# NOTE(review): trycloudflare.com host names are normally reached over HTTPS;
# confirm this traffic is seen decrypted, otherwise these four rules cannot fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z.zip"; depth:6; endswith; nocase; http.host; content:"swing-nutten-hon-parameter.trycloudflare.com"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853822/; classtype:trojan-activity;sid:84716922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z.zip"; depth:6; endswith; nocase; http.host; content:"acre-ripe-exit-partial.trycloudflare.com"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853823/; classtype:trojan-activity;sid:84716923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z.zip"; depth:6; endswith; nocase; http.host; content:"swing-nutten-hon-parameter.trycloudflare.com"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853824/; classtype:trojan-activity;sid:84716924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z.zip"; depth:6; endswith; nocase; http.host; content:"acre-ripe-exit-partial.trycloudflare.com"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853825/; classtype:trojan-activity;sid:84716925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.97.63"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853821/; classtype:trojan-activity;sid:84716921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853820/; classtype:trojan-activity;sid:84716920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.8.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853819/; classtype:trojan-activity;sid:84716919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853817/; classtype:trojan-activity;sid:84716917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853818/; classtype:trojan-activity;sid:84716918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853816/; classtype:trojan-activity;sid:84716916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.24.12.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853815/; classtype:trojan-activity;sid:84716915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c5c29ee6-a48f-42ec-a6cd-aa86153ae5be"; depth:37; endswith; nocase; http.host; content:"cwzbp.wlwyb.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853814/; classtype:trojan-activity;sid:84716914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.135.84"; depth:12; isdataat:!1,relative; metadata:created_at
2026_05_27; reference:url, urlhaus.abuse.ch/url/3853813/; classtype:trojan-activity;sid:84716913; rev:1;)
# URLhaus feed rules (generated upstream), laid out one rule per line. The first
# and last lines of this span are pieces of rules that continue on adjacent lines.
# Shared template: GET request, $HOME_NET -> $EXTERNAL_NET, established flow,
# client side. http.uri depth:<pattern length> + endswith, and http.host
# depth:<pattern length> + isdataat:!1,relative, each pin the pattern to the
# whole buffer, so every rule is an exact URI + exact host match (URI
# case-insensitive via nocase).
# Coverage caveat: these are http rules; a fetch made over TLS is only visible
# to them where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.187.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853812/; classtype:trojan-activity;sid:84716912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.243.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853811/; classtype:trojan-activity;sid:84716911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.135.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853810/; classtype:trojan-activity;sid:84716910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.187.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853809/; classtype:trojan-activity;sid:84716909; rev:1;)
# |3f| is the hex-escaped '?', so this pattern spans path and query string.
# NOTE(review): depth:47 equals the character count of the escaped pattern text;
# decoded, the pattern is 44 bytes ('/' + '?' + "ublib=" + 36-character UUID).
# endswith still anchors the end, but the start may float by up to three bytes,
# so this rule is slightly looser than the exact-match template (depth:44 would
# restore it). As this sid is feed-managed, report it upstream; local edits to
# feed rules are typically lost on the next update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=45e067f8-5d8a-47c8-af64-1a38eae03e0f"; depth:47; endswith; nocase; http.host; content:"gplca9pf.script-bridge.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853808/; classtype:trojan-activity;sid:84716908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.97.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853807/; classtype:trojan-activity;sid:84716907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.24.12.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853806/; classtype:trojan-activity;sid:84716906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.38.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853805/; classtype:trojan-activity;sid:84716905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853804/; classtype:trojan-activity;sid:84716904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cdeb7eb-1fdf-4afd-a9bc-0c8c1b50a871"; depth:37; endswith; nocase; http.host; content:"dxblg.workoutwithdorci.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853803/; classtype:trojan-activity;sid:84716903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.66.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853802/; classtype:trojan-activity;sid:84716902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.97.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853801/; classtype:trojan-activity;sid:84716901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853800/; classtype:trojan-activity;sid:84716900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.38.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853799/;
classtype:trojan-activity;sid:84716899; rev:1;)
# URLhaus feed rules (generated upstream), laid out one rule per line. The first
# line of this span is the tail of a rule that starts on the preceding line.
# Shared template: GET request, $HOME_NET -> $EXTERNAL_NET, established flow,
# client side. http.uri depth:<pattern length> + endswith, and http.host
# depth:<pattern length> + isdataat:!1,relative, each pin the pattern to the
# whole buffer, so every rule is an exact URI + exact host match (URI
# case-insensitive via nocase).
# Coverage caveat: these are http rules; a fetch made over TLS is only visible
# to them where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e533891c-5614-4757-9573-2afacc45f625"; depth:37; endswith; nocase; http.host; content:"kbjqa.wpsmart.app"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853798/; classtype:trojan-activity;sid:84716898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.166.38.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853797/; classtype:trojan-activity;sid:84716897; rev:1;)
# The next three rules match one pages.dev subdomain exactly; other sites on
# that shared hosting domain are not affected by them.
# NOTE(review): pages.dev sites are normally reached over HTTPS; confirm this
# traffic is seen decrypted, otherwise these rules cannot fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/script.js"; depth:10; endswith; nocase; http.host; content:"get-1o8.pages.dev"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853796/; classtype:trojan-activity;sid:84716896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/script.ps1"; depth:11; endswith; nocase; http.host; content:"get-1o8.pages.dev"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853795/; classtype:trojan-activity;sid:84716895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/putty.exe"; depth:10; endswith; nocase; http.host; content:"get-1o8.pages.dev"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853794/; classtype:trojan-activity;sid:84716894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.202.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853793/; classtype:trojan-activity;sid:84716893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.15.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853792/; classtype:trojan-activity;sid:84716892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f8853b0-fa0d-4d60-83a6-1d8709d8f8ec"; depth:37; endswith; nocase; http.host; content:"xjmes.yanis.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853791/; classtype:trojan-activity;sid:84716891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.202.183"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853790/; classtype:trojan-activity;sid:84716890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; endswith; nocase; http.host; content:"kevtel.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853789/; classtype:trojan-activity;sid:84716889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.138.235.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853788/; classtype:trojan-activity;sid:84716888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.24.142.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853787/; classtype:trojan-activity;sid:84716887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b477b678-d90a-4ddd-852f-0240dfa3dafb"; depth:37; endswith; nocase; http.host; content:"qxyvx.yanisrea.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853786/; classtype:trojan-activity;sid:84716886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853785/; classtype:trojan-activity;sid:84716885; rev:1;)
# URLhaus feed rules (generated upstream), laid out one rule per line. The last
# line of this span is the head of a rule that continues on the following line.
# Shared template: GET request, $HOME_NET -> $EXTERNAL_NET, established flow,
# client side. http.uri depth:<pattern length> + endswith, and http.host
# depth:<pattern length> + isdataat:!1,relative, each pin the pattern to the
# whole buffer, so every rule is an exact URI + exact host match (URI
# case-insensitive via nocase).
# Coverage caveat: these are http rules; a fetch made over TLS is only visible
# to them where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.41.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853784/; classtype:trojan-activity;sid:84716883; rev:1;)
# The URI pattern here is just "/", so any GET for the site root of this host
# alerts; the host match carries the whole signal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"photobookadm.pro"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853783/; classtype:trojan-activity;sid:84716883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.39.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853782/; classtype:trojan-activity;sid:84716882; rev:1;)
# |3f| is the hex-escaped '?', so this pattern spans path and query string.
# NOTE(review): depth:47 equals the character count of the escaped pattern text;
# decoded, the pattern is 44 bytes ('/' + '?' + "ublib=" + 36-character UUID).
# endswith still anchors the end, but the start may float by up to three bytes,
# so this rule is slightly looser than the exact-match template (depth:44 would
# restore it). As this sid is feed-managed, report it upstream; local edits to
# feed rules are typically lost on the next update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7a109b51-cc53-4f31-9c7a-5e75671b9285"; depth:47; endswith; nocase; http.host; content:"3822lbt1.stack-sphere.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853781/; classtype:trojan-activity;sid:84716881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.243.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853780/; classtype:trojan-activity;sid:84716880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.138.235.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853779/; classtype:trojan-activity;sid:84716879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0ec95e1b-636b-44aa-b2fe-01976395f3e6"; depth:37; endswith; nocase; http.host; content:"cadcr.zaszlorudbolt.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853778/; classtype:trojan-activity;sid:84716878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.51.73"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853777/; classtype:trojan-activity;sid:84716877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.6.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853776/; classtype:trojan-activity;sid:84716876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.220.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853774/; classtype:trojan-activity;sid:84716874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853775/; classtype:trojan-activity;sid:84716875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.171.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853773/; classtype:trojan-activity;sid:84716873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.220.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853772/; classtype:trojan-activity;sid:84716872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.127.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853771/; classtype:trojan-activity;sid:84716871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853770)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/85cd0e80-9b17-4fb2-a3dc-062184a66c41"; depth:37; endswith; nocase; http.host; content:"vkoqp.accredit.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853770/; classtype:trojan-activity;sid:84716870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.171.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853769/; classtype:trojan-activity;sid:84716869; rev:1;)
# The rules that follow share one host (185.150.25.82) and one directory
# (/00101010101001/) and differ only in the file suffix (mips, ppc, mpsl, arm6, sh4,
# i686, x86, arm, m68k, arm5, x86_64, arm7). These are presumably per-architecture builds
# of one payload; verify on the referenced URLhaus entries.
# Each rule is an exact whole-URI match (depth equals the string length, plus endswith),
# so a file in the same directory with a suffix not listed here raises no alert. When one
# of these fires, review the source host's other requests to the same server in
# proxy/HTTP logs rather than relying on the listed names alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.mips"; depth:26; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853768/; classtype:trojan-activity;sid:84716868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.ppc"; depth:25; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853767/; classtype:trojan-activity;sid:84716867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.mpsl"; depth:26; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853757/; classtype:trojan-activity;sid:84716857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.arm6"; depth:26; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853758/; classtype:trojan-activity;sid:84716858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.sh4"; depth:25; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853759/; classtype:trojan-activity;sid:84716859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.i686"; depth:26; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853760/; classtype:trojan-activity;sid:84716860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.x86"; depth:25; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853761/; classtype:trojan-activity;sid:84716861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.arm"; depth:25; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853762/; classtype:trojan-activity;sid:84716862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.m68k"; depth:26; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853763/; classtype:trojan-activity;sid:84716863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.arm5"; depth:26; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853764/; classtype:trojan-activity;sid:84716864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.x86_64"; depth:28; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853765/; classtype:trojan-activity;sid:84716865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00101010101001/morte.arm7"; depth:26; endswith; nocase; http.host; content:"185.150.25.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853766/; classtype:trojan-activity;sid:84716866; 
rev:1;)
# Each rule below pins one exact GET URL: http.uri must equal the content string
# (depth equals its length, plus endswith, nocase) and http.host must equal the host
# string (isdataat:!1,relative allows nothing after it). The number in msg and the
# reference URL identify the URLhaus entry to consult during triage.
# Some IP-literal hosts here are listed under both /i and /bin.sh (for example
# 125.45.9.91 and 110.37.50.192 have further rules elsewhere in this feed); correlate
# alerts by destination host rather than by individual sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.236.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853756/; classtype:trojan-activity;sid:84716856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.41.126"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853755/; classtype:trojan-activity;sid:84716855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.239.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853754/; classtype:trojan-activity;sid:84716854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b058129c-e3ac-4fa4-bbb2-6df8c449d9da"; depth:37; endswith; nocase; http.host; content:"ekyso.addmagad.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853753/; classtype:trojan-activity;sid:84716853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.127.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853752/; classtype:trojan-activity;sid:84716852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.50.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853751/; classtype:trojan-activity;sid:84716851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.9.91"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853750/; classtype:trojan-activity;sid:84716850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.137.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853749/; classtype:trojan-activity;sid:84716849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.166.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853748/; classtype:trojan-activity;sid:84716848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.227.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853747/; classtype:trojan-activity;sid:84716847; rev:1;)
# Host 176.65.139.99 is listed with several file names that differ only in suffix
# (wife.apk, wife.x86, wife.ppc440, wife.sh4, wife.ppc, wife.arc). Because every rule is
# an exact whole-URI match, a sibling file with an unlisted suffix is not covered; on an
# alert, review all requests from the source host to this server in proxy/HTTP logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.apk"; depth:9; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853746/; classtype:trojan-activity;sid:84716846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853745/; classtype:trojan-activity;sid:84716845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.229.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853744/; classtype:trojan-activity;sid:84716844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.ppc440"; depth:12; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853743/; classtype:trojan-activity;sid:84716843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i468"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853742/; classtype:trojan-activity;sid:84716842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853740/; classtype:trojan-activity;sid:84716840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853741/; classtype:trojan-activity;sid:84716841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arc"; depth:9; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853739/; classtype:trojan-activity;sid:84716839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.199.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853738/; classtype:trojan-activity;sid:84716838; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.239.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853737/; classtype:trojan-activity;sid:84716837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a4da285d-eafb-4441-9958-c922ec4d899e"; depth:37; endswith; nocase; http.host; content:"djwof.ady26.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853736/; classtype:trojan-activity;sid:84716836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.50.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853735/; classtype:trojan-activity;sid:84716835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.227.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853734/; classtype:trojan-activity;sid:84716834; rev:1;)
# The rules below whose http.host is "github.com" each pin one repository path on a
# shared hosting platform. An alert implicates that path only, so the host value must not
# be turned into a domain-wide block or allow-list decision.
# NOTE(review): these are `alert http` rules, so they only evaluate requests the sensor
# parses as HTTP. github.com is normally reached over TLS; unless traffic is decrypted
# in front of the sensor, these signatures are unlikely to fire. Cover the same URLs
# from proxy or endpoint telemetry as well, and confirm how your sensor is deployed.
# A hit records that the request was made (flow:from_client), not that the file was
# delivered; check response and file logs before concluding a download happened.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/releases/download/7/systemcleaner.exe"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853732/; classtype:trojan-activity;sid:84716832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/sysdrive.exe"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853731/; classtype:trojan-activity;sid:84716831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/systemhosting.exe"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853730/; classtype:trojan-activity;sid:84716830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/servicetask.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853729/; classtype:trojan-activity;sid:84716829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/systemhost.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853726/; classtype:trojan-activity;sid:84716826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/systemhelper.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853727/; classtype:trojan-activity;sid:84716827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/systemupdate.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853728/; classtype:trojan-activity;sid:84716828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/updatemanager.exe"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853725/; classtype:trojan-activity;sid:84716825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/update.vbs"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853722/; classtype:trojan-activity;sid:84716822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromawashere/security/raw/refs/heads/main/sysupdate.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853723/; classtype:trojan-activity;sid:84716823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d"; depth:2; endswith; nocase; http.host; content:"ryfsowiu.icu"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853724/; classtype:trojan-activity;sid:84716824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mailrealfedex-svga/uploader/raw/refs/heads/main/finale.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853721/; classtype:trojan-activity;sid:84716821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8829a458a496e6ef.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853720/; classtype:trojan-activity;sid:84716820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_6a61761773ab6938.exe"; depth:48; endswith; nocase; http.host; 
content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853719/; classtype:trojan-activity;sid:84716819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.77.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853718/; classtype:trojan-activity;sid:84716818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.166.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853717/; classtype:trojan-activity;sid:84716817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2f0b49db-726b-4d2e-a77e-9e74b7aafed4"; depth:37; endswith; nocase; http.host; content:"odauc.aiteszt.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853716/; classtype:trojan-activity;sid:84716816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.77.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853715/; classtype:trojan-activity;sid:84716815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853714)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=4fa0cd40-746a-4d85-9769-1e07f5cfa133"; depth:47; endswith; nocase; http.host; content:"peqe8mvw.byte-foundry.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853714/; classtype:trojan-activity;sid:84716814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ad2d598-4b7c-4abf-bc1e-430dd5d9933d"; depth:37; endswith; nocase; http.host; content:"gutdp.aileadfactory.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853713/; classtype:trojan-activity;sid:84716813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.9.91"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853712/; classtype:trojan-activity;sid:84716812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.127.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853711/; classtype:trojan-activity;sid:84716811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.146.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, 
urlhaus.abuse.ch/url/3853710/; classtype:trojan-activity;sid:84716810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.127.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853709/; classtype:trojan-activity;sid:84716809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.48.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853706/; classtype:trojan-activity;sid:84716806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b01fdfb0-0c54-4cdb-8a4d-6bbf7174a8bf"; depth:37; endswith; nocase; http.host; content:"dgppz.ady26.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853707/; classtype:trojan-activity;sid:84716807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.48.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853708/; classtype:trojan-activity;sid:84716808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"123.179.228.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853705/; classtype:trojan-activity;sid:84716805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.90.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853704/; classtype:trojan-activity;sid:84716804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27979d02-79f1-4d06-af04-6a8a9aba0111"; depth:37; endswith; nocase; http.host; content:"fanlo.addmagad.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853703/; classtype:trojan-activity;sid:84716803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.252.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853702/; classtype:trojan-activity;sid:84716802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.162.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853701/; classtype:trojan-activity;sid:84716801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853700)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/62cb720d-ab04-49ec-a37f-bef1a8d65c4e"; depth:37; endswith; nocase; http.host; content:"godww.accredit.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853700/; classtype:trojan-activity;sid:84716800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.77.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853699/; classtype:trojan-activity;sid:84716799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff7e0135-61f2-439a-8354-d1a83fb93b2f"; depth:37; endswith; nocase; http.host; content:"mvqex.zaszlorudbolt.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853698/; classtype:trojan-activity;sid:84716798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.200.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853697/; classtype:trojan-activity;sid:84716797; rev:1;)
# NOTE(review): in the next rule the URI pattern contains |3f|, the hex notation for one byte ("?"), so the
# pattern is 44 bytes long, yet depth is 47 -- the length of the rule text including the four characters of
# "|3f|". endswith still pins the end of the URI, but the larger depth lets the pattern start up to 3 bytes
# into the buffer, so this is not the whole-URI match that rules with depth equal to the pattern length give.
# depth:44 would restore it; this looks like a generator issue, so report it to the feed rather than patching
# the generated file in place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=5bc07832-feaa-4893-b2a7-2f2c0a07d343"; depth:47; endswith; nocase; http.host; content:"h3mraocc.telemetry-harbor.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853696/; classtype:trojan-activity;sid:84716796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.139.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853695/; classtype:trojan-activity;sid:84716795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.77.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853694/; classtype:trojan-activity;sid:84716794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.0.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853693/; classtype:trojan-activity;sid:84716793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.24.142.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853692/; classtype:trojan-activity;sid:84716792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5b4a1662-7b9e-40ed-92bc-5a8849e27432"; depth:37;
endswith; nocase; http.host; content:"ywcga.yanisrea.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853691/; classtype:trojan-activity;sid:84716791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.129.138.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853690/; classtype:trojan-activity;sid:84716790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.171.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853689/; classtype:trojan-activity;sid:84716789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.139.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853688/; classtype:trojan-activity;sid:84716788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.251.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853687/; classtype:trojan-activity;sid:84716787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853686)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.171.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853686/; classtype:trojan-activity;sid:84716786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2900d15a-81b4-4b1d-82d4-ca0806bdccee"; depth:37; endswith; nocase; http.host; content:"wehmr.yanis.hu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853685/; classtype:trojan-activity;sid:84716785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.114.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853684/; classtype:trojan-activity;sid:84716784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.167.193.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853683/; classtype:trojan-activity;sid:84716783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853676/; 
classtype:trojan-activity;sid:84716776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853677/; classtype:trojan-activity;sid:84716777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853678/; classtype:trojan-activity;sid:84716778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mpsl"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853679/; classtype:trojan-activity;sid:84716779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853680/; classtype:trojan-activity;sid:84716780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; 
endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853681/; classtype:trojan-activity;sid:84716781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853682/; classtype:trojan-activity;sid:84716782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853668/; classtype:trojan-activity;sid:84716768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853669/; classtype:trojan-activity;sid:84716769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853670/; classtype:trojan-activity;sid:84716770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3853671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853671/; classtype:trojan-activity;sid:84716771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853672/; classtype:trojan-activity;sid:84716772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853673/; classtype:trojan-activity;sid:84716773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853674/; classtype:trojan-activity;sid:84716774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"143.198.83.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; 
reference:url, urlhaus.abuse.ch/url/3853675/; classtype:trojan-activity;sid:84716775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.141.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853667/; classtype:trojan-activity;sid:84716767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.251.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853666/; classtype:trojan-activity;sid:84716766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.129.138.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853665/; classtype:trojan-activity;sid:84716765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.167.193.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853664/; classtype:trojan-activity;sid:84716764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"182.126.125.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853663/; classtype:trojan-activity;sid:84716763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.36.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853662/; classtype:trojan-activity;sid:84716762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.167.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853661/; classtype:trojan-activity;sid:84716761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.241.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853660/; classtype:trojan-activity;sid:84716760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.141.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853659/; classtype:trojan-activity;sid:84716759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853658)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.92.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853658/; classtype:trojan-activity;sid:84716758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.176.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853657/; classtype:trojan-activity;sid:84716757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/f4parrn.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853656/; classtype:trojan-activity;sid:84716756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f8d902d0-d6d9-4143-8a75-ba32b1fc0d8c"; depth:37; endswith; nocase; http.host; content:"qzfcl.wpsmart.app"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853655/; classtype:trojan-activity;sid:84716755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.92.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853654/; classtype:trojan-activity;sid:84716754; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.85.101"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853653/; classtype:trojan-activity;sid:84716753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.11.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853652/; classtype:trojan-activity;sid:84716752; rev:1;)
# NOTE(review): the URI pattern of the next rule contains |3f| (hex notation for the single byte "?"), which
# makes the pattern 44 bytes long, while depth is 47 -- the character count of the rule text with "|3f|"
# spelled out. Together with endswith the rule therefore also accepts up to 3 extra bytes in front of the
# pattern instead of matching the whole URI. depth:44 is the exact value; raise it with the feed, since
# this file is generated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=613824ad-ec1d-4437-9ecb-4c74b1c92e22"; depth:47; endswith; nocase; http.host; content:"155b3nro.proxy-cascade.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853651/; classtype:trojan-activity;sid:84716751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.176.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853650/; classtype:trojan-activity;sid:84716750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4084b335-6edc-4e77-86d7-cec246567866"; depth:37; endswith; nocase; http.host; content:"hcfll.workoutwithdorci.com"; depth:26;
isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853649/; classtype:trojan-activity;sid:84716749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.15.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853648/; classtype:trojan-activity;sid:84716748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.114.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853647/; classtype:trojan-activity;sid:84716747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.111.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853646/; classtype:trojan-activity;sid:84716746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.221.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853645/; classtype:trojan-activity;sid:84716745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"182.126.114.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853644/; classtype:trojan-activity;sid:84716744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.114.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853643/; classtype:trojan-activity;sid:84716743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.11.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853642/; classtype:trojan-activity;sid:84716742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0b569bfa-d1ed-42dd-8f89-2ba5d324c8e6"; depth:37; endswith; nocase; http.host; content:"xjmrl.wlwyb.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853641/; classtype:trojan-activity;sid:84716741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.247.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853640/; classtype:trojan-activity;sid:84716740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3853639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853639/; classtype:trojan-activity;sid:84716739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/907234c0-4026-4109-ba8e-59e373bb7159"; depth:37; endswith; nocase; http.host; content:"numqi.wilhelmglobal.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_27; reference:url, urlhaus.abuse.ch/url/3853638/; classtype:trojan-activity;sid:84716738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.247.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853637/; classtype:trojan-activity;sid:84716737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.31.201.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853636/; classtype:trojan-activity;sid:84716736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853635/; 
classtype:trojan-activity;sid:84716735; rev:1;)
# NOTE(review): the URI pattern of the next rule contains |3f| (hex notation for the single byte "?"), which
# makes the pattern 44 bytes long, while depth is 47 -- the character count of the rule text with "|3f|"
# spelled out. Together with endswith the rule therefore also accepts up to 3 extra bytes in front of the
# pattern instead of matching the whole URI. depth:44 is the exact value; raise it with the feed, since
# this file is generated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=1d9656b9-bbf3-490a-989d-b60facd1a733"; depth:47; endswith; nocase; http.host; content:"z9sb13jt.cloud-beacon.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853634/; classtype:trojan-activity;sid:84716734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.163.246.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853633/; classtype:trojan-activity;sid:84716733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.36.182"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853632/; classtype:trojan-activity;sid:84716732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8016dccb-266a-42d6-a9f0-eca4832db678"; depth:37; endswith; nocase; http.host; content:"vpufr.westinvesteuropa.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853631/; classtype:trojan-activity;sid:84716731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i";
depth:2; endswith; nocase; http.host; content:"42.239.189.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853630/; classtype:trojan-activity;sid:84716730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.23.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853629/; classtype:trojan-activity;sid:84716729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.36.182"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853628/; classtype:trojan-activity;sid:84716728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.31.201.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853627/; classtype:trojan-activity;sid:84716727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/513b443b-8405-4e82-a917-537c1eb95180"; depth:37; endswith; nocase; http.host; content:"gijjr.welovevent.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853626/; classtype:trojan-activity;sid:84716726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3853625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.71.131.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853625/; classtype:trojan-activity;sid:84716725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.189.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853624/; classtype:trojan-activity;sid:84716724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.65.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853623/; classtype:trojan-activity;sid:84716723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7da9b8c9-ea8a-4a94-b015-6380ffdb47b3"; depth:37; endswith; nocase; http.host; content:"iwojm.webgondozas.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853622/; classtype:trojan-activity;sid:84716722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.66.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853621/; 
classtype:trojan-activity;sid:84716721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.223.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853620/; classtype:trojan-activity;sid:84716720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7640890992/e7rwnpz.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853618/; classtype:trojan-activity;sid:84716718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7774414118/t0hvtp7.msi"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853619/; classtype:trojan-activity;sid:84716719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.83.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853616/; classtype:trojan-activity;sid:84716716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"221.15.178.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853617/; classtype:trojan-activity;sid:84716717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.65.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853615/; classtype:trojan-activity;sid:84716715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/53faf5c5-5efb-4e00-be13-ae74428f0084"; depth:37; endswith; nocase; http.host; content:"zsdmb.webermann.hu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853614/; classtype:trojan-activity;sid:84716714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/utt.sh"; depth:7; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853613/; classtype:trojan-activity;sid:84716713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toto.sh"; depth:8; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853612/; classtype:trojan-activity;sid:84716712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853611)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8c6896b1-b38b-48ff-a6d7-7d911e8a136b"; depth:37; endswith; nocase; http.host; content:"fksdx.v-vill.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853611/; classtype:trojan-activity;sid:84716711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.178.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853610/; classtype:trojan-activity;sid:84716710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.158.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853609/; classtype:trojan-activity;sid:84716709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.66.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853608/; classtype:trojan-activity;sid:84716708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.225.47.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853607/; classtype:trojan-activity;sid:84716707; 
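rev:1;)
# The complete rules on this line are restored to one rule per line.
# Shared shape: a GET in an established client-to-server flow from $HOME_NET to
# $EXTERNAL_NET. http.uri is pinned with depth == pattern length plus endswith,
# and http.host with depth == pattern length plus isdataat:!1,relative, so both
# buffers must equal the listed value exactly (http.uri case-insensitively).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.90.255"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853606/; classtype:trojan-activity;sid:84716706; rev:1;)
# |3f| is the one-byte hex escape for '?', so this URI pattern is 44 bytes long.
# The published depth was 47, the length of the escaped text, which let the
# pattern begin up to three bytes into the URI instead of at offset 0. depth is
# set to 44 so the URI must match exactly, as in the sibling rules. rev is left
# as published; the miscount comes from the feed generator and will return on
# the next ruleset refresh unless it is fixed there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=203d3e0c-fc7d-4944-9da6-d7386eec1227"; depth:44; endswith; nocase; http.host; content:"347hoy7r.signal-frontier.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853605/; classtype:trojan-activity;sid:84716705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.158.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853604/; classtype:trojan-activity;sid:84716704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.85.101"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853603/; classtype:trojan-activity;sid:84716703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.60.196"; depth:12; 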
isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853602/; classtype:trojan-activity;sid:84716702; rev:1;)
# The complete rules on this line are restored to one rule per line.
# Each one matches a GET in an established client-to-server flow and requires
# http.uri and http.host to equal the listed values exactly (depth == pattern
# length, closed off with endswith / isdataat:!1,relative).
# URI is a single UUID-shaped path segment on a .hu host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a79f99ef-ab49-4a34-8757-08458ddadc15"; depth:37; endswith; nocase; http.host; content:"bjxbx.vrtigo.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853601/; classtype:trojan-activity;sid:84716701; rev:1;)
# The host pattern is an IPv4 address written as zero-padded octal octets:
# 0153.0255.011.0125 = 107.173.9.85. sid 84716666 in this ruleset matches the
# same URI on the dotted-decimal form of that address.
# NOTE(review): this rule fires only if the client sends the octal literal
# unchanged in the Host header; clients that normalise the address first would
# hit sid 84716666 instead. Keep both rules and confirm against captured traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpswww.tcs.comwhat-we-doindustriespublic-servicessolutiontcs-sovereignsecure-cloudness.php"; depth:93; endswith; nocase; http.host; content:"0000153.0000255.0000011.0000125"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853600/; classtype:trojan-activity;sid:84716700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.113.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853599/; classtype:trojan-activity;sid:84716699; rev:1;)
# URI is a single UUID-shaped path segment on a .hu host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e259fabc-1007-4d80-b467-058958de7944"; depth:37; endswith; nocase; http.host; content:"jkjey.vizhoszivattyu.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853598/; classtype:trojan-activity;sid:84716698; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.54.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853597/; classtype:trojan-activity;sid:84716697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.18.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853596/; classtype:trojan-activity;sid:84716696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.203.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853595/; classtype:trojan-activity;sid:84716695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.240.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853594/; classtype:trojan-activity;sid:84716694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.77.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853593/; classtype:trojan-activity;sid:84716693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a952f06-404a-426c-8934-1b7a534928ac"; depth:37; endswith; nocase; http.host; content:"kqrde.vilagom.hu"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853592/; classtype:trojan-activity;sid:84716692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.143.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853591/; classtype:trojan-activity;sid:84716691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.18.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853590/; classtype:trojan-activity;sid:84716690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.85.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853589/; classtype:trojan-activity;sid:84716689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"123.4.205.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853588/; classtype:trojan-activity;sid:84716688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.161.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853587/; classtype:trojan-activity;sid:84716687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.4.2"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853586/; classtype:trojan-activity;sid:84716686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.77.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853585/; classtype:trojan-activity;sid:84716685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7f151d58-332c-4f37-910a-d5947af518ed"; depth:37; endswith; nocase; http.host; content:"cdpus.vikstore.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853584/; classtype:trojan-activity;sid:84716684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853583)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/img_193010.png"; depth:19; endswith; nocase; http.host; content:"172.245.209.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853583/; classtype:trojan-activity;sid:84716683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.40.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853582/; classtype:trojan-activity;sid:84716682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853581/; classtype:trojan-activity;sid:84716681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.4.2"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853580/; classtype:trojan-activity;sid:84716680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_082539.png"; depth:15; endswith; nocase; http.host; content:"primultesst.infinityfreeapp.com"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853579/; classtype:trojan-activity;sid:84716679; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_181401.png"; depth:15; endswith; nocase; http.host; content:"servercommunicationapiglobal.yzz.me"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853578/; classtype:trojan-activity;sid:84716678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.208.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853577/; classtype:trojan-activity;sid:84716677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853575/; classtype:trojan-activity;sid:84716675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.sparc"; depth:10; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853576/; classtype:trojan-activity;sid:84716676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ddb0a9ff-ad2f-4db0-a061-8acaf0ed4750"; depth:37; endswith; nocase; http.host; content:"fgpjr.vigaf.hu"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853574/; classtype:trojan-activity;sid:84716674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.85.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853573/; classtype:trojan-activity;sid:84716673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/70/img_225048.png"; depth:18; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853572/; classtype:trojan-activity;sid:84716672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/70/giveubestthingsevermadefrome.js"; depth:35; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853570/; classtype:trojan-activity;sid:84716670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_175111.png"; depth:15; endswith; nocase; http.host; content:"servercommunicationapiglobal.yzz.me"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853571/; classtype:trojan-activity;sid:84716671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853568)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853568/; classtype:trojan-activity;sid:84716668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.dbg"; depth:9; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853569/; classtype:trojan-activity;sid:84716669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpswww.tcs.comwhat-we-doindustriespublic-servicessolutiontcs-sovereignsecure-cloudness.php"; depth:93; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853566/; classtype:trojan-activity;sid:84716666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wm7gzv"; depth:7; endswith; nocase; http.host; content:"jakos.ovh"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853567/; classtype:trojan-activity;sid:84716667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853546/; classtype:trojan-activity;sid:84716646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853547/; classtype:trojan-activity;sid:84716647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853548/; classtype:trojan-activity;sid:84716648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853549/; classtype:trojan-activity;sid:84716649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peniss.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853550/; classtype:trojan-activity;sid:84716650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; 
http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853551/; classtype:trojan-activity;sid:84716651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853552/; classtype:trojan-activity;sid:84716652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853553/; classtype:trojan-activity;sid:84716653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853554/; classtype:trojan-activity;sid:84716654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853555/; classtype:trojan-activity;sid:84716655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3853556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853556/; classtype:trojan-activity;sid:84716656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853557/; classtype:trojan-activity;sid:84716657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853558/; classtype:trojan-activity;sid:84716658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm4"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853559/; classtype:trojan-activity;sid:84716659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853560/; 
classtype:trojan-activity;sid:84716660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853561/; classtype:trojan-activity;sid:84716661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853562/; classtype:trojan-activity;sid:84716662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853563/; classtype:trojan-activity;sid:84716663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853564/; classtype:trojan-activity;sid:84716664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; 
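nocase; http.host; content:"176.65.148.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853565/; classtype:trojan-activity;sid:84716665; rev:1;)
# The complete rules on this line are restored to one rule per line.
# Shared shape: a GET in an established client-to-server flow from $HOME_NET to
# $EXTERNAL_NET. http.uri is pinned with depth == pattern length plus endswith,
# and http.host with depth == pattern length plus isdataat:!1,relative, so both
# buffers must equal the listed value exactly (http.uri case-insensitively).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/70/ecc/enitrethingsgoodformybesthings.hta"; depth:42; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853545/; classtype:trojan-activity;sid:84716645; rev:1;)
# |3f| is the one-byte hex escape for '?', so this URI pattern is 44 bytes long.
# The published depth was 47, the length of the escaped text, which let the
# pattern begin up to three bytes into the URI instead of at offset 0. depth is
# set to 44 so the URI must match exactly, as in the sibling rules. rev is left
# as published; the miscount comes from the feed generator and will return on
# the next ruleset refresh unless it is fixed there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=c51d0d82-bc40-4c2a-8630-6d1feaa4782b"; depth:44; endswith; nocase; http.host; content:"h7cyp6bl.kernel-compass.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853544/; classtype:trojan-activity;sid:84716644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853543/; classtype:trojan-activity;sid:84716643; rev:1;)
# The file name in this URI is that of a ScreenConnect client installer.
# NOTE(review): presumably a remote-support client staged on a listed host; on
# a hit, check the requesting endpoint for a remote-access client that nobody
# in the organisation deployed. Confirm against the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.83.31.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853541/; classtype:trojan-activity;sid:84716641; rev:1;)
alert http 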
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"84.54.33.84"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853542/; classtype:trojan-activity;sid:84716642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.92.1.35"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853540/; classtype:trojan-activity;sid:84716640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.83.31.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853539/; classtype:trojan-activity;sid:84716639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"84.54.33.84"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853537/; classtype:trojan-activity;sid:84716637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; 
content:"45.92.1.35"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853538/; classtype:trojan-activity;sid:84716638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.57.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853536/; classtype:trojan-activity;sid:84716636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853535/; classtype:trojan-activity;sid:84716635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56d327b3-0068-495c-84e1-a4bc66f9e740"; depth:37; endswith; nocase; http.host; content:"irrvh.ceremoniavezeto.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853534/; classtype:trojan-activity;sid:84716634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.208.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853533/; classtype:trojan-activity;sid:84716633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853532)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.92.69.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853532/; classtype:trojan-activity;sid:84716632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.161.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853531/; classtype:trojan-activity;sid:84716631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61154fc4-b79b-484b-936a-953488396e8b"; depth:37; endswith; nocase; http.host; content:"pjvro.cannaturalgroup.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853530/; classtype:trojan-activity;sid:84716630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.244.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853529/; classtype:trojan-activity;sid:84716629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.82.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853528/; classtype:trojan-activity;sid:84716628; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.3.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853527/; classtype:trojan-activity;sid:84716627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.130.169.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853525/; classtype:trojan-activity;sid:84716625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.244.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853526/; classtype:trojan-activity;sid:84716626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.3.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853524/; classtype:trojan-activity;sid:84716624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4fc3e1d5-4515-466b-a767-857988d9032e"; depth:37; endswith; nocase; http.host; content:"topbo.cannatural.eu"; depth:19; isdataat:!1,relative; 
metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853523/; classtype:trojan-activity;sid:84716623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.215.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853522/; classtype:trojan-activity;sid:84716622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.4.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853521/; classtype:trojan-activity;sid:84716621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; endswith; nocase; http.host; content:"193.24.123.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853520/; classtype:trojan-activity;sid:84716620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4.sh"; depth:5; endswith; nocase; http.host; content:"pub-41eee9d53a324f038367d5d36f45d18b.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853519/; classtype:trojan-activity;sid:84716619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853518)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.34.31"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853518/; classtype:trojan-activity;sid:84716618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.92.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853517/; classtype:trojan-activity;sid:84716617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.92.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853516/; classtype:trojan-activity;sid:84716616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.215.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853515/; classtype:trojan-activity;sid:84716615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.82.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853514/; classtype:trojan-activity;sid:84716614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3853513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.140.161.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853513/; classtype:trojan-activity;sid:84716613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.49.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853512/; classtype:trojan-activity;sid:84716612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/78972430-8b37-4477-8e4b-29dfac209b54"; depth:37; endswith; nocase; http.host; content:"grrab.cannatural.cz"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853511/; classtype:trojan-activity;sid:84716611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.10.154"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853510/; classtype:trojan-activity;sid:84716610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853509/; classtype:trojan-activity;sid:84716609; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853508/; classtype:trojan-activity;sid:84716608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.3.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853507/; classtype:trojan-activity;sid:84716607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853506/; classtype:trojan-activity;sid:84716606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/ce/madewithbestsettingsforme.hta"; depth:35; endswith; nocase; http.host; content:"198.46.173.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853505/; classtype:trojan-activity;sid:84716605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5/po.zip"; depth:9; endswith; nocase; http.host; content:"198.46.173.18"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_26; reference:url, urlhaus.abuse.ch/url/3853499/; classtype:trojan-activity;sid:84716599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2/rslnxonu38.bin"; depth:17; endswith; nocase; http.host; content:"198.46.173.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853500/; classtype:trojan-activity;sid:84716600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4/zlvqfxiydzdvcpeoafsjoyxexk192.bin"; depth:36; endswith; nocase; http.host; content:"198.46.173.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853501/; classtype:trojan-activity;sid:84716601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4/nyohdxmrc172.bin"; depth:19; endswith; nocase; http.host; content:"198.46.173.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853502/; classtype:trojan-activity;sid:84716602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/vnc.exe"; depth:10; endswith; nocase; http.host; content:"198.46.173.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853503/; classtype:trojan-activity;sid:84716603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853504)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1/aytzdmxt149.bin"; depth:18; endswith; nocase; http.host; content:"198.46.173.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853504/; classtype:trojan-activity;sid:84716604; rev:1;)
# Each rule below matches one outbound cleartext HTTP GET whose URI and Host
# both equal the listed values (depth + endswith on http.uri, depth +
# isdataat:!1,relative on http.host). A hit shows that a client requested the
# URL; it does not show that the payload was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.118.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853498/; classtype:trojan-activity;sid:84716598; rev:1;)
# A URI pattern as short as "/i" carries no signal of its own; the rule is
# only as specific as its exact http.host match, and that host is an IP
# literal. Age such rules out using metadata:created_at or the status shown
# at the URLhaus reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.46.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853497/; classtype:trojan-activity;sid:84716597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.49.6"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853496/; classtype:trojan-activity;sid:84716596; rev:1;)
# NOTE(review): "|3f|" is a single byte ("?"), so this pattern is 44 bytes
# long, while depth is 47 (the length of the escaped text as written). With
# endswith, the URI can carry up to 3 extra leading bytes and still match;
# this is looser than the exact match the unescaped rules get.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=d1f91b97-c0d3-4e3a-b77b-09ee5916c9cd"; depth:47; endswith; nocase; http.host; content:"j543wvuu.packet-orbit.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853495/; classtype:trojan-activity;sid:84716595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.3.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853494/; classtype:trojan-activity;sid:84716594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geeksitalians"; depth:14; endswith; nocase; http.host; content:"paste.sensio.no"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853493/; classtype:trojan-activity;sid:84716593; rev:1;)
# Host is a shared code-hosting domain, so the full URI is what makes this
# rule specific; the ".jpg" suffix says nothing reliable about the content.
# NOTE(review): such services are normally reached over HTTPS, where an
# "alert http" rule sees nothing without TLS decryption. Cover the same
# indicator in proxy or endpoint telemetry as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mywtestwusbect/hfghfgdfgdfg/downloads/3.jpg"; depth:44; endswith; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853492/; classtype:trojan-activity;sid:84716592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.10.154"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853491/; classtype:trojan-activity;sid:84716591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ca18e602c7a72d9c.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853490/; classtype:trojan-activity;sid:84716590; rev:1;)
# NOTE(review): "|7c|26|7c|" decodes to the four literal bytes |26| (0x7c is
# "|"), not to "&" (0x26). If the reported URL separates its parameters with
# "&", the escaping was presumably applied twice and this rule cannot match
# the real request; compare with the URLhaus reference before relying on it.
# depth:143 is again the escaped-text length; the decoded pattern is 122 bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/index.php|3f|a=dl|7c|26|7c|lrj=cx1gb52tuj|7c|26|7c|anji=ozxky|7c|26|7c|cp=a4f989e43e04ed72c38a1a134ab6534d612154d996d0711d999510924873ae0f"; depth:143; endswith; nocase; http.host; content:"clacndjsvulnarbi.beer"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853489/; classtype:trojan-activity;sid:84716589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8d22c8bc8c39510a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853488/; classtype:trojan-activity;sid:84716588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.21.172.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853487/; classtype:trojan-activity;sid:84716587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.226.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853486/; classtype:trojan-activity;sid:84716586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.114.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853485/; classtype:trojan-activity;sid:84716585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a0fb36c-6f6a-48d0-bc07-87af2a0b4180"; depth:37; endswith; nocase; http.host; content:"kaewe.caesarresidence.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853484/; classtype:trojan-activity;sid:84716584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.40.117"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853483/; classtype:trojan-activity;sid:84716583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.21.172.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853482/; classtype:trojan-activity;sid:84716582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.40.117"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853481/; classtype:trojan-activity;sid:84716581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/714cad5f-b224-4cef-be0e-54d8c875215d"; depth:37; endswith; nocase; http.host; content:"xvceg.butoralberlet.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853480/; classtype:trojan-activity;sid:84716580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.58.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853479/; classtype:trojan-activity;sid:84716579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.212.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853478/; classtype:trojan-activity;sid:84716578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.189.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853477/; classtype:trojan-activity;sid:84716577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853476)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/8830f003-13c1-4ac1-958d-ce6f439ac25c"; depth:37; endswith; nocase; http.host; content:"qgrqy.business360.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853476/; classtype:trojan-activity;sid:84716576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.8.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853475/; classtype:trojan-activity;sid:84716575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853474/; classtype:trojan-activity;sid:84716574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.58.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853473/; classtype:trojan-activity;sid:84716573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.142.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853472/; classtype:trojan-activity;sid:84716572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3853471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.212.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853471/; classtype:trojan-activity;sid:84716571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853470/; classtype:trojan-activity;sid:84716570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/733d568a-91fe-4206-8e7c-7e3ece4dafaa"; depth:37; endswith; nocase; http.host; content:"vhfla.budapesthandmade.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853469/; classtype:trojan-activity;sid:84716569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.90.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853468/; classtype:trojan-activity;sid:84716568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.118.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853467/; classtype:trojan-activity;sid:84716567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=48e87da3-8794-4ffb-a89b-4f48bccd5691"; depth:47; endswith; nocase; http.host; content:"a7px1y1v.container-pulse.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853466/; classtype:trojan-activity;sid:84716566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.252.159.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853465/; classtype:trojan-activity;sid:84716565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.226.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853464/; classtype:trojan-activity;sid:84716564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.34.31"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853463/; classtype:trojan-activity;sid:84716563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"27.215.241.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853462/; classtype:trojan-activity;sid:84716562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.189.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853461/; classtype:trojan-activity;sid:84716561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15741499-af12-41eb-b1c5-5ad6ae3c9515"; depth:37; endswith; nocase; http.host; content:"zpxfn.buborekjatszohaz.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853460/; classtype:trojan-activity;sid:84716560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.15.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853459/; classtype:trojan-activity;sid:84716559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.134.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853458/; classtype:trojan-activity;sid:84716558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3853457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.118.154"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853457/; classtype:trojan-activity;sid:84716557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.98.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853456/; classtype:trojan-activity;sid:84716556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.134.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853455/; classtype:trojan-activity;sid:84716555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c05d91eb-4527-4a5a-bbab-fb681e76f1a9"; depth:37; endswith; nocase; http.host; content:"ldeml.buborekjatszohaz.hu"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853454/; classtype:trojan-activity;sid:84716554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.196.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853453/; 
classtype:trojan-activity;sid:84716553; rev:1;)
# Each rule below pins one GET request: the URI pattern has depth equal to its
# length plus `endswith`, and the host pattern has depth equal to its length
# plus `isdataat:!1,relative`. Direction is $HOME_NET -> $EXTERNAL_NET on an
# established flow, client side only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_91aca91ebbe1b031.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853452/; classtype:trojan-activity;sid:84716552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.248.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853451/; classtype:trojan-activity;sid:84716551; rev:1;)
# sid 84716550: the host is a shared content host, so the rule is specific only
# because of the 83-byte path; the host value alone must not be reused as a
# block or alert indicator.
# NOTE(review): `alert http` inspects only traffic Suricata parses as HTTP.
# Presumably this host is normally fetched over TLS; if so, the rule needs
# decrypted traffic at the sensor to fire - TODO confirm sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/callm743/gridlesssekai-retro/main/bernardine/gridless-sekai-retro-v3.0-alpha.5.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853450/; classtype:trojan-activity;sid:84716550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ea4b46f1-f591-40fd-9507-a5baf7899c70"; depth:37; endswith; nocase; http.host; content:"ggrze.brssolar.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853449/; classtype:trojan-activity;sid:84716549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853448)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.196.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853448/; classtype:trojan-activity;sid:84716548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.212.50.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853447/; classtype:trojan-activity;sid:84716547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.248.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853446/; classtype:trojan-activity;sid:84716546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.110.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853445/; classtype:trojan-activity;sid:84716545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d753127-caf9-4aeb-8f42-a9b3288902eb"; depth:37; endswith; nocase; http.host; content:"nveth.brandbuilder.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853444/; 
classtype:trojan-activity;sid:84716544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h/estagio4.php"; depth:15; endswith; nocase; http.host; content:"b.acrobatreader.online"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853443/; classtype:trojan-activity;sid:84716543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.191.230.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853442/; classtype:trojan-activity;sid:84716542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853441/; classtype:trojan-activity;sid:84716541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d762073-c04e-436c-a416-6f8176e03e0e"; depth:37; endswith; nocase; http.host; content:"adxwe.boutiqbar.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853440/; classtype:trojan-activity;sid:84716540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.235.83.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853439/; classtype:trojan-activity;sid:84716539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.191.230.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853438/; classtype:trojan-activity;sid:84716538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853437/; classtype:trojan-activity;sid:84716537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=f9aaafce-1a12-4686-a8a9-aa01ff4e7f47"; depth:47; endswith; nocase; http.host; content:"oa4njxsv.byte-frontier.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853436/; classtype:trojan-activity;sid:84716536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.152.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853435/; classtype:trojan-activity;sid:84716535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3853434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"dawn-bush-ddd1.yasminanthonyy.workers.dev"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853434/; classtype:trojan-activity;sid:84716534; rev:1;)
# The rule that closes on the line above (sid 84716534) has the single byte `/`
# as its URI pattern with depth:1 and `endswith`, so it alerts on any GET for
# the root path of that host name; the host match carries all of the
# specificity.
# NOTE(review): the host sits under a shared hosting suffix, so only the full
# 41-byte name is an indicator. If the host is reached over TLS, this
# `alert http` rule sees nothing without decryption - TODO confirm.
#
# The rules below follow the same exact-URI plus exact-host form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ap/udpunktcp.toc"; depth:17; endswith; nocase; http.host; content:"alkurdi-sa.cam"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853433/; classtype:trojan-activity;sid:84716533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ucc/kr.js"; depth:10; endswith; nocase; http.host; content:"clemanimpianti.it.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853432/; classtype:trojan-activity;sid:84716532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca0b6882-153f-475e-af19-225b65068c00"; depth:37; endswith; nocase; http.host; content:"mlbmb.bonuszugynokseg.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853431/; classtype:trojan-activity;sid:84716531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.229.186.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853430/; classtype:trojan-activity;sid:84716530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.152.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853429/; classtype:trojan-activity;sid:84716529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/68faedf6-b056-46d9-80d0-faf708414e32"; depth:37; endswith; nocase; http.host; content:"swhbk.bohochal.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853428/; classtype:trojan-activity;sid:84716528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.229.186.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853427/; classtype:trojan-activity;sid:84716527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.121.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853426/; classtype:trojan-activity;sid:84716526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853425/; classtype:trojan-activity;sid:84716525; rev:1;)
# The rules below each pin one GET request by exact URI (depth plus `endswith`,
# case-insensitive) and exact host (depth plus `isdataat:!1,relative`), from
# $HOME_NET to $EXTERNAL_NET on any port.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.203.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853424/; classtype:trojan-activity;sid:84716524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntb/ntb.arm7"; depth:13; endswith; nocase; http.host; content:"34.227.228.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853423/; classtype:trojan-activity;sid:84716523; rev:1;)
# sid 84716522: the host sits under a shared hosting suffix; only the full
# 47-byte host name together with the path is an indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvcs-0h91-09wd-ypdn/img_uvbfvh.png"; depth:35; endswith; nocase; http.host; content:"small-morning-8be0.fsocietyandtools.workers.dev"; depth:47; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853422/; classtype:trojan-activity;sid:84716522; rev:1;)
# Rule for URLhaus entry 3853421 (continues on the next line): inside a content
# string `|7c|` decodes to the byte `|`, so `|7c|26|7c|` matches the four
# literal characters `|26|`, not `&` (0x26).
# NOTE(review): this looks like a double-escaped `&` - confirm against the
# URLhaus entry. If the listed URL separates its query parameters with `&`,
# this pattern cannot match it and the rule is a silent detection gap.
# depth:136 is the length of the escaped text, not of the decoded pattern.
# The host is a shared file-hosting name, so the path is the indicator; a fetch
# over TLS is not visible to an `alert http` rule without decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/8gwqsgp3ywwsus51500y0/img_de00290100_001000_26_05_2026.vbe|3f|rlkey=bh347g667knqo2j2vu8677zft|7c|26|7c|st=97hjftn7|7c|26|7c|dl=1"; depth:136; endswith; nocase; http.host; content:"dl.dropboxusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853421/; classtype:trojan-activity;sid:84716521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.70.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853420/; classtype:trojan-activity;sid:84716520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06dfa801-6992-4f5e-83f8-de1601c9348a"; depth:37; endswith; nocase; http.host; content:"rrnek.bognartransport.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853419/; classtype:trojan-activity;sid:84716519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853418/; classtype:trojan-activity;sid:84716518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.121.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853417/; classtype:trojan-activity;sid:84716517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"110.36.94.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853416/; classtype:trojan-activity;sid:84716516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.102.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853415/; classtype:trojan-activity;sid:84716515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853414/; classtype:trojan-activity;sid:84716514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.102.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853413/; classtype:trojan-activity;sid:84716513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/28f63c78-c36f-49c6-bb3e-0d92b2ea8107"; depth:37; endswith; nocase; http.host; content:"ohzmh.bninolimit.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853412/; classtype:trojan-activity;sid:84716512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853411)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.237.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853411/; classtype:trojan-activity;sid:84716511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.185.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853410/; classtype:trojan-activity;sid:84716510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=2ff72def-ad07-45e5-b558-3c26db036a3f"; depth:47; endswith; nocase; http.host; content:"9awu4igb.cloud-lattice.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853409/; classtype:trojan-activity;sid:84716509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.185.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853408/; classtype:trojan-activity;sid:84716508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.237.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853407/; 
classtype:trojan-activity;sid:84716507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1977d4e3-e910-48fc-9431-e64e363bf452"; depth:37; endswith; nocase; http.host; content:"acuon.bni-ai.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853406/; classtype:trojan-activity;sid:84716506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.237.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853405/; classtype:trojan-activity;sid:84716505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.237.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853404/; classtype:trojan-activity;sid:84716504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=fc4c2afc-d641-4677-b313-959281dd5b4e"; depth:47; endswith; nocase; http.host; content:"bcfaxrtc.logic-compass.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853403/; classtype:trojan-activity;sid:84716503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"123.9.195.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853402/; classtype:trojan-activity;sid:84716502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.54.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853401/; classtype:trojan-activity;sid:84716501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.102.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853400/; classtype:trojan-activity;sid:84716500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aa3f1358-3a51-49aa-ab70-758334c8e739"; depth:37; endswith; nocase; http.host; content:"julya.bmz.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853399/; classtype:trojan-activity;sid:84716499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.85.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853398/; classtype:trojan-activity;sid:84716498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3853397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.110.53.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853397/; classtype:trojan-activity;sid:84716497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.85.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853396/; classtype:trojan-activity;sid:84716496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.246.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853395/; classtype:trojan-activity;sid:84716495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.66.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853394/; classtype:trojan-activity;sid:84716494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853393/; classtype:trojan-activity;sid:84716493; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/79c886ef-67c8-41dc-95da-43d74d0dcdbe"; depth:37; endswith; nocase; http.host; content:"vmpyw.almasiklima.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853392/; classtype:trojan-activity;sid:84716492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.42.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853391/; classtype:trojan-activity;sid:84716491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope12.johnsmith"; depth:19; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853390/; classtype:trojan-activity;sid:84716490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.109.28"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853389/; classtype:trojan-activity;sid:84716489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.163.53.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; 
reference:url, urlhaus.abuse.ch/url/3853388/; classtype:trojan-activity;sid:84716488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.187.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853387/; classtype:trojan-activity;sid:84716487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/405282cb-7ac0-4cae-987f-bd54fdb1d270"; depth:37; endswith; nocase; http.host; content:"fuluz.akonyvelod.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853386/; classtype:trojan-activity;sid:84716486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.99.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853385/; classtype:trojan-activity;sid:84716485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"45.85.218.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853384/; classtype:trojan-activity;sid:84716484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"42.235.73.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853383/; classtype:trojan-activity;sid:84716483; rev:1;)
# http.host is a lowercased buffer, which is why the host patterns carry no nocase while
# the http.uri patterns do.
# These are "alert http" rules: they apply to traffic the sensor parses as HTTP, not to
# the same URL fetched inside TLS unless it is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.9.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853382/; classtype:trojan-activity;sid:84716482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.109.28"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853381/; classtype:trojan-activity;sid:84716481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/83fd96f1-a2b9-4c28-ad6f-1fe1db5eb03e"; depth:37; endswith; nocase; http.host; content:"ilgte.aivallalkozok.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853380/; classtype:trojan-activity;sid:84716480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.163.53.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853379/; classtype:trojan-activity;sid:84716479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3853378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.195.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853378/; classtype:trojan-activity;sid:84716478; rev:1;)
# The complete rules on this line all match the URI "/bin.sh" exactly on an IP-literal Host.
# IP-keyed indicators go stale as addresses are reassigned; the file header carries a
# "Last updated" stamp, so reload from the feed rather than keeping an old copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.42.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853377/; classtype:trojan-activity;sid:84716477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.9.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853376/; classtype:trojan-activity;sid:84716476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.99.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853375/; classtype:trojan-activity;sid:84716475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.73.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853374/; classtype:trojan-activity;sid:84716474; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s.exe"; depth:6; endswith; nocase; http.host; content:"9e628dc697b3b9.lhr.life"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853373/; classtype:trojan-activity;sid:84716473; rev:1;)
# Each rule pins http.uri (depth = pattern length, endswith, nocase) and http.host
# (depth, isdataat:!1,relative) to the exact quoted values for an outbound GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.113.25.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853372/; classtype:trojan-activity;sid:84716472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.107.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853371/; classtype:trojan-activity;sid:84716471; rev:1;)
# raw.githubusercontent.com is a shared content host, so the repository path is the only
# discriminating part of this rule; the host alone must not be treated as hostile.
# NOTE(review): this is an "alert http" rule, so it fires only if the request is seen as
# cleartext HTTP or after TLS decryption - confirm sensor placement before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brainiacmonoos/document/refs/heads/main/origin.exe"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853370/; classtype:trojan-activity;sid:84716470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7262ae00e091e63d.exe"; depth:48; endswith; nocase; http.host; 
content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853368/; classtype:trojan-activity;sid:84716468; rev:1;)
# The 91.92.242.236 entries under /files-129312398/files/ differ only in the
# file_<hex>.exe name and each name has its own sid, so a new file name on that host is
# not covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e8f2c5079f92806a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853369/; classtype:trojan-activity;sid:84716469; rev:1;)
# UUID-shaped path on a five-letter subdomain; both URI and Host are matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7544dfc7-91c6-48e8-b6b6-b7644403e300"; depth:37; endswith; nocase; http.host; content:"eqgwn.aivallalkozo.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853367/; classtype:trojan-activity;sid:84716467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.171.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853366/; classtype:trojan-activity;sid:84716466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.119.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853365/; classtype:trojan-activity;sid:84716465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3853364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.119.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853364/; classtype:trojan-activity;sid:84716464; rev:1;)
# |3f| is the hex escape for "?", so the pattern in the next two rules is "/?download=1"
# (12 bytes once decoded).
# NOTE(review): depth:15 equals the length of the escaped text, not of the decoded
# pattern; with endswith the URI may carry up to 3 leading bytes before the pattern and
# still match. The Host match stays exact. Worth reporting upstream - depth:12 would make
# the URI match exact like the other entries.
# The hosts are *.vercel.app names; as "alert http" rules these apply only to requests
# the sensor parses as HTTP (cleartext or decrypted upstream).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"dtp-avaria.vercel.app"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853363/; classtype:trojan-activity;sid:84716463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"phtod-rus.vercel.app"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853362/; classtype:trojan-activity;sid:84716462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_0428bf72ca3505bf.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853361/; classtype:trojan-activity;sid:84716461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.107.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853360/; classtype:trojan-activity;sid:84716460; rev:1;)
# Several hosts in this file have both an "/i" and a "/bin.sh" entry under separate sids
# (for example 218.28.230.7 and 125.42.119.31), so group alerts by http.host during
# triage instead of counting each sid as a separate source.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.28.230.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853359/; classtype:trojan-activity;sid:84716459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.232.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853358/; classtype:trojan-activity;sid:84716458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.19.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853357/; classtype:trojan-activity;sid:84716457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.119.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853356/; classtype:trojan-activity;sid:84716456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/75a2f137-c7aa-4acf-b992-99237cdbd12c"; depth:37; endswith; nocase; http.host; 
content:"abmjl.bertifolia.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853355/; classtype:trojan-activity;sid:84716455; rev:1;)
# 178.16.54.109 has ten sequentially named entries in this file (/lb1.exe to /lb10.exe),
# one sid each, every one an exact URI plus exact Host match.
# NOTE(review): a local host-level rule would also cover sibling names the feed has not
# listed yet; weigh that against false positives if the address turns out to be shared.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb9.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853353/; classtype:trojan-activity;sid:84716453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb10.exe"; depth:9; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853354/; classtype:trojan-activity;sid:84716454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb8.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853347/; classtype:trojan-activity;sid:84716447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb4.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853348/; classtype:trojan-activity;sid:84716448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853349)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/lb6.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853349/; classtype:trojan-activity;sid:84716449; rev:1;)
# More of the 178.16.54.109 /lbN.exe group: same Host, one sid per file name, URI and
# Host both matched exactly (depth = pattern length with endswith / isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb7.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853350/; classtype:trojan-activity;sid:84716450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb5.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853351/; classtype:trojan-activity;sid:84716451; rev:1;)
# UUID-shaped path on a five-letter subdomain, the same shape as the .hu entries in this
# file, here under a .com domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fee93181-065c-4499-af45-199a9a79a097"; depth:37; endswith; nocase; http.host; content:"ptnza.bni-ai.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853352/; classtype:trojan-activity;sid:84716452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.28.230.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853346/; classtype:trojan-activity;sid:84716446; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb1.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853343/; classtype:trojan-activity;sid:84716443; rev:1;)
# Remaining 178.16.54.109 /lbN.exe entries, followed by "/bin.sh" and "/i" entries on
# IP-literal hosts. Every rule requires an exact URI and an exact Host, so an alert
# identifies one specific listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb3.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853344/; classtype:trojan-activity;sid:84716444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb2.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853345/; classtype:trojan-activity;sid:84716445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.19.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853342/; classtype:trojan-activity;sid:84716442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.171.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853341/; classtype:trojan-activity;sid:84716441; rev:1;)
# metadata:created_at records the day the entry was created (2026_05_26 for every rule
# on this line); use it to age out entries if a local copy of the feed is kept.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/321ddd16-64a3-43d6-aeb1-c613db8ff8b2"; depth:37; endswith; nocase; http.host; content:"neypx.bmz.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853340/; classtype:trojan-activity;sid:84716440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.8.59"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853339/; classtype:trojan-activity;sid:84716439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.178.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853338/; classtype:trojan-activity;sid:84716438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/09016948-1d50-4614-a072-c44cd5771ae4"; depth:37; endswith; nocase; http.host; content:"miqhc.bmiroda.hu"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853337/; classtype:trojan-activity;sid:84716437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853336/; classtype:trojan-activity;sid:84716436; rev:1;)
# reference:url points at the URLhaus page for the entry (same id as in msg); check the
# entry there before escalating, since the rule itself only says the URL was listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.8.59"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853335/; classtype:trojan-activity;sid:84716435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b49ef12c-321d-4fba-a93b-9683282fe140"; depth:37; endswith; nocase; http.host; content:"bczth.bertifolia.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853334/; classtype:trojan-activity;sid:84716434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.11.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853333/; classtype:trojan-activity;sid:84716433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dde58c5d-ea59-4538-9490-4133a9503bd8"; depth:37; endswith; nocase; http.host; content:"zcrop.bernoe.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853332/; classtype:trojan-activity;sid:84716432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3853331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.87.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853331/; classtype:trojan-activity;sid:84716431; rev:1;)
# flow:established,from_client restricts inspection to the client-to-server side of an
# established session, so an alert marks the request leaving $HOME_NET; it does not by
# itself show that a payload was returned - confirm from response or file logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853330/; classtype:trojan-activity;sid:84716430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.26.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853329/; classtype:trojan-activity;sid:84716429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.11.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853328/; classtype:trojan-activity;sid:84716428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.178.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853327/; 
classtype:trojan-activity;sid:84716427; rev:1;)
# Exact URI plus exact Host matches for outbound GET requests; one sid per listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.226.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853326/; classtype:trojan-activity;sid:84716426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/589b9ff0-510f-4248-9b02-d1bf6cf6813e"; depth:37; endswith; nocase; http.host; content:"vrifp.bergertetokft.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853325/; classtype:trojan-activity;sid:84716425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.26.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853324/; classtype:trojan-activity;sid:84716424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.173.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853323/; classtype:trojan-activity;sid:84716423; rev:1;)
# NOTE(review): the path below sits under /wp-content/plugins/, which looks like a
# WordPress install - possibly a compromised legitimate site; confirm before treating
# the whole domain as hostile. The same file name also appears as /load/kythy.exe on
# 5.252.155.72 (sid 84716412) in this file. The Host pattern is on the continuation line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/kythy.exe"; depth:29; endswith; nocase; http.host; 
content:"femade.co.uk"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853322/; classtype:trojan-activity;sid:84716422; rev:1;)
# Exact URI plus exact Host matches for outbound GET requests; one sid per listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853321/; classtype:trojan-activity;sid:84716421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c2f6759-671b-46e8-872e-0671fd1a0488"; depth:37; endswith; nocase; http.host; content:"aklze.bercibutor.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853320/; classtype:trojan-activity;sid:84716420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.110.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853319/; classtype:trojan-activity;sid:84716419; rev:1;)
# 59-byte Host with a UUID-shaped leftmost label, matched exactly. The same Host has a
# second entry in this file with a numeric path (sid 84716398); correlate the two.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbt3h2b4si.bin"; depth:15; endswith; nocase; http.host; content:"6a109ce5-3c8f-432c-8c07-1b9ff8282c7a.mp-lby-mtch-svc.in.net"; depth:59; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853318/; classtype:trojan-activity;sid:84716418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3853317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b085475f-3e07-4592-b0d9-308c24016584"; depth:37; endswith; nocase; http.host; content:"odqtx.bbglobalbau.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853317/; classtype:trojan-activity;sid:84716417; rev:1;)
# Exact URI plus exact Host matches for outbound GET requests; one sid per listed URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.214.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853316/; classtype:trojan-activity;sid:84716416; rev:1;)
# Start of a run of 5.252.155.72 entries under /load/ and /load/os1/, one sid per
# executable name. NOTE(review): because each URI is matched exactly, a file name on this
# host that the feed has not listed is not covered; a local host-level rule is an option.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/hjbk.exe"; depth:14; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853315/; classtype:trojan-activity;sid:84716415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jlffdd.exe"; depth:20; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853314/; classtype:trojan-activity;sid:84716414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/jufprujs.exe"; depth:22; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; 
reference:url, urlhaus.abuse.ch/url/3853313/; classtype:trojan-activity;sid:84716413; rev:1;)
# 5.252.155.72 entries under /load/ and /load/os1/: same Host, one sid per executable
# name, URI and Host both matched exactly.
# /load/kythy.exe shares its file name with the /wp-content/plugins/kythy.exe entry on
# femade.co.uk (sid 84716422) in this file; correlate the two when either fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/kythy.exe"; depth:15; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853312/; classtype:trojan-activity;sid:84716412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/ojujn.exe"; depth:15; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853311/; classtype:trojan-activity;sid:84716411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/kliulij.exe"; depth:17; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853309/; classtype:trojan-activity;sid:84716409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/vkkqj.exe"; depth:19; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853310/; classtype:trojan-activity;sid:84716410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853300)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/load/os1/somaliacruises.exe"; depth:28; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853300/; classtype:trojan-activity;sid:84716400; rev:1;)
# More 5.252.155.72 entries; the URLhaus ids (and therefore the sids) are not in strictly
# descending order here, so do not assume file order when searching by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/gxjgd.exe"; depth:19; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853301/; classtype:trojan-activity;sid:84716401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/urgoy.exe"; depth:19; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853302/; classtype:trojan-activity;sid:84716402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/bjbh.exe"; depth:14; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853303/; classtype:trojan-activity;sid:84716403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cxmfd.exe"; depth:19; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853304/; classtype:trojan-activity;sid:84716404; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/statingconnectors.exe"; depth:31; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853305/; classtype:trojan-activity;sid:84716405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/hnmh.exe"; depth:14; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853306/; classtype:trojan-activity;sid:84716406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/ww7.exe"; depth:17; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853307/; classtype:trojan-activity;sid:84716407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/os1/cry.exe"; depth:17; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853308/; classtype:trojan-activity;sid:84716408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load/jhgkuyyg.exe"; depth:18; endswith; nocase; http.host; content:"5.252.155.72"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853299/; classtype:trojan-activity;sid:84716399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/289284235475738274"; depth:19; endswith; nocase; http.host; content:"6a109ce5-3c8f-432c-8c07-1b9ff8282c7a.mp-lby-mtch-svc.in.net"; depth:59; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853298/; classtype:trojan-activity;sid:84716398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.230.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853297/; classtype:trojan-activity;sid:84716397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.214.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853296/; classtype:trojan-activity;sid:84716396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.215.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853295/; classtype:trojan-activity;sid:84716395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853294)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/c72a1f15-b3bc-42a8-a644-a213b226cd47"; depth:37; endswith; nocase; http.host; content:"jwqnk.bbautokozmetika.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853294/; classtype:trojan-activity;sid:84716394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.241.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853293/; classtype:trojan-activity;sid:84716393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.240.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853292/; classtype:trojan-activity;sid:84716392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853291/; classtype:trojan-activity;sid:84716391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm"; depth:8; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853289/; classtype:trojan-activity;sid:84716389; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm64"; depth:10; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853290/; classtype:trojan-activity;sid:84716390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853284/; classtype:trojan-activity;sid:84716384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853285/; classtype:trojan-activity;sid:84716385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853286/; classtype:trojan-activity;sid:84716386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853287/; classtype:trojan-activity;sid:84716387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i468"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853288/; classtype:trojan-activity;sid:84716388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/vendor/chain.exe"; depth:20; endswith; nocase; http.host; content:"www.hippamsas.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853283/; classtype:trojan-activity;sid:84716383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_169c5057cfdadb9c.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853278/; classtype:trojan-activity;sid:84716378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a11093226dc72f08.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853279/; classtype:trojan-activity;sid:84716379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3853280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_2b6fb93e2bac48b0.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853280/; classtype:trojan-activity;sid:84716380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5d90675258d7f07c.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853281/; classtype:trojan-activity;sid:84716381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_57623be47902747d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853282/; classtype:trojan-activity;sid:84716382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.208.112.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853277/; classtype:trojan-activity;sid:84716377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02304fa5-d517-4c8a-8c5c-28c85e57205a"; depth:37; endswith; nocase; http.host; 
content:"xybtn.bartendersclub.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853276/; classtype:trojan-activity;sid:84716376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.115.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853275/; classtype:trojan-activity;sid:84716375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.29.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853274/; classtype:trojan-activity;sid:84716374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.71.131.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853273/; classtype:trojan-activity;sid:84716373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.195.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853272/; classtype:trojan-activity;sid:84716372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853271)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.29.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853271/; classtype:trojan-activity;sid:84716371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.45.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853270/; classtype:trojan-activity;sid:84716370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/899e5776-2f18-4389-bd2d-67b44d115358"; depth:37; endswith; nocase; http.host; content:"mrwqb.bartaenergetika.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853269/; classtype:trojan-activity;sid:84716369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.195.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853268/; classtype:trojan-activity;sid:84716368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.219.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853267/; classtype:trojan-activity;sid:84716367; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/to"; depth:3; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853266/; classtype:trojan-activity;sid:84716366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.25.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853265/; classtype:trojan-activity;sid:84716365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.221.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853264/; classtype:trojan-activity;sid:84716364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.252.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853263/; classtype:trojan-activity;sid:84716363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/80a6b38f-d0c5-444d-b99f-42a5c2ea219c"; depth:37; endswith; nocase; http.host; content:"mahcr.banhidileadershipacademy.hu"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_26; 
reference:url, urlhaus.abuse.ch/url/3853262/; classtype:trojan-activity;sid:84716362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.60.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853261/; classtype:trojan-activity;sid:84716361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.128.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853260/; classtype:trojan-activity;sid:84716360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.25.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853259/; classtype:trojan-activity;sid:84716359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.219.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853258/; classtype:trojan-activity;sid:84716358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8375dfce-f3e3-4729-ac0a-eb5b869b0ed0"; depth:37; endswith; 
nocase; http.host; content:"dynhc.balintpiroska.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853257/; classtype:trojan-activity;sid:84716357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.221.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853256/; classtype:trojan-activity;sid:84716356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.138.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853255/; classtype:trojan-activity;sid:84716355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.164.128.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853254/; classtype:trojan-activity;sid:84716354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.21.25.2"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853253/; classtype:trojan-activity;sid:84716353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853252)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853252/; classtype:trojan-activity;sid:84716352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853251/; classtype:trojan-activity;sid:84716351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853242/; classtype:trojan-activity;sid:84716342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853243/; classtype:trojan-activity;sid:84716343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853244/; classtype:trojan-activity;sid:84716344; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853245/; classtype:trojan-activity;sid:84716345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.i686"; depth:9; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853246/; classtype:trojan-activity;sid:84716346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853247/; classtype:trojan-activity;sid:84716347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mis.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853248/; classtype:trojan-activity;sid:84716348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, 
urlhaus.abuse.ch/url/3853249/; classtype:trojan-activity;sid:84716349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853250/; classtype:trojan-activity;sid:84716350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853241/; classtype:trojan-activity;sid:84716341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853240/; classtype:trojan-activity;sid:84716340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.254.113.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853239/; classtype:trojan-activity;sid:84716339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f509f5e2-7107-4a31-89f6-ce283ad83177"; depth:37; endswith; nocase; 
http.host; content:"werel.balazsotthonepites.hu"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853238/; classtype:trojan-activity;sid:84716338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.224.69.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853237/; classtype:trojan-activity;sid:84716337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.246.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853236/; classtype:trojan-activity;sid:84716336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.60.250"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853235/; classtype:trojan-activity;sid:84716335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.21.25.2"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853234/; classtype:trojan-activity;sid:84716334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853233)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.224.69.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853233/; classtype:trojan-activity;sid:84716333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.179.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853232/; classtype:trojan-activity;sid:84716332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.23.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853231/; classtype:trojan-activity;sid:84716331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.182.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853230/; classtype:trojan-activity;sid:84716330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.115.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853229/; classtype:trojan-activity;sid:84716329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3853228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.179.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853228/; classtype:trojan-activity;sid:84716328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rdlink"; depth:7; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853227/; classtype:trojan-activity;sid:84716327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/li"; depth:3; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853226/; classtype:trojan-activity;sid:84716326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/res"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853225/; classtype:trojan-activity;sid:84716325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.23.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853224/; 
classtype:trojan-activity;sid:84716324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.182.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853223/; classtype:trojan-activity;sid:84716323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76d79658-78d7-4cca-846e-556c1baed306"; depth:37; endswith; nocase; http.host; content:"vnhvi.orkapool.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853222/; classtype:trojan-activity;sid:84716322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.74.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853221/; classtype:trojan-activity;sid:84716321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.14.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853220/; classtype:trojan-activity;sid:84716320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.62.184.87"; 
depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853219/; classtype:trojan-activity;sid:84716319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.56.100"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853218/; classtype:trojan-activity;sid:84716318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.74.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853217/; classtype:trojan-activity;sid:84716317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.156.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853216/; classtype:trojan-activity;sid:84716316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.56.100"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853215/; classtype:trojan-activity;sid:84716315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853214)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"vmi3208269.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853214/; classtype:trojan-activity;sid:84716314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853210/; classtype:trojan-activity;sid:84716310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853211/; classtype:trojan-activity;sid:84716311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853212/; classtype:trojan-activity;sid:84716312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mpsl"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853213/; classtype:trojan-activity;sid:84716313; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853205/; classtype:trojan-activity;sid:84716305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853206/; classtype:trojan-activity;sid:84716306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853207/; classtype:trojan-activity;sid:84716307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853208/; classtype:trojan-activity;sid:84716308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853209/; classtype:trojan-activity;sid:84716309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853199/; classtype:trojan-activity;sid:84716299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853200/; classtype:trojan-activity;sid:84716300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/1.sh"; depth:15; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853201/; classtype:trojan-activity;sid:84716301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853202/; classtype:trojan-activity;sid:84716302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853203)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853203/; classtype:trojan-activity;sid:84716303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"62.171.152.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853204/; classtype:trojan-activity;sid:84716304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.230.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853198/; classtype:trojan-activity;sid:84716298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.35.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853197/; classtype:trojan-activity;sid:84716297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.231.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853196/; classtype:trojan-activity;sid:84716296; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b90c607f-1bf2-49bc-908c-8b9404cac4a4"; depth:37; endswith; nocase; http.host; content:"fgmxk.optimumfitness.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853195/; classtype:trojan-activity;sid:84716295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.96.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853194/; classtype:trojan-activity;sid:84716294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.62.184.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853193/; classtype:trojan-activity;sid:84716293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.43.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853192/; classtype:trojan-activity;sid:84716292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"83.142.209.67"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853191/; classtype:trojan-activity;sid:84716291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.157.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_26; reference:url, urlhaus.abuse.ch/url/3853190/; classtype:trojan-activity;sid:84716290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.89.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853189/; classtype:trojan-activity;sid:84716289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8041f36c-f4ad-4c9f-965a-9446a83d703f"; depth:37; endswith; nocase; http.host; content:"phmro.optikusom.hu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853188/; classtype:trojan-activity;sid:84716288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.76.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853187/; classtype:trojan-activity;sid:84716287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853186)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.89.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853186/; classtype:trojan-activity;sid:84716286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.165.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853184/; classtype:trojan-activity;sid:84716284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.138.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853185/; classtype:trojan-activity;sid:84716285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.90.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853183/; classtype:trojan-activity;sid:84716283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.22.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853182/; classtype:trojan-activity;sid:84716282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853181)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.35.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853181/; classtype:trojan-activity;sid:84716281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.96.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853180/; classtype:trojan-activity;sid:84716280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.231.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853179/; classtype:trojan-activity;sid:84716279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853178/; classtype:trojan-activity;sid:84716278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.22.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853177/; classtype:trojan-activity;sid:84716277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3853176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"42.6.248.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853176/; classtype:trojan-activity;sid:84716276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.186.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853175/; classtype:trojan-activity;sid:84716275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.165.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853174/; classtype:trojan-activity;sid:84716274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.90.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853173/; classtype:trojan-activity;sid:84716273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54de9e0e-1516-4a31-b1f2-6a475b4f3a9e"; depth:37; endswith; nocase; http.host; content:"rnfg.onlyfansagency.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3853172/; classtype:trojan-activity;sid:84716272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.138.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853171/; classtype:trojan-activity;sid:84716271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.186.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853170/; classtype:trojan-activity;sid:84716270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853169/; classtype:trojan-activity;sid:84716269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.188.76.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853168/; classtype:trojan-activity;sid:84716268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"222.138.103.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853167/; classtype:trojan-activity;sid:84716267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desktop.exe"; depth:12; endswith; nocase; http.host; content:"193.233.126.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853166/; classtype:trojan-activity;sid:84716266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syslog.exe"; depth:11; endswith; nocase; http.host; content:"193.233.126.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853165/; classtype:trojan-activity;sid:84716265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syslog.vbs"; depth:11; endswith; nocase; http.host; content:"193.233.126.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853164/; classtype:trojan-activity;sid:84716264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.119.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853163/; classtype:trojan-activity;sid:84716263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853162)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su.bat"; depth:7; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853162/; classtype:trojan-activity;sid:84716262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0b64832e-86c2-4a4d-827b-0b07d459ba3d"; depth:37; endswith; nocase; http.host; content:"axnb.olyusvirag.hu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853161/; classtype:trojan-activity;sid:84716261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syslog.exe"; depth:11; endswith; nocase; http.host; content:"45.38.143.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853159/; classtype:trojan-activity;sid:84716259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desktop.exe"; depth:12; endswith; nocase; http.host; content:"45.38.143.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853160/; classtype:trojan-activity;sid:84716260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su.js"; depth:6; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853157/; 
classtype:trojan-activity;sid:84716257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sos.exe"; depth:8; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853158/; classtype:trojan-activity;sid:84716258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/su.vbs"; depth:7; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853156/; classtype:trojan-activity;sid:84716256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syslog.vbs"; depth:11; endswith; nocase; http.host; content:"45.38.143.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853155/; classtype:trojan-activity;sid:84716255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tarra31.vbs"; depth:12; endswith; nocase; http.host; content:"tarratarea.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853154/; classtype:trojan-activity;sid:84716254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853152)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/tumfuf.txt|3f|ref_type=heads"; depth:98; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853152/; classtype:trojan-activity;sid:84716252; rev:1;)
# Each rule in this feed matches one reported URL: an outbound GET whose
# http.uri equals the listed path (depth + endswith, case-insensitive) and whose
# http.host equals the listed host (depth + isdataat:!1,relative, i.e. nothing
# may follow the host match).
#
# NOTE(review): in the gitlab.com rules (sids 84716252, 84716249, 84716250,
# 84716251) the "?" is written as the hex escape |3f|, and depth equals the
# length of the rule text including that four-character escape, i.e. three more
# than the decoded pattern (98 vs. 95 bytes for sid 84716252). Combined with
# endswith, the pattern may therefore begin up to 3 bytes into http.uri rather
# than strictly at offset 0. Presumably the feed generator measures the escaped
# string; confirm upstream before relying on these as exact-URI matches.
#
# NOTE(review): gitlab.com and raw.githubusercontent.com are shared hosting
# platforms; only host + exact path identify the reported file, so these entries
# should not be turned into host-level blocks. The rules are "alert http" and
# inspect http.* buffers, so they match only requests the sensor sees as
# cleartext HTTP. If the download runs over TLS (presumably the usual case for
# these hosts; verify), coverage needs decrypted traffic or a URL match in
# proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/refs/heads/main/cryp2_cvtres.txt"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853153/; classtype:trojan-activity;sid:84716253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/refs/heads/main/tumfuf.txt"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853148/; classtype:trojan-activity;sid:84716248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/class.txt|3f|ref_type=heads"; depth:97; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853149/; classtype:trojan-activity;sid:84716249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/tarra_cl3.txt|3f|ref_type=heads"; depth:101; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853150/; classtype:trojan-activity;sid:84716250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elpolacodelsuroficial-group/elpolacodelsuroficial-project/-/raw/main/31agosto.txt|3f|ref_type=heads"; depth:100; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853151/; classtype:trojan-activity;sid:84716251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e4e8e997-1d2e-4c39-8940-28f5b1d21bda"; depth:37; endswith; nocase; http.host; content:"wzfm.oltigergo.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853147/; classtype:trojan-activity;sid:84716247; rev:1;)
# NOTE(review): the trycloudflare.com host below is a tunnel hostname on a
# shared service; the same cleartext-HTTP visibility caveat applies (whether the
# reported URL was http or https is not visible in the rule; check the URLhaus
# reference).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sep01x86_ayoo.zip"; depth:18; endswith; nocase; http.host; content:"eligibility-biological-rights-directive.trycloudflare.com"; depth:57; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853144/; classtype:trojan-activity;sid:84716244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1apr22st.zip"; depth:13; endswith; nocase; 
http.host; content:"eligibility-biological-rights-directive.trycloudflare.com"; depth:57; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853145/; classtype:trojan-activity;sid:84716245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1apr22ma.zip"; depth:13; endswith; nocase; http.host; content:"eligibility-biological-rights-directive.trycloudflare.com"; depth:57; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853146/; classtype:trojan-activity;sid:84716246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/an.zip"; depth:7; endswith; nocase; http.host; content:"eligibility-biological-rights-directive.trycloudflare.com"; depth:57; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853143/; classtype:trojan-activity;sid:84716243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1apr22dll.zip"; depth:14; endswith; nocase; http.host; content:"eligibility-biological-rights-directive.trycloudflare.com"; depth:57; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853142/; classtype:trojan-activity;sid:84716242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1apr22su.bat"; depth:13; endswith; nocase; http.host; content:"eligibility-biological-rights-directive.trycloudflare.com"; depth:57; isdataat:!1,relative; metadata:created_at 
2026_05_25; reference:url, urlhaus.abuse.ch/url/3853140/; classtype:trojan-activity;sid:84716240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1apr22su.txt"; depth:13; endswith; nocase; http.host; content:"eligibility-biological-rights-directive.trycloudflare.com"; depth:57; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853141/; classtype:trojan-activity;sid:84716241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ukmay182.txt"; depth:13; endswith; nocase; http.host; content:"moscow-discounted-applications-magnitude.trycloudflare.com"; depth:58; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853139/; classtype:trojan-activity;sid:84716239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/1.js"; depth:9; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853137/; classtype:trojan-activity;sid:84716237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/ukmay05_.js"; depth:16; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853138/; classtype:trojan-activity;sid:84716238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3853130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scan04/scan_04758935839204.pdf.wsh"; depth:35; endswith; nocase; http.host; content:"51.89.204.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853130/; classtype:trojan-activity;sid:84716230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/new.js"; depth:11; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853131/; classtype:trojan-activity;sid:84716231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/01473463829.js"; depth:19; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853132/; classtype:trojan-activity;sid:84716232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/thedll.js"; depth:14; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853133/; classtype:trojan-activity;sid:84716233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/ukmay12.js"; depth:15; endswith; nocase; 
http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853134/; classtype:trojan-activity;sid:84716234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/new_josh.js"; depth:16; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853135/; classtype:trojan-activity;sid:84716235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/ukmar27.wsf"; depth:16; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853136/; classtype:trojan-activity;sid:84716236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ukmay181.txt"; depth:13; endswith; nocase; http.host; content:"moscow-discounted-applications-magnitude.trycloudflare.com"; depth:58; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853125/; classtype:trojan-activity;sid:84716225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/ukapr29b.wsf"; depth:17; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3853126/; classtype:trojan-activity;sid:84716226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/thedll.wsf"; depth:15; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853127/; classtype:trojan-activity;sid:84716227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/ukmar26.wsf"; depth:16; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853128/; classtype:trojan-activity;sid:84716228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obe/1phj14.wsf"; depth:15; endswith; nocase; http.host; content:"lodge-pilot-node-vegetables.trycloudflare.com"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853129/; classtype:trojan-activity;sid:84716229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853124/; classtype:trojan-activity;sid:84716224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853112)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853112/; classtype:trojan-activity;sid:84716212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853113/; classtype:trojan-activity;sid:84716213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853114/; classtype:trojan-activity;sid:84716214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853115/; classtype:trojan-activity;sid:84716215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3853116/; classtype:trojan-activity;sid:84716216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853117/; classtype:trojan-activity;sid:84716217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853118/; classtype:trojan-activity;sid:84716218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853119/; classtype:trojan-activity;sid:84716219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853120/; classtype:trojan-activity;sid:84716220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; 
depth:10; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853121/; classtype:trojan-activity;sid:84716221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853122/; classtype:trojan-activity;sid:84716222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"176.65.139.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853123/; classtype:trojan-activity;sid:84716223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853111/; classtype:trojan-activity;sid:84716211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853100/; classtype:trojan-activity;sid:84716200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3853101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv5l"; depth:12; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853101/; classtype:trojan-activity;sid:84716201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853102/; classtype:trojan-activity;sid:84716202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv7l"; depth:12; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853103/; classtype:trojan-activity;sid:84716203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853104/; classtype:trojan-activity;sid:84716204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853105/; 
classtype:trojan-activity;sid:84716205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853106/; classtype:trojan-activity;sid:84716206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv6l"; depth:12; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853107/; classtype:trojan-activity;sid:84716207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853108/; classtype:trojan-activity;sid:84716208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.sh"; depth:10; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853109/; classtype:trojan-activity;sid:84716209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"64.89.161.130"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853110/; classtype:trojan-activity;sid:84716210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853095/; classtype:trojan-activity;sid:84716195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853096/; classtype:trojan-activity;sid:84716196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853097/; classtype:trojan-activity;sid:84716197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853098/; classtype:trojan-activity;sid:84716198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853099)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853099/; classtype:trojan-activity;sid:84716199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853087/; classtype:trojan-activity;sid:84716187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853088/; classtype:trojan-activity;sid:84716188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853089/; classtype:trojan-activity;sid:84716189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853090/; classtype:trojan-activity;sid:84716190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3853091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl.sh"; depth:6; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853091/; classtype:trojan-activity;sid:84716191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853092/; classtype:trojan-activity;sid:84716192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853093/; classtype:trojan-activity;sid:84716193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"151.242.30.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853094/; classtype:trojan-activity;sid:84716194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"2.27.20.154"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853085/; 
classtype:trojan-activity;sid:84716185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"2.27.20.154"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853086/; classtype:trojan-activity;sid:84716186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853074/; classtype:trojan-activity;sid:84716174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853075/; classtype:trojan-activity;sid:84716175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853076/; classtype:trojan-activity;sid:84716176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853077/; classtype:trojan-activity;sid:84716177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853078/; classtype:trojan-activity;sid:84716178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/anti.sh"; depth:13; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853079/; classtype:trojan-activity;sid:84716179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853080/; classtype:trojan-activity;sid:84716180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/anti.sh"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853081/; classtype:trojan-activity;sid:84716181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853082)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"2.27.20.154"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853082/; classtype:trojan-activity;sid:84716182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv5l"; depth:12; endswith; nocase; http.host; content:"2.27.20.154"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853083/; classtype:trojan-activity;sid:84716183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"2.27.20.154"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853084/; classtype:trojan-activity;sid:84716184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853068/; classtype:trojan-activity;sid:84716168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853069/; classtype:trojan-activity;sid:84716169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3853070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853070/; classtype:trojan-activity;sid:84716170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853071/; classtype:trojan-activity;sid:84716171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853072/; classtype:trojan-activity;sid:84716172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853073/; classtype:trojan-activity;sid:84716173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropper.go"; depth:16; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3853066/; classtype:trojan-activity;sid:84716166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dropper.go"; depth:16; endswith; nocase; http.host; content:"176.65.139.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853067/; classtype:trojan-activity;sid:84716167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-9b3cf5ac"; depth:13; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853058/; classtype:trojan-activity;sid:84716158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-e0e4c747"; depth:13; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853059/; classtype:trojan-activity;sid:84716159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-7040216d"; depth:13; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853060/; classtype:trojan-activity;sid:84716160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-d446c582"; depth:13; endswith; 
nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853061/; classtype:trojan-activity;sid:84716161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-058769b2"; depth:13; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853062/; classtype:trojan-activity;sid:84716162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-64d64f06"; depth:13; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853063/; classtype:trojan-activity;sid:84716163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853064/; classtype:trojan-activity;sid:84716164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-bf9c9361"; depth:13; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853065/; classtype:trojan-activity;sid:84716165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853057)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853057/; classtype:trojan-activity;sid:84716157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3fd06543-1e50-4054-a9fd-89fb6cf46d52"; depth:37; endswith; nocase; http.host; content:"odna.oltigergely.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853056/; classtype:trojan-activity;sid:84716156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.228.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853055/; classtype:trojan-activity;sid:84716155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-armv7l"; depth:11; endswith; nocase; http.host; content:"176.65.139.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853054/; classtype:trojan-activity;sid:84716154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f98df549-ed2a-4a85-ace1-1b9c3f88e999"; depth:37; endswith; nocase; http.host; content:"ayov.olcsongepet.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853053/; 
classtype:trojan-activity;sid:84716153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86b9499e-bc56-4220-804d-32d305158a58"; depth:37; endswith; nocase; http.host; content:"yvcg.oltigergely.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853052/; classtype:trojan-activity;sid:84716152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.87.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853051/; classtype:trojan-activity;sid:84716151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.39.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853050/; classtype:trojan-activity;sid:84716150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0b9ddb80-1e61-48ac-a257-4e207a2240fd"; depth:37; endswith; nocase; http.host; content:"oazd.olcsongepet.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853049/; classtype:trojan-activity;sid:84716149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"125.40.83.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853048/; classtype:trojan-activity;sid:84716148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.83.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853047/; classtype:trojan-activity;sid:84716147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a0d2d88c-7c10-401b-bfbb-2f0e4a3506ee"; depth:37; endswith; nocase; http.host; content:"lvavdb.nyitottkeramia.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853046/; classtype:trojan-activity;sid:84716146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.89.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853044/; classtype:trojan-activity;sid:84716144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.240.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853045/; classtype:trojan-activity;sid:84716145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3853043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=6b30cd5c-e014-4077-8e75-5a06e7b63e6d"; depth:47; endswith; nocase; http.host; content:"7louefau.microservice-compass.digital"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853043/; classtype:trojan-activity;sid:84716143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba14db08-71ec-4426-8b31-89cca907a26f"; depth:37; endswith; nocase; http.host; content:"fmslna.nr1office.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853042/; classtype:trojan-activity;sid:84716142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.128.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853041/; classtype:trojan-activity;sid:84716141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.175.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853040/; classtype:trojan-activity;sid:84716140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.89.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; 
reference:url, urlhaus.abuse.ch/url/3853039/; classtype:trojan-activity;sid:84716139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.128.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853038/; classtype:trojan-activity;sid:84716138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71130d2d-1299-4a5b-a840-5ccf59ac8ff2"; depth:37; endswith; nocase; http.host; content:"iejzed.liltkereskedohaz.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853037/; classtype:trojan-activity;sid:84716137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates/svchost.exe"; depth:20; endswith; nocase; http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853035/; classtype:trojan-activity;sid:84716135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates/svchost_laptop.exe"; depth:27; endswith; nocase; http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853036/; classtype:trojan-activity;sid:84716136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853031)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/updates/windows%20update%20elevated%20service.exe"; depth:50; endswith; nocase; http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853031/; classtype:trojan-activity;sid:84716131; rev:1;)
# NOTE(review): the /updates/ rules for 194.32.248.126 in this stretch match a literal "%20" in http.uri.
# http.uri is Suricata's normalized URI buffer; where the sensor percent-decodes the path, the
# request appears there with spaces and these patterns would not fire. http.uri.raw keeps the
# bytes as sent - confirm against the sensor's libhtp settings before relying on these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates/system%20protection%20background%20task.exe"; depth:52; endswith; nocase; http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853032/; classtype:trojan-activity;sid:84716132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates/microsoft%20windows%20health%20service%20diagnostics.exe"; depth:65; endswith; nocase; http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853033/; classtype:trojan-activity;sid:84716133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates/windows%20update%20diagnostic%20task%20handler.exe"; depth:59; endswith; nocase; http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853034/; classtype:trojan-activity;sid:84716134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates/onedrive%20sync%20shell%20extension%20processor.exe"; depth:60; endswith; nocase;
http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853030/; classtype:trojan-activity;sid:84716130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates/microsoft%20windows%20pnp%20device%20driver%20loader.exe"; depth:65; endswith; nocase; http.host; content:"194.32.248.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853029/; classtype:trojan-activity;sid:84716129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5a73b563a79eac7a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853028/; classtype:trojan-activity;sid:84716128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.2.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853027/; classtype:trojan-activity;sid:84716127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.111.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853026/; classtype:trojan-activity;sid:84716126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3853025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853025/; classtype:trojan-activity;sid:84716125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/035d5c0c-7925-4c67-a94c-b4cf6f154a86"; depth:37; endswith; nocase; http.host; content:"wdplqn.liltkereskedohaz.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853023/; classtype:trojan-activity;sid:84716123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853024/; classtype:trojan-activity;sid:84716124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853017/; classtype:trojan-activity;sid:84716117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3853018/; classtype:trojan-activity;sid:84716118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853019/; classtype:trojan-activity;sid:84716119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853020/; classtype:trojan-activity;sid:84716120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853021/; classtype:trojan-activity;sid:84716121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853022/; classtype:trojan-activity;sid:84716122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853016/; classtype:trojan-activity;sid:84716116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.142.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853015/; classtype:trojan-activity;sid:84716115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.115.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853014/; classtype:trojan-activity;sid:84716114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.2.184"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853013/; classtype:trojan-activity;sid:84716113; rev:1;)
# NOTE(review): in the next rule, |7c|26|7c| decodes to the four literal bytes "|26|", not to "&".
# If the real request separates ex=/is=/hm= with "&", this pattern cannot match it - check the
# URLhaus entry for the URL as reported. depth:187 is the escaped length of the pattern (166 bytes
# once decoded). The rule is also http-only: traffic to this host over TLS is seen only where the
# sensor inspects decrypted sessions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1508520980748963918/1508521305723633986/app.exe|3f|ex=6a15d772|7c|26|7c|is=6a1485f2|7c|26|7c|hm=6c5a2ab3071d258ff0cad131ed3e72bd5d7b09c028f28264a13244aaafc8c779|7c|26|7c|.exe"; depth:187; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853012/; classtype:trojan-activity;sid:84716112; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.35.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853011/; classtype:trojan-activity;sid:84716111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a3b77118f5c75b2f.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853010/; classtype:trojan-activity;sid:84716110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"45.90.98.190"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853009/; classtype:trojan-activity;sid:84716109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_705605a58f8a57e3.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853007/; classtype:trojan-activity;sid:84716107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8646776923b00c06.exe"; depth:48; endswith; nocase; 
http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853008/; classtype:trojan-activity;sid:84716108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.90.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853006/; classtype:trojan-activity;sid:84716106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.35.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853005/; classtype:trojan-activity;sid:84716105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.231.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853004/; classtype:trojan-activity;sid:84716104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.176.116.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853003/; classtype:trojan-activity;sid:84716103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853002)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.32.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853002/; classtype:trojan-activity;sid:84716102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e978c8c8-51cc-4180-87bb-ef4bdfeb467d"; depth:37; endswith; nocase; http.host; content:"onwqrw.lillafunfit.com"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853001/; classtype:trojan-activity;sid:84716101; rev:1;)
# NOTE(review): in the next rule |3f| is one byte ("?"), so the decoded pattern is 44 bytes while
# depth is 47 (the escaped length). endswith still pins the match to the end of the URI, but up
# to 3 bytes may precede the pattern, so this is slightly looser than an exact-URI match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3853000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=9932f62c-d99c-4937-9240-bec44385dec9"; depth:47; endswith; nocase; http.host; content:"uubbkkxd.network-vector.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3853000/; classtype:trojan-activity;sid:84716100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.0.56.168"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852999/; classtype:trojan-activity;sid:84716099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.201.226.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852998/;
classtype:trojan-activity;sid:84716098; rev:1;)
# Layout: one signature per line from here on. A Suricata rule may continue
# onto a new line only when the previous line ends in a backslash. The fragment
# above is the tail of a rule that starts before this span and is left as found.
#
# How to read these signatures (they all share one template):
#   - $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: the alert
#     fires on the outbound request, so the source address is the internal host
#     to triage. The response is not inspected; an alert shows that the URL was
#     requested, not that a payload was delivered.
#   - http.uri: depth equal to the pattern length, plus endswith, pins the whole
#     normalized URI to the listed value; nocase makes that case-insensitive.
#   - http.host: depth plus isdataat:!1,relative pins the whole host value. This
#     buffer is already lowercased with any port removed, hence no nocase here.
#   - alert http: only cleartext HTTP is covered. The same host reached over TLS
#     needs separate coverage (TLS SNI, DNS or proxy logs).
#   - sid equals the URLhaus id in msg/reference plus 80863100 in every rule
#     shown here, which lets an alert be pivoted back to the URLhaus entry.
#   - metadata:created_at carries the rule's creation date; use it to age
#     entries out, since IP-literal hosts in particular go stale.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.231.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852997/; classtype:trojan-activity;sid:84716097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76937bb4-d910-4cbe-9cfc-4a3d5e317cd4"; depth:37; endswith; nocase; http.host; content:"rpyrxh.lilbaukft.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852996/; classtype:trojan-activity;sid:84716096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"41.201.226.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852995/; classtype:trojan-activity;sid:84716095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.195.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852994/; classtype:trojan-activity;sid:84716094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.244.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852993/; classtype:trojan-activity;sid:84716093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.195.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852992/; classtype:trojan-activity;sid:84716092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cf7fa83-2425-4606-962f-652e27f47813"; depth:37; endswith; nocase; http.host; content:"qczybp.liftoff.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852991/; classtype:trojan-activity;sid:84716091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.205.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852990/; classtype:trojan-activity;sid:84716090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.106.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852989/; classtype:trojan-activity;sid:84716089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.148.241.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852988/; classtype:trojan-activity;sid:84716088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1dd56c0c-f3fa-4171-8362-9ad55f3688e1"; depth:37; endswith; nocase; http.host; content:"cftxqt.lifemax.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852987/; classtype:trojan-activity;sid:84716087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.196.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852986/; classtype:trojan-activity;sid:84716086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.246.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852985/; classtype:trojan-activity;sid:84716085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.81.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852984/; classtype:trojan-activity;sid:84716084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.106.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852983/; classtype:trojan-activity;sid:84716083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69a8f372-041c-43df-aa35-2ef4c1b1b83e"; depth:37; endswith; nocase; http.host; content:"qlhsnt.lifealigned.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852982/; classtype:trojan-activity;sid:84716082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852981/; classtype:trojan-activity;sid:84716081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.161.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852980/; classtype:trojan-activity;sid:84716080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.246.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852979/; classtype:trojan-activity;sid:84716079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"211.92.69.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852978/; classtype:trojan-activity;sid:84716078; rev:1;)
# NOTE(review): |3f| is the hex form of a single '?', so the URI pattern below
# is 44 bytes while depth:47 is the length of the escaped text. With endswith,
# up to three leading bytes are therefore tolerated before the match. Confirm
# whether depth:44 was intended (the same applies to sid 84716043 further down).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b83450a2-ab3f-49ca-835c-b3b30dc01161"; depth:47; endswith; nocase; http.host; content:"ci7uxmq7.proxy-harbor.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852977/; classtype:trojan-activity;sid:84716077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.59.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852976/; classtype:trojan-activity;sid:84716076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/645720a4-6bb9-4a90-99de-221967193d77"; depth:37; endswith; nocase; http.host; content:"udiqhj.levivilaga.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852975/; classtype:trojan-activity;sid:84716075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852974/; classtype:trojan-activity;sid:84716074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.223.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852973/; classtype:trojan-activity;sid:84716073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.223.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852972/; classtype:trojan-activity;sid:84716072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.114.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852971/; classtype:trojan-activity;sid:84716071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e5a290be-d7a8-4427-8bfb-553a262c7703"; depth:37; endswith; nocase; http.host; content:"oleavv.levelupadventure.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852970/; classtype:trojan-activity;sid:84716070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.161.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852969/; classtype:trojan-activity;sid:84716069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.127.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852968/; classtype:trojan-activity;sid:84716068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_70b5a185b98405c6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852965/; classtype:trojan-activity;sid:84716065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_53bcb69c7af4ffe6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852966/; classtype:trojan-activity;sid:84716066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/o2lyucp.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852967/; classtype:trojan-activity;sid:84716067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/88922f9f-937a-4fd4-aeb2-4e74bc9945d1"; depth:37; endswith; nocase; http.host; content:"rtixcz.lestyanesfiai.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852964/; classtype:trojan-activity;sid:84716064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.114.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852963/; classtype:trojan-activity;sid:84716063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.102.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852962/; classtype:trojan-activity;sid:84716062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.57.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852961/; classtype:trojan-activity;sid:84716061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/nope3.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852960/; classtype:trojan-activity;sid:84716060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.42.239"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852959/; classtype:trojan-activity;sid:84716059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/52e12495-eead-4dcf-93d8-2f7496f9bac2"; depth:37; endswith; nocase; http.host; content:"kjvbjr.krokodilpince.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852958/; classtype:trojan-activity;sid:84716058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852957/; classtype:trojan-activity;sid:84716057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.231.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852956/; classtype:trojan-activity;sid:84716056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.115.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852955/; classtype:trojan-activity;sid:84716055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.240.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852953/; classtype:trojan-activity;sid:84716053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.196.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852954/; classtype:trojan-activity;sid:84716054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.32.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852952/; classtype:trojan-activity;sid:84716052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.240.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852951/; classtype:trojan-activity;sid:84716051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/nope2.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852950/; classtype:trojan-activity;sid:84716050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e2b195f0-64fd-454f-a0fe-f15199b0eda1"; depth:37; endswith; nocase; http.host; content:"sagdxf.krokodilpince.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852949/; classtype:trojan-activity;sid:84716049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.42.239"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852948/; classtype:trojan-activity;sid:84716048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.101.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852947/; classtype:trojan-activity;sid:84716047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.101.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852946/; classtype:trojan-activity;sid:84716046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.194.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852945/; classtype:trojan-activity;sid:84716045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.115.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852944/; classtype:trojan-activity;sid:84716044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=e64154cd-cfd3-4959-9cce-77c56fbc03e3"; depth:47; endswith; nocase; http.host; content:"mp696mc8.script-nexus.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852943/; classtype:trojan-activity;sid:84716043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.32.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852942/; classtype:trojan-activity;sid:84716042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.140.161.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852941/; classtype:trojan-activity;sid:84716041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.238.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852940/; classtype:trojan-activity;sid:84716040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/092da2ad-e6e0-4bf7-9ec2-41557f120dbd"; depth:37; endswith; nocase; http.host; content:"rxpvcd.ksfogaszat.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852939/; classtype:trojan-activity;sid:84716039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.242.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852938/; classtype:trojan-activity;sid:84716038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.242.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852937/; classtype:trojan-activity;sid:84716037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.222.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852936/; classtype:trojan-activity;sid:84716036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.94.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852935/; classtype:trojan-activity;sid:84716035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.39.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852934/; classtype:trojan-activity;sid:84716034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852933/; classtype:trojan-activity;sid:84716033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e6e4c43a-4f02-4079-be26-ecf4f46d68e2"; depth:37; endswith; nocase; http.host; content:"nspbcu.krokodilpince.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852932/; classtype:trojan-activity;sid:84716032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.118.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852931/; classtype:trojan-activity;sid:84716031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm"; depth:8; endswith; nocase; http.host; content:"23.132.164.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852930/; classtype:trojan-activity;sid:84716030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8424601462/5trjuma.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852927/; classtype:trojan-activity;sid:84716027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_835c7eea52e14763.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852928/; classtype:trojan-activity;sid:84716028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_82fcb5ac5135a53d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852929/; classtype:trojan-activity;sid:84716029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_41cc5cfe1c109d77.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852926/; classtype:trojan-activity;sid:84716026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.148.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852925/; classtype:trojan-activity;sid:84716025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.94.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852924/; classtype:trojan-activity;sid:84716024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.148.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852923/; classtype:trojan-activity;sid:84716023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852922/; classtype:trojan-activity;sid:84716022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852921/; classtype:trojan-activity;sid:84716021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.118.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852920/; classtype:trojan-activity;sid:84716020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bf99157e-2fd0-4857-b585-267760c69b81"; depth:37; endswith; nocase; http.host; content:"bxjmrg.krisztinavarga.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852919/; classtype:trojan-activity;sid:84716019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.124.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852918/; classtype:trojan-activity;sid:84716018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.243.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852917/; classtype:trojan-activity;sid:84716017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.136.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852916/; classtype:trojan-activity;sid:84716016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.194.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852915/; classtype:trojan-activity;sid:84716015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/501e4833-ff9d-499c-88aa-ca08c2374255"; depth:37; endswith; nocase; http.host; content:"fdgxxt.kpmarketing.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852914/; classtype:trojan-activity;sid:84716014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.224.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852913/; classtype:trojan-activity;sid:84716013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.157.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852912/; classtype:trojan-activity;sid:84716012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.124.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852911/; classtype:trojan-activity;sid:84716011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.194.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852910/; classtype:trojan-activity;sid:84716010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.228.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852909/; classtype:trojan-activity;sid:84716009; rev:1;)
# URLhaus download-URL signatures, restored to one rule per line (Suricata expects a rule on a single
# line unless it is continued with a backslash).
# Shape shared by every rule below: an established, client-to-server HTTP GET whose URI (http.uri,
# case-insensitive via nocase) and Host (http.host) both equal the listed values. depth:N + endswith on
# the URI content and depth:N + isdataat:!1,relative on the Host content, with N equal to the pattern
# length, leave no room before or after the pattern.
# Triage: the number in msg and in reference:url is the URLhaus entry id. metadata:created_at is the
# only date the rule carries and there is no expiry field, so check the entry's current status
# before treating a hit as a live infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.228.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852908/; classtype:trojan-activity;sid:84716008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.255.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852907/; classtype:trojan-activity;sid:84716007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3dc98d01-2b5e-49ab-8f8f-d1a8e97d1c28"; depth:37; endswith; nocase; http.host; content:"ecjimr.kovacsago.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852906/; classtype:trojan-activity;sid:84716006; rev:1;)
# NOTE(review): |3f| is the hex escape for "?", so the decoded URI pattern in the next rule is 44 bytes,
# while depth is 47 (the length of the escaped spelling). endswith still pins the end of the URI, but as
# the keywords read, up to three leading bytes are tolerated; depth:44 would make the match exact.
# The rule is feed-generated, so raise it with the feed maintainer rather than patching the local copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7da5e9bb-a866-4b94-ba26-db96d4088bd3"; depth:47; endswith; nocase; http.host; content:"5ib6hoc4.stack-orbit.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852905/; classtype:trojan-activity;sid:84716005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.224.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852904/; classtype:trojan-activity;sid:84716004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.11.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852903/; classtype:trojan-activity;sid:84716003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/315f9ccb-ddf9-4e6b-b1d6-3f6ceae04e7d"; depth:37; endswith; nocase; http.host; content:"znbsrq.kovacsago.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852902/; classtype:trojan-activity;sid:84716002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.175.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852901/; classtype:trojan-activity;sid:84716001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.179.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852900/; classtype:trojan-activity;sid:84716000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.217.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852899/; classtype:trojan-activity;sid:84715999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.0.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852898/; classtype:trojan-activity;sid:84715998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.179.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852896/; classtype:trojan-activity;sid:84715996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.10.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852897/; classtype:trojan-activity;sid:84715997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.11.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852895/; classtype:trojan-activity;sid:84715995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cb534e5-f8e8-47da-9764-215426ff636e"; depth:37; endswith; nocase; http.host; content:"ycmztd.kokeny.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852894/; classtype:trojan-activity;sid:84715994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.175.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852893/; classtype:trojan-activity;sid:84715993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.190.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852892/; classtype:trojan-activity;sid:84715992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.133.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852891/; classtype:trojan-activity;sid:84715991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.79.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url,
urlhaus.abuse.ch/url/3852890/; classtype:trojan-activity;sid:84715990; rev:1;)
# The line above closes a rule opened on the previous line of the file; the last line of this run
# likewise opens a rule that is finished on the next line. Both are left as found.
# Every rule here matches an outbound HTTP GET by exact URI (http.uri, nocase) and exact Host (http.host).
# Several hosts occur in more than one rule with different paths (for example 115.48.25.160 and
# 115.63.242.171 each have a "/i" and a "/bin.sh" rule), so group alerts by client and Host when triaging.
# "alert http" only sees requests the sensor can parse as HTTP; the same URL fetched over TLS is not
# covered by these rules unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.68.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852889/; classtype:trojan-activity;sid:84715989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.230.141.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852888/; classtype:trojan-activity;sid:84715988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.52.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852887/; classtype:trojan-activity;sid:84715987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a905f791-c469-460d-8390-41fcad1df71c"; depth:37; endswith; nocase; http.host; content:"glsvuu.knminerals.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852886/; classtype:trojan-activity;sid:84715986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.25.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852885/; classtype:trojan-activity;sid:84715985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.25.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852884/; classtype:trojan-activity;sid:84715984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.242.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852883/; classtype:trojan-activity;sid:84715983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.116.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852882/; classtype:trojan-activity;sid:84715982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.190.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852881/; classtype:trojan-activity;sid:84715981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.68.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852880/; classtype:trojan-activity;sid:84715980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.133.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852879/; classtype:trojan-activity;sid:84715979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.38.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852878/; classtype:trojan-activity;sid:84715978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.10.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852877/; classtype:trojan-activity;sid:84715977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b36d5a3e-9bf6-4711-8aab-9c7928f78a9b"; depth:37; endswith; nocase; http.host; content:"htfnjw.jatekotmindenkinek.hu"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852876/; classtype:trojan-activity;sid:84715976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.242.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852875/; classtype:trojan-activity;sid:84715975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.230.141.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852874/; classtype:trojan-activity;sid:84715974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.116.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852873/; classtype:trojan-activity;sid:84715973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.38.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852872/; classtype:trojan-activity;sid:84715972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attack_bot"; depth:11; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url,
urlhaus.abuse.ch/url/3852871/; classtype:trojan-activity;sid:84715971; rev:1;)
# The line above closes a rule opened on the previous line of the file; the last line of this run
# opens a rule that is finished on the next line. Both are left as found.
# Each rule below matches an outbound HTTP GET by exact URI (http.uri, nocase) and exact Host (http.host).
# Many of them differ only in the file-name suffix (mipsel, aarch64, x86_64, powerpc, mips, armv7, x86,
# arm7) under the same Host, and the "/nig.*" paths are listed once under an IP address and once under
# a domain name. A hit on one of them is a reason to search the same client's HTTP logs for the
# sibling paths and for the other Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluefix.mipsel"; depth:15; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852866/; classtype:trojan-activity;sid:84715966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluefix.aarch64"; depth:16; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852867/; classtype:trojan-activity;sid:84715967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluefix.x86_64"; depth:15; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852868/; classtype:trojan-activity;sid:84715968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluefix.powerpc"; depth:16; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852869/; classtype:trojan-activity;sid:84715969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluefix.mips"; depth:13; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852870/; classtype:trojan-activity;sid:84715970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluefix.armv7"; depth:14; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852865/; classtype:trojan-activity;sid:84715965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852864/; classtype:trojan-activity;sid:84715964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bluefix.x86"; depth:12; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852863/; classtype:trojan-activity;sid:84715963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.x86"; depth:8; endswith; nocase; http.host; content:"blacknigger.boo"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852862/; classtype:trojan-activity;sid:84715962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.208.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852861/; classtype:trojan-activity;sid:84715961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.powerpc"; depth:12; endswith; nocase; http.host; content:"176.65.139.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852860/; classtype:trojan-activity;sid:84715960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852859/; classtype:trojan-activity;sid:84715959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.mips"; depth:9; endswith; nocase; http.host; content:"blacknigger.boo"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852858/; classtype:trojan-activity;sid:84715958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.powerpc"; depth:12; endswith; nocase; http.host; content:"blacknigger.boo"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852857/; classtype:trojan-activity;sid:84715957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.arm7"; depth:9; endswith; nocase; http.host; content:"blacknigger.boo"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852856/; classtype:trojan-activity;sid:84715956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nig.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852855/; classtype:trojan-activity;sid:84715955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71c43e3d-f08f-45d2-9fde-8275b46fb111"; depth:37; endswith; nocase; http.host; content:"kferlw.itsmarthungary.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852854/; classtype:trojan-activity;sid:84715954; rev:1;)
# NOTE(review): |3f| is the hex escape for "?", so the decoded URI pattern in the next rule is 44 bytes,
# while depth is 47 (the length of the escaped spelling). endswith still pins the end of the URI, but as
# the keywords read, up to three leading bytes are tolerated; depth:44 would make the match exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=df9d8407-fcac-4730-b0d5-e6030d7d4754"; depth:47; endswith; nocase; http.host; content:"3k3qw9fd.system-forge.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852853/; classtype:trojan-activity;sid:84715953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase;
http.host; content:"125.41.222.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852852/; classtype:trojan-activity;sid:84715952; rev:1;)
# The line above closes a rule opened on the previous line of the file; the last line of this run
# opens a rule that is finished on the next line. Both are left as found.
# Each rule below matches an outbound HTTP GET by URI (http.uri, nocase) and exact Host (http.host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/file/echovoicemod-installer-wizard-1.4.2.exe"; depth:49; endswith; nocase; http.host; content:"wss.a.pinggy.link"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852851/; classtype:trojan-activity;sid:84715951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rawww.exe"; depth:10; endswith; nocase; http.host; content:"kevtel.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852849/; classtype:trojan-activity;sid:84715949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/echovoicemod.zip"; depth:17; endswith; nocase; http.host; content:"echovoicemod.fun"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852850/; classtype:trojan-activity;sid:84715950; rev:1;)
# The next two rules name raw.githubusercontent.com, a shared content host that is normally reached
# over HTTPS; only the repository path identifies the file. "alert http" inspects requests the sensor
# can parse as HTTP, so expect these to fire only where that traffic is visible in cleartext (for
# example behind TLS inspection). Do not read the absence of alerts as absence of downloads.
# NOTE(review): http.uri is the normalized URI buffer. If normalization percent-decodes the path, the
# literal "%20" in the first rule never appears in the buffer and the rule cannot match - confirm
# against a test capture; http.uri.raw, or the space written as |20| with depth adjusted, would avoid this.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itachiccnts-collab/donuthacks/main/gamble-rig%201.21.jar"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852846/; classtype:trojan-activity;sid:84715946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jedibubub1/jedibubub/refs/heads/main/wizzyaddon1.21.11.jar"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852847/; classtype:trojan-activity;sid:84715947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/4esuv5e.txt"; depth:25; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852848/; classtype:trojan-activity;sid:84715948; rev:1;)
# NOTE(review): in the next two rules |3f| is the hex escape for "?", so the decoded URI patterns are
# 33 and 34 bytes while depth is 36 and 37 (the lengths of the escaped spellings). endswith still pins
# the end of the URI, but as the keywords read, up to three leading bytes are tolerated; depth equal
# to the decoded length would make the match exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/160066.jpg|3f|12711313"; depth:36; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852845/; classtype:trojan-activity;sid:84715945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/160066.jpg|3f|12711313p"; depth:37; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852844/; classtype:trojan-activity;sid:84715944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.208.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852843/; classtype:trojan-activity;sid:84715943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852842/; classtype:trojan-activity;sid:84715942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaef0ccd-c3f4-4a61-a622-5e9b25eddf07"; depth:37; endswith; nocase; http.host; content:"vdbkti.ispilates.hu"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852841/; classtype:trojan-activity;sid:84715941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.160.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852840/; classtype:trojan-activity;sid:84715940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.160.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852839/; classtype:trojan-activity;sid:84715939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware
download URL detected (3852838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.54.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852838/; classtype:trojan-activity;sid:84715938; rev:1;)
# The line above closes a rule opened on the previous line of the file; the last line of this run
# opens a rule whose remainder lies past the end of this excerpt. Both are left as found.
# Each rule below matches an outbound HTTP GET by exact URI (http.uri, nocase) and exact Host (http.host).
# Direction is $HOME_NET -> $EXTERNAL_NET, so coverage depends on those variables being set correctly
# on the sensor: a client outside $HOME_NET, or a listed host inside it, is not matched.
# In every rule visible here the sid equals the URLhaus id in msg plus 80863100, which lets an alert
# be mapped back to its reference:url entry from the sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.141.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852837/; classtype:trojan-activity;sid:84715937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.119.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852836/; classtype:trojan-activity;sid:84715936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.111.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852835/; classtype:trojan-activity;sid:84715935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.218.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852834/; classtype:trojan-activity;sid:84715934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852833/; classtype:trojan-activity;sid:84715933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.218.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852832/; classtype:trojan-activity;sid:84715932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.205.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852831/; classtype:trojan-activity;sid:84715931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c0142e9b-2623-479c-8847-cca4924bef51"; depth:37; endswith; nocase; http.host; content:"fgyfhb.iparivillanyszerelo.hu"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852830/; classtype:trojan-activity;sid:84715930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.59.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852829/; classtype:trojan-activity;sid:84715929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.54.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852828/; classtype:trojan-activity;sid:84715928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.247.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852827/; classtype:trojan-activity;sid:84715927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.87.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852826/; classtype:trojan-activity;sid:84715926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.235.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852825/; classtype:trojan-activity;sid:84715925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.58.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852824/; classtype:trojan-activity;sid:84715924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852823/; classtype:trojan-activity;sid:84715923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.111.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852822/; classtype:trojan-activity;sid:84715922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.226.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852820/; classtype:trojan-activity;sid:84715920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.71.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852821/; classtype:trojan-activity;sid:84715921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852819)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3b6e258854bc5270.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852819/; classtype:trojan-activity;sid:84715919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3d1e4324-b6ee-4535-a6c0-4ba8aaa4d38b"; depth:37; endswith; nocase; http.host; content:"gqsgdt.interimpro.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852818/; classtype:trojan-activity;sid:84715918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.58.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852817/; classtype:trojan-activity;sid:84715917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.226.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852816/; classtype:trojan-activity;sid:84715916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.63.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852815/; 
classtype:trojan-activity;sid:84715915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.63.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852814/; classtype:trojan-activity;sid:84715914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/606ef002-8429-44a6-8aee-f478ba1027b4"; depth:37; endswith; nocase; http.host; content:"rosrcf.inoxsystem.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852813/; classtype:trojan-activity;sid:84715913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.247.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852812/; classtype:trojan-activity;sid:84715912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nm.js"; depth:6; endswith; nocase; http.host; content:"toptionlab.co.za"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852811/; classtype:trojan-activity;sid:84715911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nm.js"; depth:6; endswith; nocase; http.host; 
content:"toptionlab.co.za"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852810/; classtype:trojan-activity;sid:84715910; rev:1;)
# Rule shape used throughout this feed: an outbound GET from $HOME_NET whose
# http.uri pattern is pinned with depth + endswith (nocase) and whose http.host
# pattern is pinned with depth + isdataat:!1,relative, so each rule targets one
# host/URI pair taken from the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wipi"; depth:5; endswith; nocase; http.host; content:"203.145.34.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852808/; classtype:trojan-activity;sid:84715909; rev:1;)
# NOTE(review): in the next rule depth:47 equals the length of the pattern text
# as written, but |3f| decodes to a single byte ('?'), so the decoded pattern is
# 44 bytes. With endswith the URI may therefore carry up to three bytes before
# the pattern and still match; the anchor is looser than in the rules where
# depth equals the pattern length. Same shape in sid:84715865. The depth value
# looks computed from the escaped text - TODO confirm with the feed generator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=213bbe95-e609-4ec2-9534-c8fb76842fad"; depth:47; endswith; nocase; http.host; content:"vzjahpug.telemetry-sphere.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852808/; classtype:trojan-activity;sid:84715908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/62dae79e-0693-4df3-9fec-ff4c8aefef69"; depth:37; endswith; nocase; http.host; content:"blaold.indebud.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852807/; classtype:trojan-activity;sid:84715907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.240.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852806/; classtype:trojan-activity;sid:84715906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3852805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.4.97"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852805/; classtype:trojan-activity;sid:84715905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852804/; classtype:trojan-activity;sid:84715904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.76.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852803/; classtype:trojan-activity;sid:84715903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.76.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852802/; classtype:trojan-activity;sid:84715902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15b5f96b-6db2-415e-825a-f98dd945a571"; depth:37; endswith; nocase; http.host; content:"kzaftq.hyflowtp.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3852801/; classtype:trojan-activity;sid:84715901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852800/; classtype:trojan-activity;sid:84715900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c1efa92-bd04-4855-929f-e3065e0763f0"; depth:37; endswith; nocase; http.host; content:"xredgj.holisztikuscsontkovacs.hu"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852799/; classtype:trojan-activity;sid:84715899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.4.97"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852798/; classtype:trojan-activity;sid:84715898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.90.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852797/; classtype:trojan-activity;sid:84715897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"115.55.240.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852796/; classtype:trojan-activity;sid:84715896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.147.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852795/; classtype:trojan-activity;sid:84715895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0853bebb-e0f8-49fe-b456-4a5c7c27ff47"; depth:37; endswith; nocase; http.host; content:"torrrj.highlife-global.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852794/; classtype:trojan-activity;sid:84715894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.170.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852793/; classtype:trojan-activity;sid:84715893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8761886"; depth:8; endswith; nocase; http.host; content:"zealpraxis.com"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852792/; classtype:trojan-activity;sid:84715892; rev:1;)
# NOTE(review), sid:84715891 below:
#  - |7c|26|7c| decodes to the four literal bytes "|26|", not to "&" (0x26).
#    This looks like the query-string separators were hex-escaped twice when the
#    rule was generated; if the listed URL uses "&", the pattern cannot match
#    the request as it appears on the wire. TODO confirm against the URLhaus
#    entry referenced in the rule.
#  - depth:185 is the length of the escaped pattern text; the decoded pattern
#    is 164 bytes, so depth no longer pins the pattern to offset 0.
#  - The ex=/is=/hm= values are matched literally together with endswith, so
#    the same attachment path requested with different query values is not
#    covered by this rule.
#  - The host is a shared content-delivery name; an `alert http` rule only
#    inspects requests the sensor sees as cleartext HTTP. Presumably this needs
#    TLS inspection upstream to have any coverage - verify for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1468318468066640095/1508156566145073306/porno.exe|3f|ex=6a1483c1|7c|26|7c|is=6a133241|7c|26|7c|hm=2404f64778201a5dbd5a5c88603594bbed4f5b5768daf7fe4cc3073b2545f81a|7c|26|7c|"; depth:185; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852791/; classtype:trojan-activity;sid:84715891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_96624d70aef25b2e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852789/; classtype:trojan-activity;sid:84715889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_aa3f5de9b1a43312.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852790/; classtype:trojan-activity;sid:84715890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.90.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852788/; classtype:trojan-activity;sid:84715888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852777)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/sora.mips64"; depth:17; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852777/; classtype:trojan-activity;sid:84715877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852778/; classtype:trojan-activity;sid:84715878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852779/; classtype:trojan-activity;sid:84715879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852780/; classtype:trojan-activity;sid:84715880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3852781/; classtype:trojan-activity;sid:84715881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852782/; classtype:trojan-activity;sid:84715882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852783/; classtype:trojan-activity;sid:84715883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852784/; classtype:trojan-activity;sid:84715884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sparc"; depth:16; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852785/; classtype:trojan-activity;sid:84715885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852786)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852786/; classtype:trojan-activity;sid:84715886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arc"; depth:14; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852787/; classtype:trojan-activity;sid:84715887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86_64"; depth:17; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852775/; classtype:trojan-activity;sid:84715875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852776/; classtype:trojan-activity;sid:84715876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852769/; 
classtype:trojan-activity;sid:84715869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852770/; classtype:trojan-activity;sid:84715870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852771/; classtype:trojan-activity;sid:84715871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852772/; classtype:trojan-activity;sid:84715872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852773/; classtype:trojan-activity;sid:84715873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852774)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/sora.i686"; depth:15; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852774/; classtype:trojan-activity;sid:84715874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef674302-a378-48a1-86cc-53eef0a9ee02"; depth:37; endswith; nocase; http.host; content:"fiwmth.gyorsanhaz.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852768/; classtype:trojan-activity;sid:84715868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852767/; classtype:trojan-activity;sid:84715867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.88.136.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852766/; classtype:trojan-activity;sid:84715866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=4cee0a40-a9d9-4721-a7c2-1280ba039213"; depth:47; endswith; nocase; http.host; content:"n9bv1oq5.proxy-orbit.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852765/; classtype:trojan-activity;sid:84715865; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.235.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852764/; classtype:trojan-activity;sid:84715864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.118.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852763/; classtype:trojan-activity;sid:84715863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.147.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852762/; classtype:trojan-activity;sid:84715862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.197.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852761/; classtype:trojan-activity;sid:84715861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 
urlhaus.abuse.ch/url/3852760/; classtype:trojan-activity;sid:84715860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.196.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852759/; classtype:trojan-activity;sid:84715859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.118.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852758/; classtype:trojan-activity;sid:84715858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.196.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852757/; classtype:trojan-activity;sid:84715857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.38.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852756/; classtype:trojan-activity;sid:84715856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.81.216"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852755/; classtype:trojan-activity;sid:84715855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.188.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852754/; classtype:trojan-activity;sid:84715854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3462366e-e406-49fb-9145-91cdf8de7fdb"; depth:37; endswith; nocase; http.host; content:"foqovv.h13lakopark.hu"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852753/; classtype:trojan-activity;sid:84715853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.197.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852752/; classtype:trojan-activity;sid:84715852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.5.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852751/; classtype:trojan-activity;sid:84715851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852750)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.246.215"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852750/; classtype:trojan-activity;sid:84715850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.228.109.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852749/; classtype:trojan-activity;sid:84715849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.38.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852748/; classtype:trojan-activity;sid:84715848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.81.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852747/; classtype:trojan-activity;sid:84715847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.188.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852746/; classtype:trojan-activity;sid:84715846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3852745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/91845145-d4ac-4c50-97d3-7d5c6bc05b71"; depth:37; endswith; nocase; http.host; content:"rqwanh.gyulaicsevego.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852745/; classtype:trojan-activity;sid:84715845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.236.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852744/; classtype:trojan-activity;sid:84715844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.228.109.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852743/; classtype:trojan-activity;sid:84715843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.225.47.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852742/; classtype:trojan-activity;sid:84715842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.149.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852741/; 
classtype:trojan-activity;sid:84715841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.87.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852740/; classtype:trojan-activity;sid:84715840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.112.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852739/; classtype:trojan-activity;sid:84715839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.242.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852738/; classtype:trojan-activity;sid:84715838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e8a29f93-5679-43bb-9737-c4c343ac9d93"; depth:37; endswith; nocase; http.host; content:"ykdeqf.gyorsotthont.hu"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852737/; classtype:trojan-activity;sid:84715837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.103.121.32"; 
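depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852736/; classtype:trojan-activity;sid:84715836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.127.232.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852735/; classtype:trojan-activity;sid:84715835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.107.5.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852734/; classtype:trojan-activity;sid:84715834; rev:1;)
# NOTE(review): http.uri depth changed from 47 to 44 on the next rule. "|3f|" is the
# single byte "?", so the pattern is 44 bytes long. With depth:47 plus endswith the
# rule also matched URIs carrying up to three extra leading bytes, whereas the other
# rules in this feed set depth equal to the pattern length (exact-URI match). The 47
# presumably comes from counting "|3f|" as four characters; confirm with the feed
# maintainer. sid and rev are left as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b08e6a64-9f22-4c71-aff4-3b1c9ae173c5"; depth:44; endswith; nocase; http.host; content:"rlaa5uje.stack-frontier.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852733/; classtype:trojan-activity;sid:84715833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.86.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852732/; classtype:trojan-activity;sid:84715832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852731)"; 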
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cc189718-3675-45ca-b958-6c56ef9f5e90"; depth:37; endswith; nocase; http.host; content:"usoiuv.gyorsanhaz.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852731/; classtype:trojan-activity;sid:84715831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.36.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852730/; classtype:trojan-activity;sid:84715830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.242.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852729/; classtype:trojan-activity;sid:84715829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.112.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852728/; classtype:trojan-activity;sid:84715828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.79.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852727/; 
classtype:trojan-activity;sid:84715827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b66483a6-eb83-44e4-8792-eff102fc5298"; depth:37; endswith; nocase; http.host; content:"vgkjld.gulyaskriszti.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852726/; classtype:trojan-activity;sid:84715826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.106.241.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852725/; classtype:trojan-activity;sid:84715825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.237.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852724/; classtype:trojan-activity;sid:84715824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.112.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852723/; classtype:trojan-activity;sid:84715823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f3af0943-0fa7-4322-9573-7f6d6c8824c6"; depth:37; endswith; nocase; 
http.host; content:"fayzcm.greenwaysolar.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852722/; classtype:trojan-activity;sid:84715822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.55.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852720/; classtype:trojan-activity;sid:84715820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.201.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852721/; classtype:trojan-activity;sid:84715821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.106.241.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852719/; classtype:trojan-activity;sid:84715819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76b0e6f1-6675-4f67-8d58-60e0db0cabbf"; depth:37; endswith; nocase; http.host; content:"hatvtf.globalcontact.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852718/; classtype:trojan-activity;sid:84715818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3852707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.mpsl"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852707/; classtype:trojan-activity;sid:84715807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm5"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852708/; classtype:trojan-activity;sid:84715808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.m68k"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852709/; classtype:trojan-activity;sid:84715809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.spc"; depth:12; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852710/; classtype:trojan-activity;sid:84715810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.sh4"; depth:12; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852711/; 
classtype:trojan-activity;sid:84715811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.ppc"; depth:12; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852712/; classtype:trojan-activity;sid:84715812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arc"; depth:12; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852713/; classtype:trojan-activity;sid:84715813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.aarch64"; depth:16; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852714/; classtype:trojan-activity;sid:84715814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.x86_64"; depth:15; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852715/; classtype:trojan-activity;sid:84715815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.x86"; depth:12; endswith; nocase; http.host; 
content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852716/; classtype:trojan-activity;sid:84715816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.i686"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852717/; classtype:trojan-activity;sid:84715817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm6"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852704/; classtype:trojan-activity;sid:84715804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm4"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852705/; classtype:trojan-activity;sid:84715805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.mips"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852706/; classtype:trojan-activity;sid:84715806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852703)"; 
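flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852703/; classtype:trojan-activity;sid:84715803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6264891c-a891-416b-baed-d70b678223fe"; depth:37; endswith; nocase; http.host; content:"gcrexj.glfree.hu"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852702/; classtype:trojan-activity;sid:84715802; rev:1;)
# NOTE(review): http.uri depth changed from 47 to 44 on the next rule. "|3f|" is the
# single byte "?", so the pattern is 44 bytes long. With depth:47 plus endswith the
# rule also matched URIs carrying up to three extra leading bytes, whereas the other
# rules in this feed set depth equal to the pattern length (exact-URI match). The 47
# presumably comes from counting "|3f|" as four characters; confirm with the feed
# maintainer. sid and rev are left as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=8eacdf4c-7761-4d63-8c76-5f3336392399"; depth:44; endswith; nocase; http.host; content:"bzngye4l.proxy-orbit.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852701/; classtype:trojan-activity;sid:84715801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.242.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852700/; classtype:trojan-activity;sid:84715800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.81.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, 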
urlhaus.abuse.ch/url/3852699/; classtype:trojan-activity;sid:84715799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852698/; classtype:trojan-activity;sid:84715798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e4b6a640-32d1-4574-b94e-47564431cbb2"; depth:37; endswith; nocase; http.host; content:"uekdrl.gesol.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852697/; classtype:trojan-activity;sid:84715797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.68.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852696/; classtype:trojan-activity;sid:84715796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklarm7"; depth:8; endswith; nocase; http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852694/; classtype:trojan-activity;sid:84715794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jklarm"; depth:7; endswith; nocase; 
http.host; content:"176.65.139.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852695/; classtype:trojan-activity;sid:84715795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.233.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852693/; classtype:trojan-activity;sid:84715793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.112.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852692/; classtype:trojan-activity;sid:84715792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852691/; classtype:trojan-activity;sid:84715791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.68.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852690/; classtype:trojan-activity;sid:84715790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852689)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.62.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852689/; classtype:trojan-activity;sid:84715789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.97.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852688/; classtype:trojan-activity;sid:84715788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5f2d7851-ece8-4664-a3fc-6bb9268a3f48"; depth:37; endswith; nocase; http.host; content:"sneodo.gerecseglamping.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852687/; classtype:trojan-activity;sid:84715787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.47.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852686/; classtype:trojan-activity;sid:84715786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arm"; depth:8; endswith; nocase; http.host; content:"176.100.36.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852685/; classtype:trojan-activity;sid:84715785; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.97.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852684/; classtype:trojan-activity;sid:84715784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.164.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852683/; classtype:trojan-activity;sid:84715783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.164.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852682/; classtype:trojan-activity;sid:84715782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.62.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852681/; classtype:trojan-activity;sid:84715781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36af5d35-8a0a-4fa5-a468-e79d1758e6a3"; depth:37; endswith; nocase; http.host; content:"qcjqcd.geokalk.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_25; 
reference:url, urlhaus.abuse.ch/url/3852680/; classtype:trojan-activity;sid:84715780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.47.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852679/; classtype:trojan-activity;sid:84715779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_85e88c7ae15946b2.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852678/; classtype:trojan-activity;sid:84715778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/41f6b5f6-1409-4e72-bb56-b1e8b20004dd"; depth:37; endswith; nocase; http.host; content:"rapiny.gamesystem.hu"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852677/; classtype:trojan-activity;sid:84715777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.152.102.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852676/; classtype:trojan-activity;sid:84715776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852675)"; flow:established,from_client; http.method; content:"GET"; 
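http.uri; content:"/nuclear.arm"; depth:12; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852675/; classtype:trojan-activity;sid:84715775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.139.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852674/; classtype:trojan-activity;sid:84715774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclear.arm7"; depth:13; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852673/; classtype:trojan-activity;sid:84715773; rev:1;)
# NOTE(review): http.uri depth changed from 47 to 44 on the next rule. "|3f|" is the
# single byte "?", so the pattern is 44 bytes long. With depth:47 plus endswith the
# rule also matched URIs carrying up to three extra leading bytes, whereas the other
# rules in this feed set depth equal to the pattern length (exact-URI match). The 47
# presumably comes from counting "|3f|" as four characters; confirm with the feed
# maintainer. sid and rev are left as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bc2b0bc7-3bae-4b2c-81d8-7502c54e6974"; depth:44; endswith; nocase; http.host; content:"m8fpbfz3.container-bridge.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852672/; classtype:trojan-activity;sid:84715772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.222.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852671/; classtype:trojan-activity;sid:84715771; rev:1;)
alert http 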
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/38c76721-58d1-4d51-bf1a-4b72d51153fa"; depth:37; endswith; nocase; http.host; content:"bysjry.fusionize.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852670/; classtype:trojan-activity;sid:84715770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.98.142.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852669/; classtype:trojan-activity;sid:84715769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.83.13.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852668/; classtype:trojan-activity;sid:84715768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.195.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_25; reference:url, urlhaus.abuse.ch/url/3852667/; classtype:trojan-activity;sid:84715767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.222.15"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_25; reference:url, urlhaus.abuse.ch/url/3852666/; classtype:trojan-activity;sid:84715766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7c384dc5-3f03-45ff-a6b3-33d9cdabffe2"; depth:37; endswith; nocase; http.host; content:"kimfeg.fusionizemanagement.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852665/; classtype:trojan-activity;sid:84715765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.212.57.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852664/; classtype:trojan-activity;sid:84715764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.187.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852663/; classtype:trojan-activity;sid:84715763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.74.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852662/; classtype:trojan-activity;sid:84715762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"170.83.13.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852661/; classtype:trojan-activity;sid:84715761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.195.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852660/; classtype:trojan-activity;sid:84715760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.55.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852659/; classtype:trojan-activity;sid:84715759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4afef2dd-f74b-4814-9cb1-a55b16831552"; depth:37; endswith; nocase; http.host; content:"jgkvlq.fulop-vargafanni.hu"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852658/; classtype:trojan-activity;sid:84715758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852657/; classtype:trojan-activity;sid:84715757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3852656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.224.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852656/; classtype:trojan-activity;sid:84715756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.242.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852655/; classtype:trojan-activity;sid:84715755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.155.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852654/; classtype:trojan-activity;sid:84715754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.255.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852653/; classtype:trojan-activity;sid:84715753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b9fc31b1-4e34-4141-83f0-d0b44a3d678a"; depth:37; endswith; nocase; http.host; content:"dbvxnw.fullnrg.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852652/; 
classtype:trojan-activity;sid:84715752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.182.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852651/; classtype:trojan-activity;sid:84715751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.206.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852650/; classtype:trojan-activity;sid:84715750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852649/; classtype:trojan-activity;sid:84715749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.224.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852648/; classtype:trojan-activity;sid:84715748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.8.145"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852647/; classtype:trojan-activity;sid:84715747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.63.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852646/; classtype:trojan-activity;sid:84715746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.127.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852645/; classtype:trojan-activity;sid:84715745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=9e0e3bf9-684e-4e01-a7fd-2515bc86a6cf"; depth:47; endswith; nocase; http.host; content:"mcq9ktcv.telemetry-nexus.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852644/; classtype:trojan-activity;sid:84715744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7e778cbe-1bd4-47ce-a5a1-749ea5b2d8b2"; depth:37; endswith; nocase; http.host; content:"kgztgu.fortunalamella.hu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852643/; classtype:trojan-activity;sid:84715743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852642)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.182.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852642/; classtype:trojan-activity;sid:84715742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.159.187.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852641/; classtype:trojan-activity;sid:84715741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.174.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852640/; classtype:trojan-activity;sid:84715740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.23.134.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852639/; classtype:trojan-activity;sid:84715739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.63.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852638/; classtype:trojan-activity;sid:84715738; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"static.210.112.105.178.clients.your-server.de"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852637/; classtype:trojan-activity;sid:84715737; rev:1;)
# NOTE(review): the host name static.210.112.105.178.clients.your-server.de carries the
# octets of 178.105.112.210 in reverse order, and the same two paths (/o.xml, /bins/px86)
# are listed below for that IP literal. Presumably both forms name one server (confirm
# against the URLhaus references). Two rules per path are needed because http.host is
# compared with the value the client sent: a request using the name does not match the
# IP rule and vice versa.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"static.210.112.105.178.clients.your-server.de"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852636/; classtype:trojan-activity;sid:84715736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.127.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852635/; classtype:trojan-activity;sid:84715735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"178.105.112.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852633/; classtype:trojan-activity;sid:84715733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"178.105.112.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852634/; classtype:trojan-activity;sid:84715734; rev:1;)
# The UUID-style paths below are matched exactly (depth:37 + endswith), so each rule
# covers one URL only; a different path token on the same host needs its own feed entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1bf3899c-8774-4bfd-8c72-3cbf18fa43e0"; depth:37; endswith; nocase; http.host; content:"arrtom.followyourjoy.hu"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852632/; classtype:trojan-activity;sid:84715732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.159.187.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852631/; classtype:trojan-activity;sid:84715731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.63.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852630/; classtype:trojan-activity;sid:84715730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/03ace386-a37f-41e7-a367-df0d30df34a5"; depth:37; endswith; nocase; http.host; content:"npukpk.fodraszoktatas.eu"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852629/; classtype:trojan-activity;sid:84715729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852628)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.249.112.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852628/; classtype:trojan-activity;sid:84715728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.23.134.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852627/; classtype:trojan-activity;sid:84715727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.191.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852626/; classtype:trojan-activity;sid:84715726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/526ac08f-2188-419f-b2ad-e01b2bdb0df1"; depth:37; endswith; nocase; http.host; content:"wwkgzd.flybuiltstudio.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852625/; classtype:trojan-activity;sid:84715725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.174.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852624/; 
classtype:trojan-activity;sid:84715724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.4.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852623/; classtype:trojan-activity;sid:84715723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.191.201"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852622/; classtype:trojan-activity;sid:84715722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/39b08f37-efbc-45ce-b98f-6ddaba53f04d"; depth:37; endswith; nocase; http.host; content:"qsxrao.flybuilt.hu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852621/; classtype:trojan-activity;sid:84715721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/977d4603-4081-4280-8ea6-62ecfcc84f05"; depth:37; endswith; nocase; http.host; content:"nqvfew.flybuilt.eu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852620/; classtype:trojan-activity;sid:84715720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"115.51.63.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852619/; classtype:trojan-activity;sid:84715719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852618/; classtype:trojan-activity;sid:84715718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852617/; classtype:trojan-activity;sid:84715717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=36534f41-dc9c-4236-b20e-843ee861e728"; depth:47; endswith; nocase; http.host; content:"58knxotz.proxy-compass.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852616/; classtype:trojan-activity;sid:84715716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.206.57.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852615/; classtype:trojan-activity;sid:84715715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3852614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.55.91"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852614/; classtype:trojan-activity;sid:84715714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6542db39-5779-4a96-8233-000e048dc99d"; depth:37; endswith; nocase; http.host; content:"vuvwlz.fluss.hu"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852613/; classtype:trojan-activity;sid:84715713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.96.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852612/; classtype:trojan-activity;sid:84715712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.103.105"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852611/; classtype:trojan-activity;sid:84715711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.206.57.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852610/; 
classtype:trojan-activity;sid:84715710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.103.105"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852609/; classtype:trojan-activity;sid:84715709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0ea4384d-3295-4e89-829c-803c6e58deff"; depth:37; endswith; nocase; http.host; content:"ieeljt.fittkor.hu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852608/; classtype:trojan-activity;sid:84715708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.154.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852607/; classtype:trojan-activity;sid:84715707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/436049f6-40c3-4c50-b420-e1a81a1431ec"; depth:37; endswith; nocase; http.host; content:"xdfbko.feszt360.hu"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852606/; classtype:trojan-activity;sid:84715706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852605)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/60fd6bbb-3774-46d1-afcc-9d6e31df4890"; depth:37; endswith; nocase; http.host; content:"trejzg.femeso.hu"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852605/; classtype:trojan-activity;sid:84715705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.113.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852604/; classtype:trojan-activity;sid:84715704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.63.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852603/; classtype:trojan-activity;sid:84715703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852602/; classtype:trojan-activity;sid:84715702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852598/; classtype:trojan-activity;sid:84715698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3852599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852599/; classtype:trojan-activity;sid:84715699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852600/; classtype:trojan-activity;sid:84715700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852601/; classtype:trojan-activity;sid:84715701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852597/; classtype:trojan-activity;sid:84715697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"192.159.99.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, 
urlhaus.abuse.ch/url/3852596/; classtype:trojan-activity;sid:84715696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7801266f-7be5-4f9d-9301-2154542f65fa"; depth:37; endswith; nocase; http.host; content:"dxsdji.felhangolo.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852594/; classtype:trojan-activity;sid:84715694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b38ec3bf-301b-435a-a39c-37314ea5f352"; depth:47; endswith; nocase; http.host; content:"hqcmiiiu.cloud-orbit.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852595/; classtype:trojan-activity;sid:84715695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.88.186.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852592/; classtype:trojan-activity;sid:84715692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.209.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852593/; classtype:trojan-activity;sid:84715693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3852589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.88.186.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852589/; classtype:trojan-activity;sid:84715689; rev:1;)
# Same template for every rule here: outbound GET on an established flow,
# http.uri pinned exactly (depth = content length, endswith, nocase) and
# http.host pinned exactly (depth + isdataat:!1,relative). One sid is issued
# per URL, so a path served from several hosts appears once per host.
# Only the GET method is matched; other methods to the same URL do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"158.94.209.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852590/; classtype:trojan-activity;sid:84715690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.159.99.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852591/; classtype:trojan-activity;sid:84715691; rev:1;)
# The dlr.<suffix> names on the next host look like per-CPU-architecture
# builds of one payload (presumably; the rules carry no family tag, so
# confirm on the URLhaus reference page). Several of these sids firing for
# one internal client are best handled as a single incident, grouped by
# destination host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852586/; classtype:trojan-activity;sid:84715686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852587/; 
classtype:trojan-activity;sid:84715687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852588/; classtype:trojan-activity;sid:84715688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852579/; classtype:trojan-activity;sid:84715679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm61"; depth:6; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852580/; classtype:trojan-activity;sid:84715680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852581/; classtype:trojan-activity;sid:84715681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852582/; classtype:trojan-activity;sid:84715682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852583/; classtype:trojan-activity;sid:84715683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852584/; classtype:trojan-activity;sid:84715684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852585/; classtype:trojan-activity;sid:84715685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852578/; classtype:trojan-activity;sid:84715678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852564)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852564/; classtype:trojan-activity;sid:84715664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852565/; classtype:trojan-activity;sid:84715665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852566/; classtype:trojan-activity;sid:84715666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852567/; classtype:trojan-activity;sid:84715667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852568/; classtype:trojan-activity;sid:84715668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3852569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852569/; classtype:trojan-activity;sid:84715669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852570/; classtype:trojan-activity;sid:84715670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852571/; classtype:trojan-activity;sid:84715671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852572/; classtype:trojan-activity;sid:84715672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852573/; 
classtype:trojan-activity;sid:84715673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/a.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852574/; classtype:trojan-activity;sid:84715674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852575/; classtype:trojan-activity;sid:84715675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852576/; classtype:trojan-activity;sid:84715676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852577/; classtype:trojan-activity;sid:84715677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.132.163"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852563/; classtype:trojan-activity;sid:84715663; rev:1;)
# Template for the rules below: outbound GET on an established flow, with
# http.uri and http.host each pinned to an exact literal (depth equal to the
# content length, then endswith / isdataat:!1,relative to forbid trailing
# bytes).
# The "/i" rule that follows has a two-byte URI, so all of its specificity
# comes from the http.host literal. That literal is a bare IP address: the
# indicator is only meaningful while that address serves the file, so use
# metadata:created_at to down-rank or expire old entries when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.253.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852562/; classtype:trojan-activity;sid:84715662; rev:1;)
# One sid per file on the same host; the sora.<suffix> names presumably
# denote builds for different CPU architectures (not stated in the rules).
# Alerts on several of these sids from one client belong to one event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm5"; depth:15; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852555/; classtype:trojan-activity;sid:84715655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm6"; depth:15; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852556/; classtype:trojan-activity;sid:84715656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh4"; depth:14; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852557/; classtype:trojan-activity;sid:84715657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852558)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bins/sora.arm7"; depth:15; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852558/; classtype:trojan-activity;sid:84715658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852559/; classtype:trojan-activity;sid:84715659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852560/; classtype:trojan-activity;sid:84715660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852561/; classtype:trojan-activity;sid:84715661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852552/; classtype:trojan-activity;sid:84715652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3852553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852553/; classtype:trojan-activity;sid:84715653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852554/; classtype:trojan-activity;sid:84715654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852546/; classtype:trojan-activity;sid:84715646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mips"; depth:15; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852547/; classtype:trojan-activity;sid:84715647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.mpsl"; depth:15; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, 
urlhaus.abuse.ch/url/3852548/; classtype:trojan-activity;sid:84715648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.m68k"; depth:15; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852549/; classtype:trojan-activity;sid:84715649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.spc"; depth:14; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852550/; classtype:trojan-activity;sid:84715650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.arm"; depth:14; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852551/; classtype:trojan-activity;sid:84715651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.ppc"; depth:14; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852545/; classtype:trojan-activity;sid:84715645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"222.136.143.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852544/; classtype:trojan-activity;sid:84715644; rev:1;)
# Template for the rules below: client-to-server GET from $HOME_NET to
# $EXTERNAL_NET, http.uri matched exactly and case-insensitively, http.host
# matched exactly. A request to the same host for any other path, or for the
# same path with an added query string, does not match these sids.
# All rules in this group name the same host: a shell script plus files whose
# suffixes look like CPU architectures. Presumably the script fetches one of
# the binaries (not shown by the rules - confirm on the URLhaus reference);
# when triaging, check whether the client that requested the script also
# requested one of the wife.<suffix> files shortly afterwards.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852535/; classtype:trojan-activity;sid:84715635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.ppc"; depth:9; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852536/; classtype:trojan-activity;sid:84715636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852537/; classtype:trojan-activity;sid:84715637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852538/; classtype:trojan-activity;sid:84715638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852539)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852539/; classtype:trojan-activity;sid:84715639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852540/; classtype:trojan-activity;sid:84715640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.i686"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852541/; classtype:trojan-activity;sid:84715641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.spc"; depth:9; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852542/; classtype:trojan-activity;sid:84715642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852543/; classtype:trojan-activity;sid:84715643; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852534/; classtype:trojan-activity;sid:84715634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm4"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852530/; classtype:trojan-activity;sid:84715630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852531/; classtype:trojan-activity;sid:84715631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852532/; classtype:trojan-activity;sid:84715632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; 
reference:url, urlhaus.abuse.ch/url/3852533/; classtype:trojan-activity;sid:84715633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.199.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852529/; classtype:trojan-activity;sid:84715629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.253.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852528/; classtype:trojan-activity;sid:84715628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.97.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852527/; classtype:trojan-activity;sid:84715627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.132.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852526/; classtype:trojan-activity;sid:84715626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"42.234.97.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852525/; classtype:trojan-activity;sid:84715625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linnn"; depth:6; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852524/; classtype:trojan-activity;sid:84715624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852523/; classtype:trojan-activity;sid:84715623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.232.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852522/; classtype:trojan-activity;sid:84715622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.199.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852521/; classtype:trojan-activity;sid:84715621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852520)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.128.158.19"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852520/; classtype:trojan-activity;sid:84715620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.220.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852519/; classtype:trojan-activity;sid:84715619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.232.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852518/; classtype:trojan-activity;sid:84715618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.94.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852517/; classtype:trojan-activity;sid:84715617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.220.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852516/; classtype:trojan-activity;sid:84715616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3852515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.94.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852515/; classtype:trojan-activity;sid:84715615; rev:1;)
# Template for the rules below: outbound GET on an established flow where
# http.uri equals the listed path (depth = content length, endswith, nocase)
# and http.host equals the listed literal (depth + isdataat:!1,relative).
# The paths here ("/bin.sh", "/i") are generic, so the host literal carries
# the detection. Each host is a bare IP address, which ties the indicator to
# whoever holds that address; metadata:created_at gives the age of the entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.82.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852514/; classtype:trojan-activity;sid:84715614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.149.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852513/; classtype:trojan-activity;sid:84715613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.121.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852512/; classtype:trojan-activity;sid:84715612; rev:1;)
# NOTE(review): in the next rule "|3f|" is a single byte ("?"), so the URI
# content is 44 bytes while depth is 47 (the escape appears to have been
# counted as four characters). Combined with endswith, the URI can apparently
# carry up to three extra leading bytes and still match, which is slightly
# looser than the exact match the other rules get. Confirm with the feed
# maintainer rather than editing the generated ruleset locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=72a75cdb-387d-4b1c-ac11-92ad91b9e7f7"; depth:47; endswith; nocase; http.host; content:"fkmrx4nm.signal-meridian.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, 
urlhaus.abuse.ch/url/3852511/; classtype:trojan-activity;sid:84715611; rev:1;)
# These are "alert http" rules, so they only fire on traffic Suricata parses as
# HTTP; a fetch of the same resource over TLS is not inspected unless the traffic is
# decrypted upstream. sid 84715609 matches a 48-byte path ending in .exe, while the
# other rules in this group rely on the two-byte URI "/i" plus an exact host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.36.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852510/; classtype:trojan-activity;sid:84715610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a3af8298ea44b225.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852509/; classtype:trojan-activity;sid:84715609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.231.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852508/; classtype:trojan-activity;sid:84715608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.166.38.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852507/; classtype:trojan-activity;sid:84715607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.237.50.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852506/; classtype:trojan-activity;sid:84715606; rev:1;)
# From sid 84715602 onward the rules in this group share the host 85.239.151.41 and
# differ only in the file name, both under /wokbin/ and at the web root. Each path
# is matched exactly, so every file name gets its own rule and sid; a path on the
# same host that is not listed here raises no alert from this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.121.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852505/; classtype:trojan-activity;sid:84715605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.ppc"; depth:17; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852502/; classtype:trojan-activity;sid:84715602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.i5"; depth:9; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852503/; classtype:trojan-activity;sid:84715603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.i6"; depth:9; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852504/; classtype:trojan-activity;sid:84715604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852501)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.x86"; depth:17; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852501/; classtype:trojan-activity;sid:84715601; rev:1;)
# The file names below differ only in their suffix (.arm, .mpsl, .arm6, .ppc);
# these look like per-architecture builds of one payload, which is an inference from
# the names only. For triage, the device type of the internal source host is
# therefore worth recording next to the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.arm"; depth:17; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852495/; classtype:trojan-activity;sid:84715595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.mpsl"; depth:18; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852496/; classtype:trojan-activity;sid:84715596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.arm6"; depth:18; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852497/; classtype:trojan-activity;sid:84715597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.ppc"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852498/; classtype:trojan-activity;sid:84715598; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852499/; classtype:trojan-activity;sid:84715600; rev:1;)
# "/nvr" and "/lil" are four-byte URIs. On their own they would be far too generic
# to alert on; these rules stay precise only because the same rule also requires the
# host buffer to be exactly 85.239.151.41.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nvr"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852500/; classtype:trojan-activity;sid:84715600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lil"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852494/; classtype:trojan-activity;sid:84715594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.i6"; depth:16; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852483/; classtype:trojan-activity;sid:84715583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.sh4"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; 
reference:url, urlhaus.abuse.ch/url/3852484/; classtype:trojan-activity;sid:84715584; rev:1;)
# In the rules shown here the sid is the URLhaus entry id from the msg and
# reference fields plus a fixed offset (3852485 -> 84715585), so an alert's sid maps
# straight back to the URLhaus entry it was generated from.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.m68k"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852485/; classtype:trojan-activity;sid:84715585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.mips"; depth:18; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852486/; classtype:trojan-activity;sid:84715586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.arm5"; depth:18; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852487/; classtype:trojan-activity;sid:84715587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l.sh"; depth:5; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852488/; classtype:trojan-activity;sid:84715588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.arm7"; 
depth:18; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852489/; classtype:trojan-activity;sid:84715589; rev:1;)
# Every rule requires "GET" in the http.method buffer. That content has no depth or
# endswith, so it is a substring test on the method, and requests made with another
# method (for example HEAD or POST) to the same host and path do not alert here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.arc"; depth:17; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852490/; classtype:trojan-activity;sid:84715590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.spc"; depth:17; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852491/; classtype:trojan-activity;sid:84715591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.spc"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852492/; classtype:trojan-activity;sid:84715592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852493/; classtype:trojan-activity;sid:84715593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3852477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thk"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852477/; classtype:trojan-activity;sid:84715577; rev:1;)
# The host patterns are IP literals compared against the http.host buffer, i.e. the
# host value carried in the request, not the destination address of the flow. When
# triaging an alert, confirm the destination IP from flow records as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.231.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852478/; classtype:trojan-activity;sid:84715578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.i5"; depth:16; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852479/; classtype:trojan-activity;sid:84715579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.m68k"; depth:18; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852480/; classtype:trojan-activity;sid:84715580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852481/; classtype:trojan-activity;sid:84715581; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wokbin/gbhnj.sh4"; depth:17; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852482/; classtype:trojan-activity;sid:84715582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7d8f95cb60bbcf0f.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852476/; classtype:trojan-activity;sid:84715576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.arc"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852467/; classtype:trojan-activity;sid:84715567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gh"; depth:3; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852468/; classtype:trojan-activity;sid:84715568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.arm"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852469/; classtype:trojan-activity;sid:84715569; rev:1;)
# All rules in this group point at the same host (85.239.151.41) and share one msg
# text apart from the URLhaus id. Grouping alerts by http.host and source address
# during triage avoids treating each sid as a separate incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.mpsl"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852470/; classtype:trojan-activity;sid:84715570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.mips"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852471/; classtype:trojan-activity;sid:84715571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.arm6"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852472/; classtype:trojan-activity;sid:84715572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.arm7"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852473/; classtype:trojan-activity;sid:84715573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852474)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/gbhnj.x86"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852474/; classtype:trojan-activity;sid:84715574; rev:1;)
# Each rule records its creation date in metadata:created_at (2026_05_24 here).
# The indicators are IP literals, which can be reassigned over time, so check the
# status of the referenced URLhaus entry before treating an old rule's alert as
# current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbhnj.arm5"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852475/; classtype:trojan-activity;sid:84715575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.50.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852466/; classtype:trojan-activity;sid:84715566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.99.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852465/; classtype:trojan-activity;sid:84715565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86"; depth:3; endswith; nocase; http.host; content:"192.109.200.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852464/; classtype:trojan-activity;sid:84715564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3852463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=67272593-a627-4ddf-bb7e-474c50f5a448"; depth:47; endswith; nocase; http.host; content:"gq0e2dm9.kernel-beacon.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852463/; classtype:trojan-activity;sid:84715563; rev:1;)
# NOTE(review): in the rule that ends just above (sid 84715563) |3f| encodes one
# byte ("?"), so the URI pattern is 44 bytes long while depth is 47. With endswith
# the match must still finish at the end of the URI, but it can begin up to 3 bytes
# into the buffer, which is looser than the exact-match form used by the rules
# below; depth:44 would anchor it at offset 0. Confirm with the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852462/; classtype:trojan-activity;sid:84715562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852460/; classtype:trojan-activity;sid:84715560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852461/; classtype:trojan-activity;sid:84715561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7048186296/zxfyzvm.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; 
reference:url, urlhaus.abuse.ch/url/3852459/; classtype:trojan-activity;sid:84715559; rev:1;)
# The direction is $HOME_NET -> $EXTERNAL_NET with flow:established,from_client, so
# an alert means an internal client sent the request. The source address is the
# host to investigate; the rule itself does not show whether the download completed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.247.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852458/; classtype:trojan-activity;sid:84715558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.226.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852457/; classtype:trojan-activity;sid:84715557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852456/; classtype:trojan-activity;sid:84715556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.38.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852454/; classtype:trojan-activity;sid:84715554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"182.113.38.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852455/; classtype:trojan-activity;sid:84715555; rev:1;)
# sid 84715551 matches one specific file under /files-129312398/files/ on
# 91.92.242.236. The path is compared in full (depth:48 plus endswith), so a file
# with a different name on that host is covered only once the feed publishes a rule
# for it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.90.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852453/; classtype:trojan-activity;sid:84715553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.208.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852452/; classtype:trojan-activity;sid:84715552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ace28c8550a31cc6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852451/; classtype:trojan-activity;sid:84715551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.201.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852450/; classtype:trojan-activity;sid:84715550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852449)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_eafb821b5b284ba4.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852449/; classtype:trojan-activity;sid:84715549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.243.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852448/; classtype:trojan-activity;sid:84715548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.176.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852447/; classtype:trojan-activity;sid:84715547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.41.205"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852446/; classtype:trojan-activity;sid:84715546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.155.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852445/; classtype:trojan-activity;sid:84715545; 
rev:1;)
# NOTE(review): sid 84715542 below writes "?" as |3f|, a single byte, so its URI
# pattern is 44 bytes long while depth is 47. endswith still pins the end of the
# match to the end of the URI, but the start may fall up to 3 bytes into the buffer,
# unlike the other rules here whose depth equals the pattern length. depth:44 would
# anchor it at offset 0; confirm with the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.23.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852444/; classtype:trojan-activity;sid:84715544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.243.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852443/; classtype:trojan-activity;sid:84715543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=94a04734-43ed-4fea-a748-248f926b72ef"; depth:47; endswith; nocase; http.host; content:"uudiolsq.packet-frontier.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852442/; classtype:trojan-activity;sid:84715542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.106.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852441/; classtype:trojan-activity;sid:84715541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852440/; classtype:trojan-activity;sid:84715540; rev:1;)
# nocase follows the http.uri content in every rule, so the path is compared
# without regard to case (for example the .exe name in sid 84715538). The host
# content carries no nocase and is written in lower case or as an IP literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.155.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852439/; classtype:trojan-activity;sid:84715539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8047329760/yklrc7e.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852438/; classtype:trojan-activity;sid:84715538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.145.142"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852437/; classtype:trojan-activity;sid:84715537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852436/; classtype:trojan-activity;sid:84715536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852435)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.106.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852435/; classtype:trojan-activity;sid:84715535; rev:1;)
# The four rules below all match the same two-byte URI "/i" and differ only in the
# host value. The host content (depth equal to its length, then
# isdataat:!1,relative) is what separates them, so the http.host field in the alert
# record is the indicator to pivot on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.185.147.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852434/; classtype:trojan-activity;sid:84715534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.7.180"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852433/; classtype:trojan-activity;sid:84715533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.52.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852432/; classtype:trojan-activity;sid:84715532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.23.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852431/; classtype:trojan-activity;sid:84715531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3852430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.125.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852430/; classtype:trojan-activity;sid:84715530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplinkr.sh"; depth:11; endswith; nocase; http.host; content:"giga.miraibotnet.su"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852429/; classtype:trojan-activity;sid:84715529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.178.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852428/; classtype:trojan-activity;sid:84715528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.34.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852427/; classtype:trojan-activity;sid:84715527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.192.249.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852425/; classtype:trojan-activity;sid:84715525; rev:1;) 
# Rules in this run share one shape: outbound HTTP GET on an established flow,
# with the URI buffer pinned by depth + endswith (case-insensitive via nocase)
# and the Host buffer pinned by depth + isdataat:!1,relative.
# NOTE(review): "alert http" only sees parsed cleartext HTTP. Where the listed
# URL is served over TLS, the rule cannot fire unless traffic is decrypted
# before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.192.249.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852426/; classtype:trojan-activity;sid:84715526; rev:1;)
# The next four rules cover one host with one file each; every path is a CPU
# architecture name and must match the whole URI, so other file names on the
# same host are not covered by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852421/; classtype:trojan-activity;sid:84715521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852422/; classtype:trojan-activity;sid:84715522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852423/; classtype:trojan-activity;sid:84715523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852424/; classtype:trojan-activity;sid:84715524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/zoomworkspace.clientsetup.msi"; depth:40; endswith; nocase; http.host; content:"zoominviteeees.de"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852420/; classtype:trojan-activity;sid:84715520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/6a11f03a2f229e4f44685cb9/winrar.exe"; depth:39; endswith; nocase; http.host; content:"plgb.koyeb.app"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852419/; classtype:trojan-activity;sid:84715519; rev:1;)
# NOTE(review): depth:80 is the length of the content as written, with the hex
# escape |3f| counted as four characters. The decoded pattern is 77 bytes, so
# depth + endswith here tolerates up to three leading bytes in front of the
# pattern instead of pinning it to the whole buffer like the other rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dynamic|3f|txd=5b7250991558c1089d217b180d9418df77886996c22f8f319d7f640895e03381"; depth:80; endswith; nocase; http.host; content:"astradomain.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852416/; classtype:trojan-activity;sid:84715516; rev:1;)
# NOTE(review): sites.google.com is a shared platform that is normally reached
# over HTTPS, so this rule presumably needs decrypted traffic to fire. The
# exact-path match is what keeps it from alerting on the rest of the platform.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/xnewbrenow"; depth:16; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852418/; classtype:trojan-activity;sid:84715518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_df61a8f7aeb6fed0.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852415/; classtype:trojan-activity;sid:84715515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/download.php"; depth:21; endswith; nocase; http.host; content:"uss001web.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852414/; classtype:trojan-activity;sid:84715514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.php"; depth:13; endswith; nocase; http.host; content:"zoom.web-interviews.live"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852412/; classtype:trojan-activity;sid:84715512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoomworkspace.msi"; depth:18; endswith; nocase; http.host; content:"zoom-in.pages.dev"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852413/; classtype:trojan-activity;sid:84715513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852411/; classtype:trojan-activity;sid:84715511; rev:1;)
# NOTE(review): |7c|26|7c| decodes to the four bytes "|26|", not to "&" (0x26).
# If the listed URL separates its query parameters with "&", this content
# cannot match it; it looks as if the hex escape for "&" was escaped a second
# time - confirm against the URLhaus entry. depth:63 also counts the escaped
# text (the decoded pattern is 54 bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest"; depth:63; endswith; nocase; http.host; content:"doc-web.org"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852410/; classtype:trojan-activity;sid:84715510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_cccda55512f7366e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852409/; classtype:trojan-activity;sid:84715509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/mellerbrew"; depth:16; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852404/; classtype:trojan-activity;sid:84715504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/claud-business4-ver22"; depth:27; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852405/; classtype:trojan-activity;sid:84715505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852406)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.228.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852406/; classtype:trojan-activity;sid:84715506; rev:1;)
# Rule shape used throughout: outbound HTTP GET, established flow, client side;
# http.uri pinned with depth + endswith (nocase), http.host pinned with
# depth + isdataat:!1,relative. Each rule therefore names one URL only.
# NOTE(review): hosts such as sites.google.com and *.github.io are shared
# platforms normally reached over HTTPS; "alert http" needs the request in
# cleartext, so confirm decrypted traffic reaches the sensor for these entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/clodemacx"; depth:15; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852407/; classtype:trojan-activity;sid:84715507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.23.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852408/; classtype:trojan-activity;sid:84715508; rev:1;)
# The "/curl/<64 hex characters>" rules match one full path on one host each;
# a different token on the same host is not covered by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl/493264d0f5918aa56ae745564bcb8e3308fb5a9aeaa3d7279ba0a2bc2ae4240e"; depth:70; endswith; nocase; http.host; content:"api-metrics-6258.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852401/; classtype:trojan-activity;sid:84715501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl/84cd03748d087041769611941a392bf93582eec01c9ee0471fea09c65d586ce7"; depth:70; endswith; nocase; http.host; content:"orbitstride7.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852402/; classtype:trojan-activity;sid:84715502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/probable-adventure/connect.html"; depth:32; endswith; nocase; http.host; content:"buyaneli876-oss.github.io"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852403/; classtype:trojan-activity;sid:84715503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wawan.sh"; depth:9; endswith; nocase; http.host; content:"203.145.34.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852400/; classtype:trojan-activity;sid:84715500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8350398681/n2kdvp4.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852396/; classtype:trojan-activity;sid:84715496; rev:1;)
# The following run lists many files under one host and one path prefix
# (/files-129312398/files/), one rule per file name. Because each URI match is
# exact, a file name that is not listed will not alert; treat repeated hits on
# this host as one incident rather than as independent detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8177e9f543146896.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852397/; classtype:trojan-activity;sid:84715497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3893e312f59d8339.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852398/; classtype:trojan-activity;sid:84715498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e"; depth:70; endswith; nocase; http.host; content:"homeinspectionnaperville.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852399/; classtype:trojan-activity;sid:84715499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_b91e8a8039155374.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852393/; classtype:trojan-activity;sid:84715493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_4acb8f51ec30100c.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852394/; classtype:trojan-activity;sid:84715494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7ebb31ca35ebc3a5.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852395/; classtype:trojan-activity;sid:84715495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7fe935f4043e70c6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852388/; classtype:trojan-activity;sid:84715488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_bbf3e2a3656f8155.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852389/; classtype:trojan-activity;sid:84715489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e3dc00d1b6f96c81.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852390/; classtype:trojan-activity;sid:84715490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_6d1c2b332b500487.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852391/; classtype:trojan-activity;sid:84715491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d33f9331c38f3288.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852392/; classtype:trojan-activity;sid:84715492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.185.147.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852387/; classtype:trojan-activity;sid:84715487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852386/; classtype:trojan-activity;sid:84715486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852385/; classtype:trojan-activity;sid:84715485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.208.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852384/; classtype:trojan-activity;sid:84715484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.7.180"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852383/; classtype:trojan-activity;sid:84715483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.57.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852382/; classtype:trojan-activity;sid:84715482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852381/; classtype:trojan-activity;sid:84715481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.9.175"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852380/; classtype:trojan-activity;sid:84715480; rev:1;)
# NOTE(review): depth:47 is the length of the content as written, with |3f|
# counted as four characters; the decoded pattern is 44 bytes. With endswith
# this tolerates up to three leading bytes before the pattern rather than
# requiring it to fill the whole URI buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=659ee75f-49e9-4100-8588-f9666da8f00c"; depth:47; endswith; nocase; http.host; content:"n4burrgj.runtime-cascade.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852379/; classtype:trojan-activity;sid:84715479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.242.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852377/; classtype:trojan-activity;sid:84715477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.57.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852378/; classtype:trojan-activity;sid:84715478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852376/; classtype:trojan-activity;sid:84715476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.105.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852375/; 
classtype:trojan-activity;sid:84715475; rev:1;)
# Template for the rules below: outbound HTTP GET on an established flow
# (client side); the URI must equal the listed path (depth + endswith, compared
# case-insensitively) and the Host buffer must equal the listed value
# (depth + isdataat:!1,relative).
# NOTE(review): nearly every host in this run is a bare IPv4 literal paired
# with "/i" or "/bin.sh", and several addresses appear once for each path.
# Correlate alerts by destination address, and use the created_at date and the
# URLhaus reference to judge whether an entry is still current before acting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.238.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852374/; classtype:trojan-activity;sid:84715474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.9.175"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852373/; classtype:trojan-activity;sid:84715473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.26.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852372/; classtype:trojan-activity;sid:84715472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/vnc.exe"; depth:27; endswith; nocase; http.host; content:"138.197.117.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852371/; classtype:trojan-activity;sid:84715471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.110.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852370/; classtype:trojan-activity;sid:84715470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.129.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852369/; classtype:trojan-activity;sid:84715469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.91.70"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852368/; classtype:trojan-activity;sid:84715468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.168.0.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852367/; classtype:trojan-activity;sid:84715467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.183.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852366/; classtype:trojan-activity;sid:84715466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_c87961759af84e33.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852365/; classtype:trojan-activity;sid:84715465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.129.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852364/; classtype:trojan-activity;sid:84715464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.91.70"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852363/; classtype:trojan-activity;sid:84715463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852362/; classtype:trojan-activity;sid:84715462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.183.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852361/; classtype:trojan-activity;sid:84715461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.214.202.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852360/; classtype:trojan-activity;sid:84715460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.153.144.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852359/; classtype:trojan-activity;sid:84715459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8648a3932ba8c3b6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852358/; classtype:trojan-activity;sid:84715458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.124.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852357/; classtype:trojan-activity;sid:84715457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.168.0.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852356/; classtype:trojan-activity;sid:84715456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.242.141.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852355/; classtype:trojan-activity;sid:84715455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.214.202.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852354/; classtype:trojan-activity;sid:84715454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"154.242.141.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852353/; classtype:trojan-activity;sid:84715453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.124.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852352/; classtype:trojan-activity;sid:84715452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852350/; classtype:trojan-activity;sid:84715450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852351/; classtype:trojan-activity;sid:84715451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.8.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852349/; classtype:trojan-activity;sid:84715449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"23.92.130.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852348/; classtype:trojan-activity;sid:84715448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.89.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852347/; classtype:trojan-activity;sid:84715447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.237.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852346/; classtype:trojan-activity;sid:84715446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.237.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852345/; classtype:trojan-activity;sid:84715445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.141.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852344/; classtype:trojan-activity;sid:84715444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.198.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852343/; classtype:trojan-activity;sid:84715443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.141.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852342/; classtype:trojan-activity;sid:84715442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852341)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.238.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852341/; classtype:trojan-activity;sid:84715441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"23.92.130.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852340/; classtype:trojan-activity;sid:84715440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.221.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852339/; classtype:trojan-activity;sid:84715439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.198.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852338/; classtype:trojan-activity;sid:84715438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.86.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852336/; classtype:trojan-activity;sid:84715436; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.200.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852337/; classtype:trojan-activity;sid:84715437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.11.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852335/; classtype:trojan-activity;sid:84715435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.64.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852334/; classtype:trojan-activity;sid:84715434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.221.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852333/; classtype:trojan-activity;sid:84715433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.218.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852332/; 
classtype:trojan-activity;sid:84715432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.8.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852331/; classtype:trojan-activity;sid:84715431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.200.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852330/; classtype:trojan-activity;sid:84715430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.112.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852329/; classtype:trojan-activity;sid:84715429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.72.125"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852328/; classtype:trojan-activity;sid:84715428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.112.25"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852327/; classtype:trojan-activity;sid:84715427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.218.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852326/; classtype:trojan-activity;sid:84715426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.219.117.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852325/; classtype:trojan-activity;sid:84715425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.33.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852324/; classtype:trojan-activity;sid:84715424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.122.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852323/; classtype:trojan-activity;sid:84715423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"125.45.9.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852322/; classtype:trojan-activity;sid:84715422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.33.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852321/; classtype:trojan-activity;sid:84715421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.219.117.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852320/; classtype:trojan-activity;sid:84715420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.129.184.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852319/; classtype:trojan-activity;sid:84715419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.9.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852318/; classtype:trojan-activity;sid:84715418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852317)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.91.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852317/; classtype:trojan-activity;sid:84715417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.189.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852316/; classtype:trojan-activity;sid:84715416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.129.184.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852315/; classtype:trojan-activity;sid:84715415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.167.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852314/; classtype:trojan-activity;sid:84715414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.91.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852313/; classtype:trojan-activity;sid:84715413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3852312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.253.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852312/; classtype:trojan-activity;sid:84715412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852311/; classtype:trojan-activity;sid:84715411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852310/; classtype:trojan-activity;sid:84715410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.8.174"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852309/; classtype:trojan-activity;sid:84715409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.239.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852308/; classtype:trojan-activity;sid:84715408; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.179.228.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852307/; classtype:trojan-activity;sid:84715407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.189.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852306/; classtype:trojan-activity;sid:84715406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.167.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852305/; classtype:trojan-activity;sid:84715405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.214.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852304/; classtype:trojan-activity;sid:84715404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.253.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, 
urlhaus.abuse.ch/url/3852303/; classtype:trojan-activity;sid:84715403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.8.174"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852302/; classtype:trojan-activity;sid:84715402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.250.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852301/; classtype:trojan-activity;sid:84715401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.103.116.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852300/; classtype:trojan-activity;sid:84715400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.149.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852299/; classtype:trojan-activity;sid:84715399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.15.241"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852298/; classtype:trojan-activity;sid:84715398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.214.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852297/; classtype:trojan-activity;sid:84715397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.149.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852296/; classtype:trojan-activity;sid:84715396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.x86"; depth:14; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852295/; classtype:trojan-activity;sid:84715395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.222.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852294/; classtype:trojan-activity;sid:84715394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852293)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.99.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852293/; classtype:trojan-activity;sid:84715393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.81.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852292/; classtype:trojan-activity;sid:84715392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.152.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852291/; classtype:trojan-activity;sid:84715391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.222.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852290/; classtype:trojan-activity;sid:84715390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.81.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852289/; classtype:trojan-activity;sid:84715389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3852288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.69.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852288/; classtype:trojan-activity;sid:84715388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.152.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852287/; classtype:trojan-activity;sid:84715387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.77.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852286/; classtype:trojan-activity;sid:84715386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.5.112"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852285/; classtype:trojan-activity;sid:84715385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852284/; classtype:trojan-activity;sid:84715384; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.173.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852283/; classtype:trojan-activity;sid:84715383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.69.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852282/; classtype:trojan-activity;sid:84715382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.77.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852281/; classtype:trojan-activity;sid:84715381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.5.112"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852280/; classtype:trojan-activity;sid:84715380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.179.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852279/; 
classtype:trojan-activity;sid:84715379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.179.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852278/; classtype:trojan-activity;sid:84715378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.141.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852277/; classtype:trojan-activity;sid:84715377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.141.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852276/; classtype:trojan-activity;sid:84715376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.13.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852275/; classtype:trojan-activity;sid:84715375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.130.53"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852274/; classtype:trojan-activity;sid:84715374; rev:1;)
# The line above is the tail of a rule that begins before this span.
#
# URLhaus download-URL rules, restored to one rule per line. Every rule below has the same shape:
#   - alert http, $HOME_NET any -> $EXTERNAL_NET any, flow:established,from_client
#   - http.method must contain "GET"
#   - http.uri:  content + depth:<length of the content> + endswith, with nocase
#                => the whole URI buffer must equal the listed string, case-insensitively
#   - http.host: content + depth:<length of the content> + isdataat:!1,relative
#                => the whole host buffer must equal the listed string
# The destination port is "any", so the port of the reported URL is not part of the match.
# In every rule shown, sid = URLhaus entry id + 80863100; the entry page is given in reference:url.
# Host 91.92.242.236 appears three times with paths of the form
# /files-129312398/files/file_<16 hex chars>.exe (entries 3852268, 3852263, 3852256).
# Several hosts are listed twice, once with "/i" and once with "/bin.sh".
# NOTE(review): these are "alert http" rules, so they apply only to traffic Suricata parses as HTTP;
# the same URL fetched over TLS would presumably not be seen unless it is decrypted upstream.
# NOTE(review): the rules only help if $HOME_NET covers the monitored hosts - confirm in suricata.yaml.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.195.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852273/; classtype:trojan-activity;sid:84715373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.147.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852272/; classtype:trojan-activity;sid:84715372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.164.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852271/; classtype:trojan-activity;sid:84715371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.130.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852270/; classtype:trojan-activity;sid:84715370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.100.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852269/; classtype:trojan-activity;sid:84715369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fd84166d2046cf3a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852268/; classtype:trojan-activity;sid:84715368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.242.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852267/; classtype:trojan-activity;sid:84715367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.13.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852266/; classtype:trojan-activity;sid:84715366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.250.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852265/; classtype:trojan-activity;sid:84715365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.164.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852264/; classtype:trojan-activity;sid:84715364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_41b9b0ae817a81c5.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852263/; classtype:trojan-activity;sid:84715363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.219.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852262/; classtype:trojan-activity;sid:84715362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.242.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852261/; classtype:trojan-activity;sid:84715361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.211.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852260/; classtype:trojan-activity;sid:84715360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.183.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852259/; classtype:trojan-activity;sid:84715359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.250.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852258/; classtype:trojan-activity;sid:84715358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.12.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852257/; classtype:trojan-activity;sid:84715357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7ae1efec59cf42de.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852256/; classtype:trojan-activity;sid:84715356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.184.188.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_24; reference:url, urlhaus.abuse.ch/url/3852255/; classtype:trojan-activity;sid:84715355; rev:1;)
# Rules from here on carry metadata:created_at 2026_05_23.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.100.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852254/; classtype:trojan-activity;sid:84715354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.16.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852253/; classtype:trojan-activity;sid:84715353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.219.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852252/; classtype:trojan-activity;sid:84715352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.211.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852251/; classtype:trojan-activity;sid:84715351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.91.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852250/; classtype:trojan-activity;sid:84715350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.184.188.107"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852249/; classtype:trojan-activity;sid:84715349; rev:1;)
# The next eight rules share host 45.81.234.64; the paths look like CPU-architecture names
# (one file per target platform, presumably) - verify against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852248/; classtype:trojan-activity;sid:84715348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852247/; classtype:trojan-activity;sid:84715347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc-440fp"; depth:14; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852240/; classtype:trojan-activity;sid:84715340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852241/; classtype:trojan-activity;sid:84715341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852242/; classtype:trojan-activity;sid:84715342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852243/; classtype:trojan-activity;sid:84715343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852244/; classtype:trojan-activity;sid:84715344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852245/; classtype:trojan-activity;sid:84715345; rev:1;)
# URLhaus download-URL rules, restored to one rule per line. Every rule below has the same shape:
#   - alert http, $HOME_NET any -> $EXTERNAL_NET any, flow:established,from_client
#   - http.method must contain "GET"
#   - http.uri:  content + depth + endswith, with nocase; depth is the length of the content as
#                written, so (except where noted below) the whole URI buffer must equal the string
#   - http.host: content + depth:<length of the content> + isdataat:!1,relative
#                => the whole host buffer must equal the listed string
# The destination port is "any", so the port of the reported URL is not part of the match.
# In every rule shown, sid = URLhaus entry id + 80863100; the entry page is given in reference:url.
# All rules in this span carry metadata:created_at 2026_05_23.
# Several hosts are listed twice, once with "/i" and once with "/bin.sh".
# NOTE(review): these are "alert http" rules, so they apply only to traffic Suricata parses as HTTP;
# the same URL fetched over TLS would presumably not be seen unless it is decrypted upstream.
# NOTE(review): the rules only help if $HOME_NET covers the monitored hosts - confirm in suricata.yaml.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"45.81.234.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852246/; classtype:trojan-activity;sid:84715346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.0.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852239/; classtype:trojan-activity;sid:84715339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.183.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852238/; classtype:trojan-activity;sid:84715338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.42.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852237/; classtype:trojan-activity;sid:84715337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852236/; classtype:trojan-activity;sid:84715336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.141.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852235/; classtype:trojan-activity;sid:84715335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.116.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852234/; classtype:trojan-activity;sid:84715334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.244.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852233/; classtype:trojan-activity;sid:84715333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.176.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852232/; classtype:trojan-activity;sid:84715332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.42.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852231/; classtype:trojan-activity;sid:84715331; rev:1;)
# "|3f|" is the hex escape for "?", so the content below is "/?ublib=<uuid>" (44 bytes).
# NOTE(review): depth:47 counts "|3f|" as four characters; with endswith this accepts up to three
# extra bytes before the match, i.e. slightly looser than the exact-URI match of the other rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=aa690aff-01d7-4af1-bcb4-29bfade3d6b3"; depth:47; endswith; nocase; http.host; content:"y4gf3n18.network-foundry.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852230/; classtype:trojan-activity;sid:84715330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.113.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852229/; classtype:trojan-activity;sid:84715329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.116.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852228/; classtype:trojan-activity;sid:84715328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.185.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852227/; classtype:trojan-activity;sid:84715327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.244.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852226/; classtype:trojan-activity;sid:84715326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.208.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852225/; classtype:trojan-activity;sid:84715325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.233.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852224/; classtype:trojan-activity;sid:84715324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.15.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852223/; classtype:trojan-activity;sid:84715323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.236.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852222/; classtype:trojan-activity;sid:84715322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.185.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852221/; classtype:trojan-activity;sid:84715321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.208.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852220/; classtype:trojan-activity;sid:84715320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.91.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852219/; classtype:trojan-activity;sid:84715319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"194.69.200.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852218/; classtype:trojan-activity;sid:84715318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.228.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852217/; classtype:trojan-activity;sid:84715317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852216/; classtype:trojan-activity;sid:84715316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.233.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852215/; classtype:trojan-activity;sid:84715315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.236.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852214/; classtype:trojan-activity;sid:84715314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.15.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852213/; classtype:trojan-activity;sid:84715313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.32.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852212/; classtype:trojan-activity;sid:84715312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.37.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852211/; classtype:trojan-activity;sid:84715311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852210/; classtype:trojan-activity;sid:84715310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.242.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852209/; classtype:trojan-activity;sid:84715309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.242.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852208/; classtype:trojan-activity;sid:84715308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.72.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852207/; classtype:trojan-activity;sid:84715307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.26.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852206/; classtype:trojan-activity;sid:84715306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.140.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852205/; classtype:trojan-activity;sid:84715305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.36.124.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852204/; classtype:trojan-activity;sid:84715304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.190.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852203/; classtype:trojan-activity;sid:84715303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852202/; classtype:trojan-activity;sid:84715302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.26.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852201/; classtype:trojan-activity;sid:84715301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.115.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852200/; classtype:trojan-activity;sid:84715300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.140.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852199/; classtype:trojan-activity;sid:84715299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.99.254.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852198/; classtype:trojan-activity;sid:84715298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.89.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852197/; classtype:trojan-activity;sid:84715297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.140.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852196/; classtype:trojan-activity;sid:84715296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.190.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852195/; classtype:trojan-activity;sid:84715295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.142.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852194/; classtype:trojan-activity;sid:84715294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.254.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852193/; classtype:trojan-activity;sid:84715293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.94.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852192/; classtype:trojan-activity;sid:84715292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.36.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852191/; classtype:trojan-activity;sid:84715291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.142.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852190/; classtype:trojan-activity;sid:84715290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.115.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852189/; classtype:trojan-activity;sid:84715289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.199.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852188/; classtype:trojan-activity;sid:84715288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.24.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852187/; classtype:trojan-activity;sid:84715287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852186/; classtype:trojan-activity;sid:84715286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.24.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852185/; classtype:trojan-activity;sid:84715285; rev:1;)
# Same "/?ublib=<uuid>" form as entry 3852230 ("|3f|" is "?"), on a different hostname.
# NOTE(review): depth:47 again exceeds the 44-byte decoded content, so up to three leading bytes are tolerated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0bd596cf-3da7-4c07-a54b-75fc88461ef7"; depth:47; endswith; nocase; http.host; content:"9v42ch67.proxy-frontier.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852184/; classtype:trojan-activity;sid:84715284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.36.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852183/; classtype:trojan-activity;sid:84715283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.142.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852182/; classtype:trojan-activity;sid:84715282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.82.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852181/; classtype:trojan-activity;sid:84715281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852180/; classtype:trojan-activity;sid:84715280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.234.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852179/; classtype:trojan-activity;sid:84715279; rev:1;)
# The rule started on the next line is cut off here and continues past this span.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3852178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.3.40"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852178/; classtype:trojan-activity;sid:84715278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.142.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852177/; classtype:trojan-activity;sid:84715277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.234.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852176/; classtype:trojan-activity;sid:84715276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.148.241.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852175/; classtype:trojan-activity;sid:84715275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852174/; classtype:trojan-activity;sid:84715274; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852173/; classtype:trojan-activity;sid:84715273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.233.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852172/; classtype:trojan-activity;sid:84715272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.156.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852171/; classtype:trojan-activity;sid:84715271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.89.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852169/; classtype:trojan-activity;sid:84715269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.146.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, 
urlhaus.abuse.ch/url/3852170/; classtype:trojan-activity;sid:84715270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.156.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852168/; classtype:trojan-activity;sid:84715268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.234.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852167/; classtype:trojan-activity;sid:84715267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.234.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852166/; classtype:trojan-activity;sid:84715266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.3.40"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852165/; classtype:trojan-activity;sid:84715265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.66.252"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852164/; classtype:trojan-activity;sid:84715264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.90.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852163/; classtype:trojan-activity;sid:84715263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.90.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852162/; classtype:trojan-activity;sid:84715262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.233.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852161/; classtype:trojan-activity;sid:84715261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.118.146.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852160/; classtype:trojan-activity;sid:84715260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852159)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.181.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852159/; classtype:trojan-activity;sid:84715259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.66.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852158/; classtype:trojan-activity;sid:84715258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.55.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852157/; classtype:trojan-activity;sid:84715257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.25.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852156/; classtype:trojan-activity;sid:84715256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.19.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852155/; classtype:trojan-activity;sid:84715255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852154)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.55.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852154/; classtype:trojan-activity;sid:84715254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.46.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852153/; classtype:trojan-activity;sid:84715253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/phyqcoj.x86_64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852152/; classtype:trojan-activity;sid:84715252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/jofvjef.mips64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852146/; classtype:trojan-activity;sid:84715246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/jxkpemu.i486"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852147/; 
classtype:trojan-activity;sid:84715247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/vgceumj.mips"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852148/; classtype:trojan-activity;sid:84715248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/ophnlrw.aarch64"; depth:25; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852149/; classtype:trojan-activity;sid:84715249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/fzijrsa.i686"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852150/; classtype:trojan-activity;sid:84715250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/kpbthal.i586"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852151/; classtype:trojan-activity;sid:84715251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/jtkfvce.ppc"; 
depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852145/; classtype:trojan-activity;sid:84715245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/ptqyiwp.mpsl"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852144/; classtype:trojan-activity;sid:84715244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.25.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852143/; classtype:trojan-activity;sid:84715243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.236.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852142/; classtype:trojan-activity;sid:84715242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852141/; classtype:trojan-activity;sid:84715241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3852139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852139/; classtype:trojan-activity;sid:84715239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852140/; classtype:trojan-activity;sid:84715240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i386"; depth:5; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852131/; classtype:trojan-activity;sid:84715231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852132/; classtype:trojan-activity;sid:84715232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852133/; classtype:trojan-activity;sid:84715233; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852134/; classtype:trojan-activity;sid:84715234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852135/; classtype:trojan-activity;sid:84715235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852136/; classtype:trojan-activity;sid:84715236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm64"; depth:14; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852137/; classtype:trojan-activity;sid:84715237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, 
urlhaus.abuse.ch/url/3852138/; classtype:trojan-activity;sid:84715238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852130/; classtype:trojan-activity;sid:84715230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miner.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852128/; classtype:trojan-activity;sid:84715228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852127/; classtype:trojan-activity;sid:84715227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852126/; classtype:trojan-activity;sid:84715226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.235.173.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852125/; classtype:trojan-activity;sid:84715225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.46.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852124/; classtype:trojan-activity;sid:84715224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.255.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852123/; classtype:trojan-activity;sid:84715223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x64.exe"; depth:12; endswith; nocase; http.host; content:"158.94.208.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852122/; classtype:trojan-activity;sid:84715222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.19.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852121/; classtype:trojan-activity;sid:84715221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852120)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.21.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852120/; classtype:trojan-activity;sid:84715220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.35.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852119/; classtype:trojan-activity;sid:84715219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.35.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852118/; classtype:trojan-activity;sid:84715218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852116/; classtype:trojan-activity;sid:84715216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.101.187.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852117/; classtype:trojan-activity;sid:84715217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3852115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.21.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852115/; classtype:trojan-activity;sid:84715215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.41.205"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852114/; classtype:trojan-activity;sid:84715214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/institute/10/cloudiya10.txt"; depth:28; endswith; nocase; http.host; content:"abimj.edu.af"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852113/; classtype:trojan-activity;sid:84715213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a6357da6a05d7266.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852112/; classtype:trojan-activity;sid:84715212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_29906bbf82a8831a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; 
reference:url, urlhaus.abuse.ch/url/3852109/; classtype:trojan-activity;sid:84715209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8d6babf2a10342e5.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852110/; classtype:trojan-activity;sid:84715210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_22d235bef51be395.dll:::start"; depth:56; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852111/; classtype:trojan-activity;sid:84715211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852108/; classtype:trojan-activity;sid:84715208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"66.212.185.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852106/; classtype:trojan-activity;sid:84715206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852107)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.101.187.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852107/; classtype:trojan-activity;sid:84715207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.195.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852105/; classtype:trojan-activity;sid:84715205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.246.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852104/; classtype:trojan-activity;sid:84715204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852103/; classtype:trojan-activity;sid:84715203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.237.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852102/; classtype:trojan-activity;sid:84715202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3852101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.103.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852101/; classtype:trojan-activity;sid:84715201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.183.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852099/; classtype:trojan-activity;sid:84715199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.237.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852100/; classtype:trojan-activity;sid:84715200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.183.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852098/; classtype:trojan-activity;sid:84715198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.134.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852097/; classtype:trojan-activity;sid:84715197; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/e7d3d6vmgxiy.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852096/; classtype:trojan-activity;sid:84715196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/lzd94idifoet.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852095/; classtype:trojan-activity;sid:84715195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.246.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852094/; classtype:trojan-activity;sid:84715194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.103.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852093/; classtype:trojan-activity;sid:84715193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852092/; classtype:trojan-activity;sid:84715192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852091/; classtype:trojan-activity;sid:84715191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852090/; classtype:trojan-activity;sid:84715190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/memekw.sh"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852076/; classtype:trojan-activity;sid:84715176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852077/; classtype:trojan-activity;sid:84715177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852078)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/luxzzxzzx/memekc.sh"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852078/; classtype:trojan-activity;sid:84715178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852079/; classtype:trojan-activity;sid:84715179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852080/; classtype:trojan-activity;sid:84715180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852081/; classtype:trojan-activity;sid:84715181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852082/; classtype:trojan-activity;sid:84715182; rev:1;) 
# Rules below are restored to one per line; rule text is unchanged.
#
# One rule per URLhaus entry: the number in msg and in reference:url is the
# URLhaus entry id. Every rule inspects only the client request
# (flow:established,from_client) from $HOME_NET to $EXTERNAL_NET and requires:
#   - http.method to contain "GET"
#   - http.uri to equal the listed path, ignoring case (depth is the content
#     length and endswith pins the end, so a longer URI, e.g. the same path
#     with a query string appended, does not match)
#   - http.host to equal the listed host (depth is the content length and
#     isdataat:!1,relative requires that nothing follows)
#
# Triage notes:
#   - An alert means a client in $HOME_NET requested the URL; nothing in the
#     rule looks at the response, so it does not show that a payload was
#     delivered. Confirm with response/file logs or host telemetry.
#   - Paths such as "/i" and "/bin.sh" recur across many hosts, so the host
#     match is what makes those rules specific. Most hosts are IP literals;
#     check the referenced URLhaus entry for current status before acting.
#   - Only traffic parsed as HTTP is covered; the same URL fetched over TLS is
#     not visible to these rules unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/debug"; depth:16; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852083/; classtype:trojan-activity;sid:84715183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852084/; classtype:trojan-activity;sid:84715184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852085/; classtype:trojan-activity;sid:84715185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852086/; classtype:trojan-activity;sid:84715186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852087/; classtype:trojan-activity;sid:84715187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mpsl"; depth:21; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852088/; classtype:trojan-activity;sid:84715188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852089/; classtype:trojan-activity;sid:84715189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.117.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852075/; classtype:trojan-activity;sid:84715175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.165.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852074/; classtype:trojan-activity;sid:84715174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.116.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852073/; classtype:trojan-activity;sid:84715173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.83.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852072/; classtype:trojan-activity;sid:84715172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.93.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852071/; classtype:trojan-activity;sid:84715171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.209.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852070/; classtype:trojan-activity;sid:84715170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.15.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852069/; classtype:trojan-activity;sid:84715169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.83.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852068/; classtype:trojan-activity;sid:84715168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.165.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852067/; classtype:trojan-activity;sid:84715167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.43.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852066/; classtype:trojan-activity;sid:84715166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.117.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852065/; classtype:trojan-activity;sid:84715165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.116.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852064/; classtype:trojan-activity;sid:84715164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.156.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852063/; classtype:trojan-activity;sid:84715163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_32112d735f99e00e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852062/; classtype:trojan-activity;sid:84715162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.120.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852061/; classtype:trojan-activity;sid:84715161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.247.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852060/; classtype:trojan-activity;sid:84715160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.232.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852059/; classtype:trojan-activity;sid:84715159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.161.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852058/; classtype:trojan-activity;sid:84715158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.210.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852057/; classtype:trojan-activity;sid:84715157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.215.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852056/; classtype:trojan-activity;sid:84715156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.115.161.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852055/; classtype:trojan-activity;sid:84715155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.99.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852054/; classtype:trojan-activity;sid:84715154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.210.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852053/; classtype:trojan-activity;sid:84715153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852052/; classtype:trojan-activity;sid:84715152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.247.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852051/; classtype:trojan-activity;sid:84715151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.215.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852050/; classtype:trojan-activity;sid:84715150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"62.169.16.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852049/; classtype:trojan-activity;sid:84715149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.232.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852048/; classtype:trojan-activity;sid:84715148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852047/; classtype:trojan-activity;sid:84715147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.41.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852046/; classtype:trojan-activity;sid:84715146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/android.sh"; depth:20; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852045/; classtype:trojan-activity;sid:84715145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.206.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852044/; classtype:trojan-activity;sid:84715144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.41.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852043/; classtype:trojan-activity;sid:84715143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.231.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852042/; classtype:trojan-activity;sid:84715142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.86.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852041/; classtype:trojan-activity;sid:84715141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.79.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852040/; classtype:trojan-activity;sid:84715140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.231.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852039/; classtype:trojan-activity;sid:84715139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.157.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852038/; classtype:trojan-activity;sid:84715138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.86.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852037/; classtype:trojan-activity;sid:84715137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.215.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852036/; classtype:trojan-activity;sid:84715136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.190.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852035/; classtype:trojan-activity;sid:84715135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.157.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852034/; classtype:trojan-activity;sid:84715134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.20.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852032/; classtype:trojan-activity;sid:84715132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.20.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852033/; classtype:trojan-activity;sid:84715133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.190.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852031/; classtype:trojan-activity;sid:84715131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.128.158.19"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852030/; classtype:trojan-activity;sid:84715130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852029/; classtype:trojan-activity;sid:84715129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.exe"; depth:12; endswith; nocase; http.host; content:"165.231.215.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852028/; classtype:trojan-activity;sid:84715128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/uvffofq.arm5"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852020/; classtype:trojan-activity;sid:84715120; rev:1;)
# NOTE(review): the next two rules (sid 84715121 and 84715122) have identical
# match conditions (same path, same host), so a single request raises both
# alerts. The two URLhaus entries presumably differ in something the rule does
# not encode (e.g. port or scheme); confirm on the referenced entries and
# de-duplicate downstream if the double alert is noisy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"31.57.129.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852021/; classtype:trojan-activity;sid:84715121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"31.57.129.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852022/; classtype:trojan-activity;sid:84715122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/nqwseha.arm"; depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852023/; classtype:trojan-activity;sid:84715123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"31.57.129.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852024/; classtype:trojan-activity;sid:84715124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/dgkbspx.arm6"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852025/; classtype:trojan-activity;sid:84715125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bi6zyc9/ubonojy.arm7"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852026/; classtype:trojan-activity;sid:84715126; rev:1;)
# Reading these signatures: the header limits them to $HOME_NET clients talking
# to $EXTERNAL_NET servers, and flow:established,from_client with http.method
# "GET" means the alert fires on the outbound request. It shows that a client
# asked for the URL, not that the payload was delivered - check the response
# (status, body size, file extraction) before treating the client as infected.
#
# sid 84715127 has the same match conditions as sid 84715104 elsewhere in this
# file (/bins/loader.sh on 31.57.129.10); one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/loader.sh"; depth:15; endswith; nocase; http.host; content:"31.57.129.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852027/; classtype:trojan-activity;sid:84715127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.81.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852019/; classtype:trojan-activity;sid:84715119; rev:1;)
# The host here is a domain name rather than an address, and the signature is
# tied to one path on it; other paths on tmpfiles.org do not alert.
# NOTE(review): "alert http" inspects parsed HTTP only. If this host is normally
# reached over HTTPS, the signature fires only where TLS is decrypted before the
# sensor - confirm coverage, or pair it with DNS/TLS-SNI telemetry for the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/wuwkgkchfcso/49.exe"; depth:23; endswith; nocase; http.host; content:"tmpfiles.org"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852017/; classtype:trojan-activity;sid:84715117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7d9b4f2278093dda.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852018/; classtype:trojan-activity;sid:84715118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ddjidd564/defi-security-best-practices/gh-pages/scan.js"; depth:56; endswith; nocase; 
http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852015/; classtype:trojan-activity;sid:84715115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.181.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852016/; classtype:trojan-activity;sid:84715116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shr"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852013/; classtype:trojan-activity;sid:84715113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/fonts/loader.sh"; depth:28; endswith; nocase; http.host; content:"simonizauto.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852014/; classtype:trojan-activity;sid:84715114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7453936223/4btqzz1.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852009/; classtype:trojan-activity;sid:84715109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3852010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_203deff4b651a421.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852010/; classtype:trojan-activity;sid:84715110; rev:1;)
# |3f| is the hex escape for "?", so the URI pattern in the next two signatures
# is the 12-byte string /?download=1. depth:15 equals the length of the escaped
# text, not of the pattern, so together with endswith the URI may be 12 to 15
# bytes long: up to three extra leading bytes still match. The signatures
# without a hex escape in this file have depth equal to the pattern length and
# are exact.
# NOTE(review): *.vercel.app hosts are presumably reached over HTTPS; "alert
# http" then fires only where TLS is decrypted before the sensor - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"maxvideo2026.vercel.app"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852011/; classtype:trojan-activity;sid:84715111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"vidrudtp.vercel.app"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852012/; classtype:trojan-activity;sid:84715112; rev:1;)
# sid 84715105 has the same match conditions as sid 84715113 elsewhere in this
# file (/shr on 85.239.151.41); one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shr"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852005/; classtype:trojan-activity;sid:84715105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a02dac0bee89fdba.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852006/; classtype:trojan-activity;sid:84715106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_2e74ff26f42e77fb.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852007/; classtype:trojan-activity;sid:84715107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e1c960b1c3f65886.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852008/; classtype:trojan-activity;sid:84715108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantom.sh"; depth:11; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852003/; classtype:trojan-activity;sid:84715103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/loader.sh"; depth:15; endswith; nocase; http.host; content:"31.57.129.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852004/; classtype:trojan-activity;sid:84715104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852001)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/morte.x86_64"; depth:18; endswith; nocase; http.host; content:"5.175.249.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852001/; classtype:trojan-activity;sid:84715101; rev:1;)
# |3f| is the hex escape for "?", so this URI pattern is 37 bytes long
# (/b?k= followed by 32 hex characters). depth:40 equals the length of the
# escaped text, so together with endswith a URI with up to three extra leading
# bytes still matches; the query value itself must match in full.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b|3f|k=bbee54406bdf5263ce87a60545079a1b"; depth:40; endswith; nocase; http.host; content:"5.175.249.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3852002/; classtype:trojan-activity;sid:84715102; rev:1;)
# NOTE(review): the /wp-content/ and /wp-includes/ paths in the next two
# signatures suggest a WordPress site serving the file, possibly a compromised
# legitimate site - confirm before blocking the whole domain on the strength of
# these alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/dvgfltm/aa/loader.sh"; depth:40; endswith; nocase; http.host; content:"tpkpolus.ru"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851998/; classtype:trojan-activity;sid:84715098; rev:1;)
# The host match is exact, so this signature covers www.simonizauto.com only;
# the bare domain with the same path is a separate signature, sid 84715114.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/fonts/loader.sh"; depth:28; endswith; nocase; http.host; content:"www.simonizauto.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851999/; classtype:trojan-activity;sid:84715099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3852000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"103.82.25.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; 
reference:url, urlhaus.abuse.ch/url/3852000/; classtype:trojan-activity;sid:84715100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"85.17.200.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851997/; classtype:trojan-activity;sid:84715097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851996/; classtype:trojan-activity;sid:84715096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.17.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851995/; classtype:trojan-activity;sid:84715095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.17.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851994/; classtype:trojan-activity;sid:84715094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"39.90.151.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851993/; classtype:trojan-activity;sid:84715093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.181.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851992/; classtype:trojan-activity;sid:84715092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.191.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851991/; classtype:trojan-activity;sid:84715091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851990/; classtype:trojan-activity;sid:84715090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.78.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851989/; classtype:trojan-activity;sid:84715089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851988)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.101.213.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851988/; classtype:trojan-activity;sid:84715088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.103.116.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851987/; classtype:trojan-activity;sid:84715087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.141.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851986/; classtype:trojan-activity;sid:84715086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.253.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851985/; classtype:trojan-activity;sid:84715085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.52.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851984/; classtype:trojan-activity;sid:84715084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851983)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.180.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851983/; classtype:trojan-activity;sid:84715083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba1019ee-a048-4bd5-a90d-1fc5da2b8696"; depth:37; endswith; nocase; http.host; content:"euftrhnx.computationalgrid.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851982/; classtype:trojan-activity;sid:84715082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851981/; classtype:trojan-activity;sid:84715081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851980/; classtype:trojan-activity;sid:84715080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.101.213.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851979/; classtype:trojan-activity;sid:84715079; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.78.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851978/; classtype:trojan-activity;sid:84715078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.180.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851977/; classtype:trojan-activity;sid:84715077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851976/; classtype:trojan-activity;sid:84715076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.201.226.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851974/; classtype:trojan-activity;sid:84715074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.52.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; 
reference:url, urlhaus.abuse.ch/url/3851975/; classtype:trojan-activity;sid:84715075; rev:1;)
# The URI pattern "/i" with depth:2 and endswith matches only a request whose
# whole normalised URI is those two bytes; the signature's specificity comes
# from the exact http.host match that follows it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.95.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851973/; classtype:trojan-activity;sid:84715073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851972/; classtype:trojan-activity;sid:84715072; rev:1;)
# sid 84715070 and sid 84715071 carry identical match conditions (same URI, same
# host); only the URLhaus entry id differs. One matching request raises both
# alerts, so count events per flow rather than per alert.
# NOTE(review): the two URLhaus entries presumably differ in scheme or port,
# which these rules do not encode - confirm on the reference pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/505ac99f-02c9-42a2-9d0d-c95052c9ebea"; depth:37; endswith; nocase; http.host; content:"badxqjge.gift-lattice.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851970/; classtype:trojan-activity;sid:84715070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/505ac99f-02c9-42a2-9d0d-c95052c9ebea"; depth:37; endswith; nocase; http.host; content:"badxqjge.gift-lattice.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851971/; classtype:trojan-activity;sid:84715071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851969)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851969/; classtype:trojan-activity;sid:84715069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.95.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851968/; classtype:trojan-activity;sid:84715068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851967/; classtype:trojan-activity;sid:84715067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-7.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851953/; classtype:trojan-activity;sid:84715053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot"; depth:4; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851954/; classtype:trojan-activity;sid:84715054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3851955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p-p.c-.sakura"; depth:14; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851955/; classtype:trojan-activity;sid:84715055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-6.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851956/; classtype:trojan-activity;sid:84715056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-5.8-6.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851957/; classtype:trojan-activity;sid:84715057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-5.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851958/; classtype:trojan-activity;sid:84715058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-p.s-l.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, 
urlhaus.abuse.ch/url/3851959/; classtype:trojan-activity;sid:84715059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sakura.sh"; depth:10; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851960/; classtype:trojan-activity;sid:84715060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-4.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851961/; classtype:trojan-activity;sid:84715061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-i.p-s.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851962/; classtype:trojan-activity;sid:84715062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s-h.4-.sakura"; depth:14; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851963/; classtype:trojan-activity;sid:84715063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-3.2-.sakura"; depth:14; endswith; 
nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851964/; classtype:trojan-activity;sid:84715064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-6.8-k.sakura"; depth:15; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851965/; classtype:trojan-activity;sid:84715065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-8.6-.sakura"; depth:14; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851966/; classtype:trojan-activity;sid:84715066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851951/; classtype:trojan-activity;sid:84715051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851952/; classtype:trojan-activity;sid:84715052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851950)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"85.204.125.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851950/; classtype:trojan-activity;sid:84715050; rev:1;)
# How each rule below matches:
#   - `alert http` with flow:established,from_client and http.method content:"GET":
#     a client-side GET on an established flow from $HOME_NET to $EXTERNAL_NET.
#   - http.uri: depth equals the content length and endswith anchors the end, so
#     the URI buffer must equal the listed path exactly (nocase: any letter case).
#     A request for the same file with a query string appended does not match.
#   - http.host: depth equals the content length and isdataat:!1,relative rejects
#     trailing bytes, so the host must equal the listed IP or name exactly.
#   - The number in msg and in the reference URL is the URLhaus entry ID; in the
#     rules shown here sid is always that ID + 80863100, which maps an alert back
#     to its URLhaus page.
# Coverage note: these are `alert http` signatures, so they only fire on HTTP that
# Suricata parses in clear text; the same download over TLS is not seen by them.
# Indicator shapes in this stretch: /i and /bin.sh on bare IPv4 hosts, UUID-shaped
# paths on 8-letter subdomains of .christmas and .cyou domains, and one host
# (176.65.139.188) serving a set of files under /tg1zgmft/.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"41.201.226.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851949/; classtype:trojan-activity;sid:84715049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851948/; classtype:trojan-activity;sid:84715048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.121.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851947/; classtype:trojan-activity;sid:84715047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.231.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851946/; classtype:trojan-activity;sid:84715046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851945/; classtype:trojan-activity;sid:84715045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.170.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851944/; classtype:trojan-activity;sid:84715044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851943/; classtype:trojan-activity;sid:84715043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.138.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851942/; classtype:trojan-activity;sid:84715042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.121.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851941/; classtype:trojan-activity;sid:84715041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.231.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851940/; classtype:trojan-activity;sid:84715040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ed43f705-077c-4a27-afdb-6d2678de06be"; depth:37; endswith; nocase; http.host; content:"lzascdxk.xenomorphhiveintel.christmas"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851939/; classtype:trojan-activity;sid:84715039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.170.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851938/; classtype:trojan-activity;sid:84715038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.0.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851937/; classtype:trojan-activity;sid:84715037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.191.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851936/; classtype:trojan-activity;sid:84715036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e3d9565f-68aa-44b0-aa7d-b64a3e9d24dd"; depth:37; endswith; nocase; http.host; content:"ukkqtbst.snow-harbor.christmas"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851935/; classtype:trojan-activity;sid:84715035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.117.255"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851934/; classtype:trojan-activity;sid:84715034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.54.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851932/; classtype:trojan-activity;sid:84715032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.184.28.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851933/; classtype:trojan-activity;sid:84715033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851931/; classtype:trojan-activity;sid:84715031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.0.212.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851930/; classtype:trojan-activity;sid:84715030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.255.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851929/; classtype:trojan-activity;sid:84715029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.184.28.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851928/; classtype:trojan-activity;sid:84715028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3e376a3d-065b-463f-93dd-8721c73c2e12"; depth:37; endswith; nocase; http.host; content:"mokmgdal.gift-lattice.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851927/; classtype:trojan-activity;sid:84715027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851926/; classtype:trojan-activity;sid:84715026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.216.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851925/; classtype:trojan-activity;sid:84715025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.113.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851924/; classtype:trojan-activity;sid:84715024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.136.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851923/; classtype:trojan-activity;sid:84715023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.151.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851922/; classtype:trojan-activity;sid:84715022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a754bad3-7e7b-479d-b307-bcbfcb2a933f"; depth:37; endswith; nocase; http.host; content:"paqcfwvt.winter-pulse.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851921/; classtype:trojan-activity;sid:84715021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.8.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851920/; classtype:trojan-activity;sid:84715020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.173.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851919/; classtype:trojan-activity;sid:84715019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851918/; classtype:trojan-activity;sid:84715018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.35.153"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851917/; classtype:trojan-activity;sid:84715017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.225.163.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851916/; classtype:trojan-activity;sid:84715016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30570070-8dda-4769-8eef-c0c5a6867cb6"; depth:37; endswith; nocase; http.host; content:"hzlqlpfw.frost-engine.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851915/; classtype:trojan-activity;sid:84715015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.98.142.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851914/; classtype:trojan-activity;sid:84715014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.8.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851912/; classtype:trojan-activity;sid:84715012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.35.153"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851913/; classtype:trojan-activity;sid:84715013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.251.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851911/; classtype:trojan-activity;sid:84715011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/96b7aba8-3295-4cfa-ba52-95f2dcc75e6a"; depth:37; endswith; nocase; http.host; content:"ihtfqktk.holiday-matrix.christmas"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851910/; classtype:trojan-activity;sid:84715010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.106.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851909/; classtype:trojan-activity;sid:84715009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.255.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851908/; classtype:trojan-activity;sid:84715008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/786762b0-4825-4286-99b2-577a9bc95013"; depth:37; endswith; nocase; http.host; content:"ilhvyrij.ipv4has-lampnew.cyou"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851907/; classtype:trojan-activity;sid:84715007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.251.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851906/; classtype:trojan-activity;sid:84715006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.145.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851905/; classtype:trojan-activity;sid:84715005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.145.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851904/; classtype:trojan-activity;sid:84715004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.86.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851903/; classtype:trojan-activity;sid:84715003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.106.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851902/; classtype:trojan-activity;sid:84715002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab9efe8d-0c62-405b-bb4f-1e0e6c3a048e"; depth:37; endswith; nocase; http.host; content:"mkszunli.flopstin-gymcargo.cyou"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851901/; classtype:trojan-activity;sid:84715001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.86.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851900/; classtype:trojan-activity;sid:84715000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/49a68922-608d-42f2-aefe-fc929839d14a"; depth:37; endswith; nocase; http.host; content:"mfbrkbuv.betnoise-unionour.cyou"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851899/; classtype:trojan-activity;sid:84714999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851898/; classtype:trojan-activity;sid:84714998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.246.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851897/; classtype:trojan-activity;sid:84714997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.153.144.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851896/; classtype:trojan-activity;sid:84714996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.12.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851895/; classtype:trojan-activity;sid:84714995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.250.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851894/; classtype:trojan-activity;sid:84714994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851893/; classtype:trojan-activity;sid:84714993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.177.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851892/; classtype:trojan-activity;sid:84714992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851891/; classtype:trojan-activity;sid:84714991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.207.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851890/; classtype:trojan-activity;sid:84714990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bc3341b1-731e-4187-93fc-7f86b7753cf5"; depth:37; endswith; nocase; http.host; content:"hoycbijv.holiday-matrix.christmas"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851889/; classtype:trojan-activity;sid:84714989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.177.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851888/; classtype:trojan-activity;sid:84714988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.76.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851887/; classtype:trojan-activity;sid:84714987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.191.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851886/; classtype:trojan-activity;sid:84714986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.30.170"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851885/; classtype:trojan-activity;sid:84714985; rev:1;)
# Entries 3851871-3851884: a single host (176.65.139.188) and a single directory
# (/tg1zgmft/), holding one shell script (android.sh) and 13 files whose
# extensions look like CPU-architecture tags (x86_64, arm5, i486, ppc, mips, arm7,
# mpsl, arm, mips64, i686, i586, aarch64, arm6). Each file has its own exact-match
# rule, so a file name not listed here is not covered even on the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/nknrjhk.x86_64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851871/; classtype:trojan-activity;sid:84714971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/qtmrdhj.arm5"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851872/; classtype:trojan-activity;sid:84714972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/amvdvgp.i486"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851873/; classtype:trojan-activity;sid:84714973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/android.sh"; depth:20; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851874/; classtype:trojan-activity;sid:84714974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/jvwyawa.ppc"; depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851875/; classtype:trojan-activity;sid:84714975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/bjsvazz.mips"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851876/; classtype:trojan-activity;sid:84714976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/rrolpik.arm7"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851877/; classtype:trojan-activity;sid:84714977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/uztbtfs.mpsl"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851878/; classtype:trojan-activity;sid:84714978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/uasvdmt.arm"; depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851879/; classtype:trojan-activity;sid:84714979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/nqxefxw.mips64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851880/; classtype:trojan-activity;sid:84714980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/jdruzjv.i686"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851881/; classtype:trojan-activity;sid:84714981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/nvbiyjp.i586"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851882/; classtype:trojan-activity;sid:84714982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/czwzdzt.aarch64"; depth:25; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851883/; classtype:trojan-activity;sid:84714983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tg1zgmft/tpydwmr.arm6"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851884/; classtype:trojan-activity;sid:84714984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02b9cfc1-2c23-4ca6-b36e-fbec31299c31"; depth:37; endswith; nocase; http.host; content:"mvltyody.frost-engine.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851870/; classtype:trojan-activity;sid:84714970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.30.170"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851869/; classtype:trojan-activity;sid:84714969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.246.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851868/; classtype:trojan-activity;sid:84714968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.76.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851867/; classtype:trojan-activity;sid:84714967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dabbd14d-3c14-425b-85e7-e2550832fc63"; depth:37; endswith; nocase; http.host; content:"ftjilgqw.winter-pulse.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851866/; classtype:trojan-activity;sid:84714966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.156.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851865/; classtype:trojan-activity;sid:84714965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.13.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851863/; classtype:trojan-activity;sid:84714963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.119.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851864/; classtype:trojan-activity;sid:84714964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.108.80.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_23; reference:url, urlhaus.abuse.ch/url/3851862/; classtype:trojan-activity;sid:84714962; rev:1;)
# From entry 3851861 on, created_at reads 2026_05_22 (2026_05_23 in the rules above).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851861/; classtype:trojan-activity;sid:84714961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8ee92af5-0bfd-4f2d-9008-878f5978ff55"; depth:37; endswith; nocase; http.host; content:"mfwhezll.gift-lattice.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851860/; classtype:trojan-activity;sid:84714960; rev:1;)
# Host here is the bare domain winter-pulse.christmas. Because http.host is matched
# exactly, this rule does not cover the subdomain entries (paqcfwvt. and ftjilgqw.
# winter-pulse.christmas), and those rules do not cover this one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chk"; depth:4; endswith; nocase; http.host; content:"winter-pulse.christmas"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851859/; classtype:trojan-activity;sid:84714959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.207.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851858/; classtype:trojan-activity;sid:84714958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.203.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851857/; classtype:trojan-activity;sid:84714957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3851856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.16.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851856/; classtype:trojan-activity;sid:84714956; rev:1;)
# Exact-match indicators: GET only, http.uri anchored at both ends (depth ==
# content length, endswith, nocase) and http.host anchored the same way (depth
# == content length, isdataat:!1,relative). A rule fires only for the literal
# host/URI pair it names; nothing here generalises to other files on the host.
# Several hosts in this run appear twice, once with /i and once with /bin.sh
# (182.117.54.55, 125.41.77.7, 125.41.6.74); each pair is two separate sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.54.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851855/; classtype:trojan-activity;sid:84714955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.85.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851854/; classtype:trojan-activity;sid:84714954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.47.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851853/; classtype:trojan-activity;sid:84714953; rev:1;)
# /chk on a bare *.christmas domain; the same path recurs below on other
# *.christmas names, one rule per hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chk"; depth:4; endswith; nocase; http.host; content:"gift-lattice.christmas"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851852/; classtype:trojan-activity;sid:84714952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.77.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851851/; classtype:trojan-activity;sid:84714951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.6.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851850/; classtype:trojan-activity;sid:84714950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.54.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851849/; classtype:trojan-activity;sid:84714949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.77.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851847/; classtype:trojan-activity;sid:84714947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.6.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851848/; classtype:trojan-activity;sid:84714948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.83.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851846/; classtype:trojan-activity;sid:84714946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.138.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851845/; classtype:trojan-activity;sid:84714945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chk"; depth:4; endswith; nocase; http.host; content:"snow-harbor.christmas"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851844/; classtype:trojan-activity;sid:84714944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.250.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851843/; classtype:trojan-activity;sid:84714943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.81.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851842/; classtype:trojan-activity;sid:84714942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chk"; depth:4; endswith; nocase; http.host; content:"xenomorphhiveintel.christmas"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851841/; classtype:trojan-activity;sid:84714941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851840/; classtype:trojan-activity;sid:84714940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.243.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851839/; classtype:trojan-activity;sid:84714939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.32.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851838/; classtype:trojan-activity;sid:84714938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851837)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851837/; classtype:trojan-activity;sid:84714937; rev:1;)
# Rule shape used throughout: client-side GET on an established flow, with the
# whole http.uri buffer and the whole http.host buffer each required to equal
# the quoted content (depth == content length; endswith on the URI,
# isdataat:!1,relative on the host). Matching is per exact URL, not per host.
#
# 91.92.242.236, /files-129312398/files/: three rules in this run differ only
# in the file_<16 hex chars>.exe name. Because the URI match is exact, another
# filename under the same directory is not covered by these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_66b7f7ac55ab3943.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851836/; classtype:trojan-activity;sid:84714936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.189.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851835/; classtype:trojan-activity;sid:84714935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.230.80.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851834/; classtype:trojan-activity;sid:84714934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.203.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851833/; classtype:trojan-activity;sid:84714933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.32.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851832/; classtype:trojan-activity;sid:84714932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.223.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851831/; classtype:trojan-activity;sid:84714931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.204.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851830/; classtype:trojan-activity;sid:84714930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.239.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851829/; classtype:trojan-activity;sid:84714929; rev:1;)
# Hostname indicator (not an IP literal): /chk on a bare *.christmas domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chk"; depth:4; endswith; nocase; http.host; content:"sopranos-familytree.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851828/; classtype:trojan-activity;sid:84714928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_06ad553c86ec86c7.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851827/; classtype:trojan-activity;sid:84714927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_05115473da05b069.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851826/; classtype:trojan-activity;sid:84714926; rev:1;)
# Back to /i and /bin.sh on IP-literal hosts; the two-byte "/i" URI adds little
# specificity on its own, so these alerts stand or fall on the Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.39.8"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851825/; classtype:trojan-activity;sid:84714925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.229.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851824/; classtype:trojan-activity;sid:84714924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.249.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851823/; classtype:trojan-activity;sid:84714923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.29.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851822/; classtype:trojan-activity;sid:84714922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.29.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851821/; classtype:trojan-activity;sid:84714921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.160.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851820/; classtype:trojan-activity;sid:84714920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.229.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851819/; classtype:trojan-activity;sid:84714919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3851818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.39.8"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851818/; classtype:trojan-activity;sid:84714918; rev:1;)
# One rule per reported URL. The number in msg and in the reference URL is the
# URLhaus entry id, which is the key to use when pivoting from an alert back to
# the feed. URI and Host are both matched in full (depth == content length,
# endswith / isdataat:!1,relative), so every sid below covers one URL only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.6.180"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851817/; classtype:trojan-activity;sid:84714917; rev:1;)
# 160.119.71.16: a /l/nope<N>.johnsmith series (N = 1-11 and 13 in this run)
# plus /sssss.sh, thirteen sids in total. The URI match is exact, so a filename
# outside the listed set on this host produces no alert from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope1.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851816/; classtype:trojan-activity;sid:84714916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope4.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851804/; classtype:trojan-activity;sid:84714904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope13.johnsmith"; depth:19; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851805/; classtype:trojan-activity;sid:84714905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope9.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851806/; classtype:trojan-activity;sid:84714906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope2.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851807/; classtype:trojan-activity;sid:84714907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sssss.sh"; depth:9; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851808/; classtype:trojan-activity;sid:84714908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope8.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851809/; classtype:trojan-activity;sid:84714909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope5.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851810/; classtype:trojan-activity;sid:84714910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope10.johnsmith"; depth:19; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851811/; classtype:trojan-activity;sid:84714911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope6.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851812/; classtype:trojan-activity;sid:84714912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope7.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851813/; classtype:trojan-activity;sid:84714913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope11.johnsmith"; depth:19; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851814/; classtype:trojan-activity;sid:84714914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l/nope3.johnsmith"; depth:18; endswith; nocase; http.host; content:"160.119.71.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851815/; classtype:trojan-activity;sid:84714915; rev:1;)
# End of the 160.119.71.16 series; /i and /bin.sh on IP-literal hosts resume.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.160.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851802/; classtype:trojan-activity;sid:84714902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.145.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851803/; classtype:trojan-activity;sid:84714903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.240.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851801/; classtype:trojan-activity;sid:84714901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.24.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851800/; classtype:trojan-activity;sid:84714900; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.242.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851799/; classtype:trojan-activity;sid:84714899; rev:1;)
# Coverage limits visible in the rule text: the direction is $HOME_NET ->
# $EXTERNAL_NET only, the method must be GET, and URI and Host must each equal
# the quoted content in full (depth == content length; endswith on http.uri,
# isdataat:!1,relative on http.host). Requests to the same host with another
# method, path or query string are outside what these sids detect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.94.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851798/; classtype:trojan-activity;sid:84714898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.53.111.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851797/; classtype:trojan-activity;sid:84714897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.145.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851796/; classtype:trojan-activity;sid:84714896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.184.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851795/; classtype:trojan-activity;sid:84714895; rev:1;)
# Hostname indicator: /verif on a bare *.christmas domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verif"; depth:6; endswith; nocase; http.host; content:"holisticdetective.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851794/; classtype:trojan-activity;sid:84714894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.184.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851793/; classtype:trojan-activity;sid:84714893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.193.110.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851792/; classtype:trojan-activity;sid:84714892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.254.195.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851791/; classtype:trojan-activity;sid:84714891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.205.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851790/; classtype:trojan-activity;sid:84714890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.107.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851789/; classtype:trojan-activity;sid:84714889; rev:1;)
# 130.12.180.190 with the five-byte URI /15/a.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15/a"; depth:5; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851788/; classtype:trojan-activity;sid:84714888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.140.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851787/; classtype:trojan-activity;sid:84714887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851786/; classtype:trojan-activity;sid:84714886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.193.110.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851785/; classtype:trojan-activity;sid:84714885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.54.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851784/; classtype:trojan-activity;sid:84714884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.254.195.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851783/; classtype:trojan-activity;sid:84714883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.140.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851782/; classtype:trojan-activity;sid:84714882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.138.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851781/; classtype:trojan-activity;sid:84714881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3851780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.107.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851780/; classtype:trojan-activity;sid:84714880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.125.5.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851779/; classtype:trojan-activity;sid:84714879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851778/; classtype:trojan-activity;sid:84714878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.116.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851777/; classtype:trojan-activity;sid:84714877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851776/; classtype:trojan-activity;sid:84714876; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.125.5.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851775/; classtype:trojan-activity;sid:84714875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.232.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851774/; classtype:trojan-activity;sid:84714874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verif"; depth:6; endswith; nocase; http.host; content:"phase-shiftbridge.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851773/; classtype:trojan-activity;sid:84714873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/361d2a9d-9c75-4043-bfd8-bbca0794e89e/api.js"; depth:44; endswith; nocase; http.host; content:"nodefabric.christmas"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851772/; classtype:trojan-activity;sid:84714872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.59.244"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851771/; classtype:trojan-activity;sid:84714871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"98.252.87.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851770/; classtype:trojan-activity;sid:84714870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.86.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851769/; classtype:trojan-activity;sid:84714869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.80.179"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851768/; classtype:trojan-activity;sid:84714868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.59.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851767/; classtype:trojan-activity;sid:84714867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"110.39.238.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851766/; classtype:trojan-activity;sid:84714866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.232.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851765/; classtype:trojan-activity;sid:84714865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.80.179"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851764/; classtype:trojan-activity;sid:84714864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/64f2d2a2-efba-49bf-b079-1ba81e02a777/ton.ch"; depth:44; endswith; nocase; http.host; content:"nodefabric.christmas"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851763/; classtype:trojan-activity;sid:84714863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.59.124"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851762/; classtype:trojan-activity;sid:84714862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3851761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851761/; classtype:trojan-activity;sid:84714861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5405d3e1-2a9c-468d-8d44-c66d47f51cea/ton.ch"; depth:44; endswith; nocase; http.host; content:"virtual-packet-grid.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851760/; classtype:trojan-activity;sid:84714860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.59.124"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851759/; classtype:trojan-activity;sid:84714859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851758/; classtype:trojan-activity;sid:84714858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_61fdc9c6c9548f20.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, 
urlhaus.abuse.ch/url/3851757/; classtype:trojan-activity;sid:84714857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_46523d3a4b85e9dc.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851755/; classtype:trojan-activity;sid:84714855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_50287593ed694836.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851756/; classtype:trojan-activity;sid:84714856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851754/; classtype:trojan-activity;sid:84714854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.238.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851753/; classtype:trojan-activity;sid:84714853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851752)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851752/; classtype:trojan-activity;sid:84714852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851751/; classtype:trojan-activity;sid:84714851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/24570d7a-161a-490a-8818-be3190f8a653/ton.ch"; depth:44; endswith; nocase; http.host; content:"cache-orbit.christmas"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851750/; classtype:trojan-activity;sid:84714850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.173.158.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851749/; classtype:trojan-activity;sid:84714849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.113.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851748/; classtype:trojan-activity;sid:84714848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3851747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.80.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851747/; classtype:trojan-activity;sid:84714847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.189.105"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851746/; classtype:trojan-activity;sid:84714846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.128.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851745/; classtype:trojan-activity;sid:84714845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851744/; classtype:trojan-activity;sid:84714844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.206.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851743/; 
classtype:trojan-activity;sid:84714843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca6dcb4d-a7bd-4116-80f4-992b542c3567/ton.ch"; depth:44; endswith; nocase; http.host; content:"labdjang.asia"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851742/; classtype:trojan-activity;sid:84714842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37fd9404-b366-49b3-8b03-b1b77f3fac39/ton.ch"; depth:44; endswith; nocase; http.host; content:"reposboy.asia"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851741/; classtype:trojan-activity;sid:84714841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.128.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851740/; classtype:trojan-activity;sid:84714840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.225.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851739/; classtype:trojan-activity;sid:84714839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851738)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/8bb4f999-2220-484b-ae1d-4c8921d2bbaa/ton.ch"; depth:44; endswith; nocase; http.host; content:"spamgym.asia"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851738/; classtype:trojan-activity;sid:84714838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.92.206.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851737/; classtype:trojan-activity;sid:84714837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"110.39.242.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851736/; classtype:trojan-activity;sid:84714836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.122.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851735/; classtype:trojan-activity;sid:84714835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.49.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851734/; classtype:trojan-activity;sid:84714834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3851733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4b1907aa-05c5-465b-9f6b-836a0b125eb3/ton.ch"; depth:44; endswith; nocase; http.host; content:"reposboy.asia"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851733/; classtype:trojan-activity;sid:84714833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.92.206.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851732/; classtype:trojan-activity;sid:84714832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.25.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851731/; classtype:trojan-activity;sid:84714831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.49.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851730/; classtype:trojan-activity;sid:84714830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.151.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851729/; 
classtype:trojan-activity;sid:84714829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.122.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851728/; classtype:trojan-activity;sid:84714828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.251.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851727/; classtype:trojan-activity;sid:84714827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.223.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851726/; classtype:trojan-activity;sid:84714826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.44.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851725/; classtype:trojan-activity;sid:84714825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.25.249"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851724/; classtype:trojan-activity;sid:84714824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851723/; classtype:trojan-activity;sid:84714823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.218.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851722/; classtype:trojan-activity;sid:84714822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.218.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851721/; classtype:trojan-activity;sid:84714821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.218.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851720/; classtype:trojan-activity;sid:84714820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"222.142.251.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851719/; classtype:trojan-activity;sid:84714819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rem"; depth:4; endswith; nocase; http.host; content:"vanta.st"; depth:8; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851718/; classtype:trojan-activity;sid:84714818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ca7bee58793b0926.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851717/; classtype:trojan-activity;sid:84714817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.214.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851716/; classtype:trojan-activity;sid:84714816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"134.122.4.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851715/; classtype:trojan-activity;sid:84714815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3851714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"134.122.4.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851714/; classtype:trojan-activity;sid:84714814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.214.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851713/; classtype:trojan-activity;sid:84714813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7a28b2c1-d858-4730-a6c5-efb8b85d586d/ton.ch"; depth:44; endswith; nocase; http.host; content:"spamgym.asia"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851712/; classtype:trojan-activity;sid:84714812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.92.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851711/; classtype:trojan-activity;sid:84714811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.245.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851710/; 
classtype:trojan-activity;sid:84714810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.108.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851709/; classtype:trojan-activity;sid:84714809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.75.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851708/; classtype:trojan-activity;sid:84714808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8051445044/tthdenf.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851707/; classtype:trojan-activity;sid:84714807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.26.86.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851706/; classtype:trojan-activity;sid:84714806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"119.179.209.104"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851705/; classtype:trojan-activity;sid:84714805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.29.239.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851703/; classtype:trojan-activity;sid:84714803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"115.61.96.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851704/; classtype:trojan-activity;sid:84714804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"117.242.199.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851702/; classtype:trojan-activity;sid:84714802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"154.242.139.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851701/; classtype:trojan-activity;sid:84714801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851700)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files-129312398/files/file_cde98f9f712d710a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851700/; classtype:trojan-activity;sid:84714800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.245.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851699/; classtype:trojan-activity;sid:84714799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.14.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851698/; classtype:trojan-activity;sid:84714798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.108.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851697/; classtype:trojan-activity;sid:84714797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.75.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851696/; classtype:trojan-activity;sid:84714796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3851695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.164.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851695/; classtype:trojan-activity;sid:84714795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.253.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851694/; classtype:trojan-activity;sid:84714794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.79.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851693/; classtype:trojan-activity;sid:84714793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.14.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851692/; classtype:trojan-activity;sid:84714792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.215.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851691/; 
classtype:trojan-activity;sid:84714791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.141.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851690/; classtype:trojan-activity;sid:84714790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d01af252-520e-49c5-bb8f-dedf96636d23/ton.ch"; depth:44; endswith; nocase; http.host; content:"formkey.asia"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851689/; classtype:trojan-activity;sid:84714789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/96a44b1a-a1ce-4725-92a8-c3de38e825ee/ton.ch"; depth:44; endswith; nocase; http.host; content:"chickencutlet-hacks.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851688/; classtype:trojan-activity;sid:84714788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.41.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851687/; classtype:trojan-activity;sid:84714787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851686)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/28601180-c97e-4631-91ff-c70af4e7e173/g.ch"; depth:42; endswith; nocase; http.host; content:"chickencutlet-hacks.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851686/; classtype:trojan-activity;sid:84714786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.171.168.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851685/; classtype:trojan-activity;sid:84714785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.171.168.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851684/; classtype:trojan-activity;sid:84714784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.134.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851683/; classtype:trojan-activity;sid:84714783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.230.80.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851682/; classtype:trojan-activity;sid:84714782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3851681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.141.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851681/; classtype:trojan-activity;sid:84714781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a69046cd-ffaa-4b2e-95d3-c3c082cfe1b6/g.ch"; depth:42; endswith; nocase; http.host; content:"chroniclearchivekeeper.christmas"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851680/; classtype:trojan-activity;sid:84714780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.35.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851679/; classtype:trojan-activity;sid:84714779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.81.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851678/; classtype:trojan-activity;sid:84714778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.35.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; 
reference:url, urlhaus.abuse.ch/url/3851677/; classtype:trojan-activity;sid:84714777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6bfc3d4d-4b96-418d-9580-ba33fc9fee48/g.ch"; depth:42; endswith; nocase; http.host; content:"logicbufferskills.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851676/; classtype:trojan-activity;sid:84714776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.248.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851675/; classtype:trojan-activity;sid:84714775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/92c054f2-ff2b-41bb-abe2-04b838ace443/g.ch"; depth:42; endswith; nocase; http.host; content:"pixelart-canvas.christmas"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851674/; classtype:trojan-activity;sid:84714774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851673/; classtype:trojan-activity;sid:84714773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851672)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.153.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851672/; classtype:trojan-activity;sid:84714772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6b92bf0-7e99-48e6-8b94-178717dfab11/g.ch"; depth:42; endswith; nocase; http.host; content:"vintagevinylrestoration.christmas"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851671/; classtype:trojan-activity;sid:84714771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.91.141.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851670/; classtype:trojan-activity;sid:84714770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.106.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851669/; classtype:trojan-activity;sid:84714769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.88.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851668/; classtype:trojan-activity;sid:84714768; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851666/; classtype:trojan-activity;sid:84714766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851667/; classtype:trojan-activity;sid:84714767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851665/; classtype:trojan-activity;sid:84714765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851662/; classtype:trojan-activity;sid:84714762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"165.227.155.54"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851663/; classtype:trojan-activity;sid:84714763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851664/; classtype:trojan-activity;sid:84714764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.mpsl"; depth:18; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851660/; classtype:trojan-activity;sid:84714760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851661/; classtype:trojan-activity;sid:84714761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851658/; classtype:trojan-activity;sid:84714758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851659)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851659/; classtype:trojan-activity;sid:84714759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.i686"; depth:18; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851646/; classtype:trojan-activity;sid:84714746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.arm4"; depth:18; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851647/; classtype:trojan-activity;sid:84714747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.ppc"; depth:17; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851648/; classtype:trojan-activity;sid:84714748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips64"; depth:23; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851649/; 
classtype:trojan-activity;sid:84714749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851650/; classtype:trojan-activity;sid:84714750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sparc"; depth:22; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851651/; classtype:trojan-activity;sid:84714751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.arm7"; depth:18; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851652/; classtype:trojan-activity;sid:84714752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.x86"; depth:17; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851653/; classtype:trojan-activity;sid:84714753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.arm5"; depth:18; endswith; 
nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851654/; classtype:trojan-activity;sid:84714754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.mips"; depth:18; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851655/; classtype:trojan-activity;sid:84714755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/phantom.arm6"; depth:18; endswith; nocase; http.host; content:"176.65.139.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851656/; classtype:trojan-activity;sid:84714756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851657/; classtype:trojan-activity;sid:84714757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/614bf1e9-4498-4c92-8a38-0bc6b48678c9/g.ch"; depth:42; endswith; nocase; http.host; content:"trading-academyexpert.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851645/; classtype:trojan-activity;sid:84714745; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t8"; depth:40; endswith; nocase; http.host; content:"sam-sa.net"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851644/; classtype:trojan-activity;sid:84714744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v12"; depth:41; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851641/; classtype:trojan-activity;sid:84714741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v5"; depth:40; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851642/; classtype:trojan-activity;sid:84714742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v9"; depth:40; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851643/; classtype:trojan-activity;sid:84714743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851635)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v8"; depth:40; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851635/; classtype:trojan-activity;sid:84714735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10"; depth:41; endswith; nocase; http.host; content:"sam-sa.net"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851636/; classtype:trojan-activity;sid:84714736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v7"; depth:40; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851637/; classtype:trojan-activity;sid:84714737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10"; depth:41; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851638/; classtype:trojan-activity;sid:84714738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v10"; depth:41; endswith; nocase; http.host; content:"candipoker.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; 
reference:url, urlhaus.abuse.ch/url/3851639/; classtype:trojan-activity;sid:84714739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/v11"; depth:41; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851640/; classtype:trojan-activity;sid:84714740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t11"; depth:41; endswith; nocase; http.host; content:"sam-sa.net"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851633/; classtype:trojan-activity;sid:84714733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10"; depth:41; endswith; nocase; http.host; content:"candipoker.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851634/; classtype:trojan-activity;sid:84714734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t10"; depth:41; endswith; nocase; http.host; content:"sam-sa.net"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851630/; classtype:trojan-activity;sid:84714730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
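(3851631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t5"; depth:40; endswith; nocase; http.host; content:"sam-sa.net"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851631/; classtype:trojan-activity;sid:84714731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t7"; depth:40; endswith; nocase; http.host; content:"sam-sa.net"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851632/; classtype:trojan-activity;sid:84714732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t12"; depth:41; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851623/; classtype:trojan-activity;sid:84714723; rev:1;)
# sid 84714724: exact-match rule (GET, full http.uri, full http.host).
# |3f| encodes one byte ("?"), so the http.uri pattern is 43 bytes long. The
# published depth was 46, the length of the escaped text, which let the pattern
# start at offsets 0-3 instead of only at the start of the buffer. depth:43
# together with endswith pins the URI exactly, as the other rules here do.
# NOTE(review): the miscount looks generator-side (depth taken from the escaped
# string); confirm upstream and re-check any rule whose content holds a |xx| escape.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc|3f|k=h0mhgmj0jk2pirqqvppk"; depth:43; endswith; nocase; http.host; content:"64.89.162.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851624/; classtype:trojan-activity;sid:84714724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t5"; depth:40; endswith; nocase; http.host; content:"namlongland.net"; 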
depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851625/; classtype:trojan-activity;sid:84714725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t8"; depth:40; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851626/; classtype:trojan-activity;sid:84714726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t7"; depth:40; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851627/; classtype:trojan-activity;sid:84714727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t11"; depth:41; endswith; nocase; http.host; content:"namlongland.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851628/; classtype:trojan-activity;sid:84714728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebd417db-979c-51f8-aedf-88a2bf8aa6c3/t12"; depth:41; endswith; nocase; http.host; content:"sam-sa.net"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851629/; classtype:trojan-activity;sid:84714729; rev:1;) alert http $HOME_NET any -> 
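$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_db636563c3c4acf5.dll:::start"; depth:56; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851621/; classtype:trojan-activity;sid:84714721; rev:1;)
# Rule shape: alert on an outbound client GET whose http.uri equals the listed
# path (depth == pattern length, plus endswith; nocase) and whose http.host
# equals the listed host (depth == pattern length, plus isdataat:!1,relative).
#
# NOTE(review): three rules below carry a "|3f|" escape ("?"), which Suricata
# matches as a single byte. The feed shipped depth values 3 too large for them
# (22, 17 and 17), apparently counting the escape as four characters; combined
# with endswith that also accepts URIs with up to three extra leading bytes.
# The depths are corrected here to the real pattern lengths (19, 14, 14) so
# these rules are exact-URI matches like the others. Local correction to
# generated rules (sid/rev left as published); it needs fixing in the upstream
# generator or the next feed update will revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infos.php|3f|fronts=1"; depth:19; endswith; nocase; http.host; content:"linkedco.net"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851622/; classtype:trojan-activity;sid:84714722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/mn/6676097740/update"; depth:25; endswith; nocase; http.host; content:"microsmeet.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851620/; classtype:trojan-activity;sid:84714720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|tag=f9zp2cak"; depth:14; endswith; nocase; http.host; content:"get2508.host87p.cfd"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851618/; classtype:trojan-activity;sid:84714718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|tag=f9zp2cak"; depth:14; endswith; nocase; http.host; 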
content:"get4061.host87p.cfd"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851619/; classtype:trojan-activity;sid:84714719; rev:1;)
# Rule shape: alert on an outbound client GET whose http.uri equals the listed
# path (depth == pattern length, plus endswith; nocase) and whose http.host
# equals the listed host (depth == pattern length, plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug/loader.sh"; depth:16; endswith; nocase; http.host; content:"lfwxgs.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851601/; classtype:trojan-activity;sid:84714701; rev:1;)
# NOTE(review): the URI pattern in the next rule is just "/" (exact match), so
# it fires on any GET for the root page of this host, not on a distinctive
# payload path. When triaging an alert, check the referenced URLhaus entry and
# the response body before treating it as a confirmed download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"ceappi.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851602/; classtype:trojan-activity;sid:84714702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851603/; classtype:trojan-activity;sid:84714703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851604/; classtype:trojan-activity;sid:84714704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851605)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851605/; classtype:trojan-activity;sid:84714705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851606/; classtype:trojan-activity;sid:84714706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851607/; classtype:trojan-activity;sid:84714707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm4"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851608/; classtype:trojan-activity;sid:84714708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851609/; classtype:trojan-activity;sid:84714709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3851610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i486"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851610/; classtype:trojan-activity;sid:84714710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851611/; classtype:trojan-activity;sid:84714711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851612/; classtype:trojan-activity;sid:84714712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arc"; depth:9; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851613/; classtype:trojan-activity;sid:84714713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851614/; 
classtype:trojan-activity;sid:84714714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851615/; classtype:trojan-activity;sid:84714715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851616/; classtype:trojan-activity;sid:84714716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851617/; classtype:trojan-activity;sid:84714717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installer.msi"; depth:14; endswith; nocase; http.host; content:"46.224.18.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851600/; classtype:trojan-activity;sid:84714700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fd896ea145f39dc0.dll:::start"; depth:56; endswith; nocase; 
http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851598/; classtype:trojan-activity;sid:84714698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d1f1134c95605cbb.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851599/; classtype:trojan-activity;sid:84714699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.231.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851597/; classtype:trojan-activity;sid:84714697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.151.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851596/; classtype:trojan-activity;sid:84714696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d0d852ed-9946-4317-8b96-e1740da525d7/g.ch"; depth:42; endswith; nocase; http.host; content:"neon-cyberpunk.christmas"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851595/; classtype:trojan-activity;sid:84714695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3851594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.151.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851594/; classtype:trojan-activity;sid:84714694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2cfd9d2-c83c-49b2-a54b-ae75333809dd/g.ch"; depth:42; endswith; nocase; http.host; content:"linguisticpuzzlesolver.christmas"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851593/; classtype:trojan-activity;sid:84714693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.42.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851592/; classtype:trojan-activity;sid:84714692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/237e77e4-e9dd-4832-ac74-7c08e36f8b19/g.ch"; depth:42; endswith; nocase; http.host; content:"linguisticpuzzlesolver.christmas"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851591/; classtype:trojan-activity;sid:84714691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.169.157"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851590/; classtype:trojan-activity;sid:84714690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.219.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851589/; classtype:trojan-activity;sid:84714689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/212fbe40-570d-403b-81b9-e895913bb568/g.ch"; depth:42; endswith; nocase; http.host; content:"subterranean-mineral.christmas"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851588/; classtype:trojan-activity;sid:84714688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.219.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851587/; classtype:trojan-activity;sid:84714687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.156.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851586/; classtype:trojan-activity;sid:84714686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851585)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.169.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851585/; classtype:trojan-activity;sid:84714685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.161.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851584/; classtype:trojan-activity;sid:84714684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.43.253"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851583/; classtype:trojan-activity;sid:84714683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851582/; classtype:trojan-activity;sid:84714682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.140.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851581/; classtype:trojan-activity;sid:84714681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3851580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.43.253"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851580/; classtype:trojan-activity;sid:84714680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3333cb84-ffcf-4715-8afe-a87a919bf5a3/g.ch"; depth:42; endswith; nocase; http.host; content:"smartworkflowmanagement.christmas"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851579/; classtype:trojan-activity;sid:84714679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.156.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851578/; classtype:trojan-activity;sid:84714678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.187.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851577/; classtype:trojan-activity;sid:84714677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.159.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, 
urlhaus.abuse.ch/url/3851576/; classtype:trojan-activity;sid:84714676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.138.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851575/; classtype:trojan-activity;sid:84714675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/46954175-4239-46b9-94c1-2ed084e7cf2f/g.ch"; depth:42; endswith; nocase; http.host; content:"ancientparchmentarchive.christmas"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851574/; classtype:trojan-activity;sid:84714674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.187.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851573/; classtype:trojan-activity;sid:84714673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.156.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851572/; classtype:trojan-activity;sid:84714672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"112.248.138.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851571/; classtype:trojan-activity;sid:84714671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851570/; classtype:trojan-activity;sid:84714670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.11.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851568/; classtype:trojan-activity;sid:84714668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.0.212.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851569/; classtype:trojan-activity;sid:84714669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.156.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851567/; classtype:trojan-activity;sid:84714667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851566)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.251.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851566/; classtype:trojan-activity;sid:84714666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1588c80a-dd8b-4a75-8d35-4b18c1801193/g.ch"; depth:42; endswith; nocase; http.host; content:"orbital-mechanics.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851565/; classtype:trojan-activity;sid:84714665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.78.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851564/; classtype:trojan-activity;sid:84714664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.11.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851563/; classtype:trojan-activity;sid:84714663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.237.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851562/; classtype:trojan-activity;sid:84714662; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.251.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851561/; classtype:trojan-activity;sid:84714661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.7.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851560/; classtype:trojan-activity;sid:84714660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.53.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851559/; classtype:trojan-activity;sid:84714659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61fd8544-b2a4-4acd-b26f-e33cd488d250/g.ch"; depth:42; endswith; nocase; http.host; content:"cyber-defensepro.christmas"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851558/; classtype:trojan-activity;sid:84714658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.42.65"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851557/; classtype:trojan-activity;sid:84714657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851556/; classtype:trojan-activity;sid:84714656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.237.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851555/; classtype:trojan-activity;sid:84714655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.238.131.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851554/; classtype:trojan-activity;sid:84714654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.238.131.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851553/; classtype:trojan-activity;sid:84714653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851552)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/78875570-5e84-486b-a61d-0005477244e6/g.ch"; depth:42; endswith; nocase; http.host; content:"quantumvelocitylabs.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851552/; classtype:trojan-activity;sid:84714652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.143.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851551/; classtype:trojan-activity;sid:84714651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851550/; classtype:trojan-activity;sid:84714650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.45.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851549/; classtype:trojan-activity;sid:84714649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.210.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851548/; classtype:trojan-activity;sid:84714648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3851547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.206.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851547/; classtype:trojan-activity;sid:84714647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.217.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851546/; classtype:trojan-activity;sid:84714646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851545/; classtype:trojan-activity;sid:84714645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_cf4c0966dc8263ae.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851544/; classtype:trojan-activity;sid:84714644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.88.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, 
urlhaus.abuse.ch/url/3851543/; classtype:trojan-activity;sid:84714643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bc876c95-8245-4fbf-86d2-5ca047cf41d0/g.ch"; depth:42; endswith; nocase; http.host; content:"lasagna-bakingpro.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851542/; classtype:trojan-activity;sid:84714642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.110.39.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851541/; classtype:trojan-activity;sid:84714641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.86.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851540/; classtype:trojan-activity;sid:84714640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.210.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851539/; classtype:trojan-activity;sid:84714639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"115.55.45.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851538/; classtype:trojan-activity;sid:84714638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.143.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851537/; classtype:trojan-activity;sid:84714637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851535/; classtype:trojan-activity;sid:84714635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.206.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851536/; classtype:trojan-activity;sid:84714636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb055f0d-3036-411c-96cd-c7c7d05eb8e2/g.ch"; depth:42; endswith; nocase; http.host; content:"stack-control-plane.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851534/; classtype:trojan-activity;sid:84714634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3851533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.223.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851533/; classtype:trojan-activity;sid:84714633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.9.251"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851532/; classtype:trojan-activity;sid:84714632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.86.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851531/; classtype:trojan-activity;sid:84714631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.112.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851530/; classtype:trojan-activity;sid:84714630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps/53.ps1"; depth:10; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851529/; classtype:trojan-activity;sid:84714629; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4f0faf1a-2385-40ec-be21-9cc6c5b50272/g.ch"; depth:42; endswith; nocase; http.host; content:"runtime-processing-node.christmas"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851528/; classtype:trojan-activity;sid:84714628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.112.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851527/; classtype:trojan-activity;sid:84714627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.79.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851526/; classtype:trojan-activity;sid:84714626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.212.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851525/; classtype:trojan-activity;sid:84714625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.111.166"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851524/; classtype:trojan-activity;sid:84714624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.112.27"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851523/; classtype:trojan-activity;sid:84714623; rev:1;)
# Exact-filename match: this file carries one rule per file name under
# /files-129312398/files/ on this host (.exe and .msi names appear in sibling
# rules). A file name the feed has not listed yet will not alert here.
# NOTE(review): decide locally whether host-level detection or blocking for this
# address is warranted in addition to the per-URL feed rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d66e592b39473479.msi"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851522/; classtype:trojan-activity;sid:84714622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.111.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851521/; classtype:trojan-activity;sid:84714621; rev:1;)
# One of several rules in this file for hosts under .christmas that serve
# /<uuid>/g.ch. The rule pins the full 42-byte path and the full hostname, so it
# fires only on this exact host/path pair; each other pair needs its own entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a76e756-755c-46f4-bd25-fc5fb284423a/g.ch"; depth:42; endswith; nocase; http.host; content:"telemetrymesh.christmas"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851520/; classtype:trojan-activity;sid:84714620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3851519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.212.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851519/; classtype:trojan-activity;sid:84714619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.175.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851518/; classtype:trojan-activity;sid:84714618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.247.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851517/; classtype:trojan-activity;sid:84714617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/821b5c8e-31ec-4d56-96d8-d0348ba7d3f3/g.ch"; depth:42; endswith; nocase; http.host; content:"byte-network-hub.christmas"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851516/; classtype:trojan-activity;sid:84714616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.161.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851514/; 
classtype:trojan-activity;sid:84714614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.175.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851515/; classtype:trojan-activity;sid:84714615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.229.192.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851513/; classtype:trojan-activity;sid:84714613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3e3ac677186b4c6f.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851512/; classtype:trojan-activity;sid:84714612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b369cfdf-60da-436a-9787-a65c01cdb3d3/g.ch"; depth:42; endswith; nocase; http.host; content:"signal-routing-framework.christmas"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851511/; classtype:trojan-activity;sid:84714611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"115.55.165.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851510/; classtype:trojan-activity;sid:84714610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/cbcicvq.i486"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851509/; classtype:trojan-activity;sid:84714609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/ijjlglb.i586"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851496/; classtype:trojan-activity;sid:84714596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/wgstmum.mpsl"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851497/; classtype:trojan-activity;sid:84714597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/lwsjpul.x86_64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851498/; classtype:trojan-activity;sid:84714598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3851499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/hxwdesw.i686"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851499/; classtype:trojan-activity;sid:84714599; rev:1;)
# Part of a run of rules for one host and one directory (/zzxbzbpq/): each rule
# pins a single file name, and the suffixes look like CPU architecture tags
# (.i686, .ppc, .arm7, .mips64, ...) plus one android.sh entry. During triage,
# an alert on any of them points at the same host, so correlate by http.host
# rather than treating each sid as an unrelated event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/yxvnqde.ppc"; depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851500/; classtype:trojan-activity;sid:84714600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/djvefcm.arm7"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851501/; classtype:trojan-activity;sid:84714601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/gpzhoxc.mips64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851502/; classtype:trojan-activity;sid:84714602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/android.sh"; depth:20; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851503/; classtype:trojan-activity;sid:84714603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/xpbtiwv.aarch64"; depth:25; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851504/; classtype:trojan-activity;sid:84714604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/pbjwfob.arm5"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851505/; classtype:trojan-activity;sid:84714605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/mzpirni.arm"; depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851506/; classtype:trojan-activity;sid:84714606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzxbzbpq/rzqgpso.arm6"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851507/; classtype:trojan-activity;sid:84714607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851508)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zzxbzbpq/nrfhtqi.mips"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851508/; classtype:trojan-activity;sid:84714608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.72.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851492/; classtype:trojan-activity;sid:84714592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"110.37.72.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851493/; classtype:trojan-activity;sid:84714593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851494/; classtype:trojan-activity;sid:84714594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"110.37.72.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851495/; classtype:trojan-activity;sid:84714595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3851491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.37.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851491/; classtype:trojan-activity;sid:84714591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.229.192.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851490/; classtype:trojan-activity;sid:84714590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.165.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851489/; classtype:trojan-activity;sid:84714589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21e79495-b249-46e0-a9a4-8c894869e0d6/g.ch"; depth:42; endswith; nocase; http.host; content:"proxy-stream.christmas"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851488/; classtype:trojan-activity;sid:84714588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.119.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, 
urlhaus.abuse.ch/url/3851487/; classtype:trojan-activity;sid:84714587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.37.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851486/; classtype:trojan-activity;sid:84714586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.170.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851485/; classtype:trojan-activity;sid:84714585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.119.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851484/; classtype:trojan-activity;sid:84714584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.124.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851483/; classtype:trojan-activity;sid:84714583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.164.180"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851482/; classtype:trojan-activity;sid:84714582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.78.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851480/; classtype:trojan-activity;sid:84714580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ddf4df6c-05cf-4e02-bb43-64505a5b070f/g.ch"; depth:42; endswith; nocase; http.host; content:"kernel-control-engine.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_22; reference:url, urlhaus.abuse.ch/url/3851481/; classtype:trojan-activity;sid:84714581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.170.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851479/; classtype:trojan-activity;sid:84714579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"103.84.57.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851477/; classtype:trojan-activity;sid:84714577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851478)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toot"; depth:5; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851478/; classtype:trojan-activity;sid:84714578; rev:1;)
# These feed rules alert on client GET requests in traffic Suricata parses as
# HTTP. Each rule pins the normalized URI exactly (content, depth equal to the
# content length, endswith, nocase) and the Host value exactly (content, depth,
# isdataat:!1,relative), so a different path or host does not alert. In the
# rules visible here the sid is the URLhaus id from msg/reference plus 80863100.
#
# NOTE(review): the next URI begins with a doubled slash. http.uri is the
# normalized buffer, so whether "//arm5" survives as six bytes depends on the
# sensor's libhtp path normalization settings - confirm with a test request,
# and compare against http.uri.raw if this rule never fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851474/; classtype:trojan-activity;sid:84714574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851475/; classtype:trojan-activity;sid:84714575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851476/; classtype:trojan-activity;sid:84714576; rev:1;)
# The URI half of this rule is only two bytes ("/i"), so the exact Host match
# is what makes it specific to the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851473/; classtype:trojan-activity;sid:84714573; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fff73df9-1428-43a3-acc9-8d0597dba1fe/g.ch"; depth:42; endswith; nocase; http.host; content:"cloudruntime.christmas"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851472/; classtype:trojan-activity;sid:84714572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.12.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851471/; classtype:trojan-activity;sid:84714571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.28.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851470/; classtype:trojan-activity;sid:84714570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.162.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851469/; classtype:trojan-activity;sid:84714569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.241.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; 
reference:url, urlhaus.abuse.ch/url/3851468/; classtype:trojan-activity;sid:84714568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.157.169.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851467/; classtype:trojan-activity;sid:84714567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.241.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851466/; classtype:trojan-activity;sid:84714566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.194.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851465/; classtype:trojan-activity;sid:84714565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a8a06604-6284-4b24-8a3b-ac76f3884920/g.ch"; depth:42; endswith; nocase; http.host; content:"packet-distribution-core.christmas"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851464/; classtype:trojan-activity;sid:84714564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851463)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.118.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851463/; classtype:trojan-activity;sid:84714563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.228.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851462/; classtype:trojan-activity;sid:84714562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.1.83"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851461/; classtype:trojan-activity;sid:84714561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851460/; classtype:trojan-activity;sid:84714560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.28.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851459/; classtype:trojan-activity;sid:84714559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851458)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851458/; classtype:trojan-activity;sid:84714558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.1.83"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851457/; classtype:trojan-activity;sid:84714557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5dff1e15-07cf-41aa-853e-094be4ca2aec/g.ch"; depth:42; endswith; nocase; http.host; content:"container-mesh.christmas"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851456/; classtype:trojan-activity;sid:84714556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.33.251"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851455/; classtype:trojan-activity;sid:84714555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851454/; 
classtype:trojan-activity;sid:84714554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.28.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851453/; classtype:trojan-activity;sid:84714553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.226.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851452/; classtype:trojan-activity;sid:84714552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.229.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851451/; classtype:trojan-activity;sid:84714551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a5ef6ea-aff7-420f-97dc-f9d824824654/g.ch"; depth:42; endswith; nocase; http.host; content:"telemetry-control-hub.christmas"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851450/; classtype:trojan-activity;sid:84714550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/android.sh"; depth:20; endswith; nocase; http.host; 
content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851449/; classtype:trojan-activity;sid:84714549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.31.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851448/; classtype:trojan-activity;sid:84714548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.33.251"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851447/; classtype:trojan-activity;sid:84714547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/wyszztw.arm5"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851434/; classtype:trojan-activity;sid:84714534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/iwhcwck.arm7"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851435/; classtype:trojan-activity;sid:84714535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851436)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/ljwqgms.x86_64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851436/; classtype:trojan-activity;sid:84714536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/uagkrww.aarch64"; depth:25; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851437/; classtype:trojan-activity;sid:84714537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/iovmytx.i586"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851438/; classtype:trojan-activity;sid:84714538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/einqgiy.mips64"; depth:24; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851439/; classtype:trojan-activity;sid:84714539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/znebtbj.i686"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, 
urlhaus.abuse.ch/url/3851440/; classtype:trojan-activity;sid:84714540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/nbhpcpg.mips"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851441/; classtype:trojan-activity;sid:84714541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/lduhsjo.i486"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851442/; classtype:trojan-activity;sid:84714542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/tpprwsu.ppc"; depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851443/; classtype:trojan-activity;sid:84714543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/atbtjft.arm"; depth:21; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851444/; classtype:trojan-activity;sid:84714544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851445)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/2s3dkw7s/iztsowy.arm6"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851445/; classtype:trojan-activity;sid:84714545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2s3dkw7s/edykljw.mpsl"; depth:22; endswith; nocase; http.host; content:"176.65.139.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851446/; classtype:trojan-activity;sid:84714546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.117.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851433/; classtype:trojan-activity;sid:84714533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.35.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851432/; classtype:trojan-activity;sid:84714532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.229.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851431/; classtype:trojan-activity;sid:84714531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3851430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e5a01d55-d272-4e70-97f5-32f8da384549/g.ch"; depth:42; endswith; nocase; http.host; content:"stackbridge.christmas"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851430/; classtype:trojan-activity;sid:84714530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.31.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851429/; classtype:trojan-activity;sid:84714529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.119.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851427/; classtype:trojan-activity;sid:84714527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.204.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851428/; classtype:trojan-activity;sid:84714528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.64.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851426/; 
classtype:trojan-activity;sid:84714526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.35.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851425/; classtype:trojan-activity;sid:84714525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.64.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851424/; classtype:trojan-activity;sid:84714524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.204.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851423/; classtype:trojan-activity;sid:84714523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2e6c986-8be9-43ca-a1a9-3180380aad4a/g.ch"; depth:42; endswith; nocase; http.host; content:"network-flow-system.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851422/; classtype:trojan-activity;sid:84714522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"123.4.164.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851421/; classtype:trojan-activity;sid:84714521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.42.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851420/; classtype:trojan-activity;sid:84714520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.119.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851419/; classtype:trojan-activity;sid:84714519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6fcd3983-7edf-4419-a07c-6f5ba1cc67ef/g.ch"; depth:42; endswith; nocase; http.host; content:"byte-vault.christmas"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851418/; classtype:trojan-activity;sid:84714518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.36.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851417/; classtype:trojan-activity;sid:84714517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851411)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851411/; classtype:trojan-activity;sid:84714511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851412/; classtype:trojan-activity;sid:84714512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"165.227.155.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851413/; classtype:trojan-activity;sid:84714513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"134.199.190.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851414/; classtype:trojan-activity;sid:84714514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"134.199.190.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851415/; 
classtype:trojan-activity;sid:84714515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"134.199.190.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851416/; classtype:trojan-activity;sid:84714516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.185.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851410/; classtype:trojan-activity;sid:84714510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.75.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851409/; classtype:trojan-activity;sid:84714509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.122.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851408/; classtype:trojan-activity;sid:84714508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de1ede75-0cc2-4104-9d8d-e289c3645697/g.ch"; depth:42; endswith; nocase; http.host; 
content:"signal-processing-core.christmas"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851407/; classtype:trojan-activity;sid:84714507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.150.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851406/; classtype:trojan-activity;sid:84714506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.202.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851405/; classtype:trojan-activity;sid:84714505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.12.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851404/; classtype:trojan-activity;sid:84714504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.44.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851403/; classtype:trojan-activity;sid:84714503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851402)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.245.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851402/; classtype:trojan-activity;sid:84714502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/652f1bc5-e123-452e-9b8f-4dabded787a9/g.ch"; depth:42; endswith; nocase; http.host; content:"proxy-hub.christmas"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851401/; classtype:trojan-activity;sid:84714501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.46.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851400/; classtype:trojan-activity;sid:84714500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.46.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851399/; classtype:trojan-activity;sid:84714499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.202.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851398/; classtype:trojan-activity;sid:84714498; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.164.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851397/; classtype:trojan-activity;sid:84714497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.54.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851396/; classtype:trojan-activity;sid:84714496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851395/; classtype:trojan-activity;sid:84714495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fb89b25-45fa-4267-bf89-9dba7489b2a8/g.ch"; depth:42; endswith; nocase; http.host; content:"cloud-sync-engine.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851394/; classtype:trojan-activity;sid:84714494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.1.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; 
reference:url, urlhaus.abuse.ch/url/3851393/; classtype:trojan-activity;sid:84714493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.1.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851392/; classtype:trojan-activity;sid:84714492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.7.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851391/; classtype:trojan-activity;sid:84714491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.84.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851390/; classtype:trojan-activity;sid:84714490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851389/; classtype:trojan-activity;sid:84714489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8f82153-4c34-4b9d-a842-791cf45d3bdc/g.ch"; depth:42; endswith; 
nocase; http.host; content:"microservice-hub.christmas"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851388/; classtype:trojan-activity;sid:84714488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.185.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851387/; classtype:trojan-activity;sid:84714487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.54.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851386/; classtype:trojan-activity;sid:84714486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1372c504-375d-467b-9978-c2d199db2a80/g.ch"; depth:42; endswith; nocase; http.host; content:"telemetry-grid.christmas"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851385/; classtype:trojan-activity;sid:84714485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.7.244"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851384/; classtype:trojan-activity;sid:84714484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3851383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghkjkghlkgl/ghf/downloads/2.jpg"; depth:32; endswith; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851383/; classtype:trojan-activity;sid:84714483; rev:1;)
# NOTE(review): sid 84714483 (ending above) and sid 84714480 (below) carry shared
# code-hosting platforms in http.host. `alert http` only inspects traffic that Suricata
# parses as HTTP, so a TLS-protected fetch of the same URL is not seen by these rules
# unless it is decrypted upstream of the sensor -- presumably the usual case for these
# hosts; verify against sensor placement. Each rule is pinned to one exact path: the
# host name by itself is not an indicator and should not be widened to a host-level block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/bv/refs/heads/main/sijgpca.txt"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851380/; classtype:trojan-activity;sid:84714480; rev:1;)
# Exact-match shape used by the next two rules: in http.uri, depth equals the content
# length and endswith anchors the end of the buffer, so only this exact URI matches
# (any letter case, via nocase); in http.host, depth plus isdataat:!1,relative pins
# the whole host name the same way.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tr.vbs"; depth:7; endswith; nocase; http.host; content:"toptionlab.co.za"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851381/; classtype:trojan-activity;sid:84714481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/birdsknocked"; depth:13; endswith; nocase; http.host; content:"paste.sensio.no"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851382/; classtype:trojan-activity;sid:84714482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=92fa774c-a9f6-4cd1-ab4e-b18058e58bb4"; depth:47; endswith; nocase; http.host; content:"0frduisp.cloud-meridian.digital"; 
depth:31; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851379/; classtype:trojan-activity;sid:84714479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58350bdd-1b1c-4830-9c1c-fe1ddfe98e9a/g.ch"; depth:42; endswith; nocase; http.host; content:"stack-flow.christmas"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851378/; classtype:trojan-activity;sid:84714478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.7.244"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851377/; classtype:trojan-activity;sid:84714477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.232.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851376/; classtype:trojan-activity;sid:84714476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.79.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851375/; classtype:trojan-activity;sid:84714475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851374)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/b176b5c0-e343-43ed-a792-08c71e38f649/g.ch"; depth:42; endswith; nocase; http.host; content:"signal-core-engine.christmas"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851374/; classtype:trojan-activity;sid:84714474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.79.137"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851373/; classtype:trojan-activity;sid:84714473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851372/; classtype:trojan-activity;sid:84714472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"65.20.102.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851371/; classtype:trojan-activity;sid:84714471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"65.20.102.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851370/; 
classtype:trojan-activity;sid:84714470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"65.20.102.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851369/; classtype:trojan-activity;sid:84714469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851368/; classtype:trojan-activity;sid:84714468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.242.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851367/; classtype:trojan-activity;sid:84714467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e2aead27-190e-4dd5-91a5-a29e3b34c767/g.ch"; depth:42; endswith; nocase; http.host; content:"runtime-control.christmas"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851366/; classtype:trojan-activity;sid:84714466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"91.225.163.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851365/; classtype:trojan-activity;sid:84714465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.101.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851364/; classtype:trojan-activity;sid:84714464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.124.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851363/; classtype:trojan-activity;sid:84714463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.101.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851361/; classtype:trojan-activity;sid:84714461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.242.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851362/; classtype:trojan-activity;sid:84714462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851360)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/0cd3d71a-1bb7-4e3e-b6e9-2fde3b3b1d79/zone.id"; depth:45; endswith; nocase; http.host; content:"runtime-control.christmas"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851360/; classtype:trojan-activity;sid:84714460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.234.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851359/; classtype:trojan-activity;sid:84714459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.124.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851358/; classtype:trojan-activity;sid:84714458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.156.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851357/; classtype:trojan-activity;sid:84714457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7b33fc05-4a1a-4cc8-beed-bfdc487eae85"; depth:47; endswith; nocase; http.host; content:"x3o11wkp.signal-bridge.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, 
urlhaus.abuse.ch/url/3851356/; classtype:trojan-activity;sid:84714456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.249.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851355/; classtype:trojan-activity;sid:84714455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.234.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851354/; classtype:trojan-activity;sid:84714454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d7f4205-3be6-4111-b787-b7f7655dde07/zone.id"; depth:45; endswith; nocase; http.host; content:"ice-evergreen.christmas"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851353/; classtype:trojan-activity;sid:84714453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.51.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851352/; classtype:trojan-activity;sid:84714452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"42.226.64.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851351/; classtype:trojan-activity;sid:84714451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aa5f89df-2b20-4b2e-aa64-e2b460c6fe6d/zone.id"; depth:45; endswith; nocase; http.host; content:"tree-observatory.christmas"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851350/; classtype:trojan-activity;sid:84714450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.72.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851349/; classtype:trojan-activity;sid:84714449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.130.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851348/; classtype:trojan-activity;sid:84714448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.64.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851347/; classtype:trojan-activity;sid:84714447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3851346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m"; depth:2; endswith; nocase; http.host; content:"104.248.119.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851346/; classtype:trojan-activity;sid:84714446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851345/; classtype:trojan-activity;sid:84714445; rev:1;)
# NOTE(review): the remaining rules on this line name public file/image hosting
# services in http.host. `alert http` only inspects traffic that Suricata parses as
# HTTP; a TLS-protected request for the same URL is invisible to these rules unless it
# is decrypted upstream of the sensor -- presumably the usual case for these hosts;
# verify against sensor placement. The host name alone is not an indicator here; only
# the exact path/query is.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yc5ygskg/ste-payload.png"; depth:25; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851344/; classtype:trojan-activity;sid:84714444; rev:1;)
# NOTE(review): in the two drive.google.com patterns below, |7c|26|7c| decodes to the
# four literal characters "|26|" (0x7c '2' '6' 0x7c), not to "&" (0x26). This looks
# like "&" was hex-escaped to |26| and the pipes were then escaped a second time, so
# the rule would only match a URI that literally contains "|26|" and would miss a
# request using the normal "&" separator -- confirm against the URLhaus entry and
# report upstream rather than hand-editing the feed. depth:68 also equals the length
# of the escaped rule text; the decoded pattern is 59 bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1p6ct81hwfslgfjlgpg8tn-8afd8q2cx4"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851341/; classtype:trojan-activity;sid:84714441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_khklquqzh9zzdvezayfdbdlmk-jzcin"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; 
isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851342/; classtype:trojan-activity;sid:84714442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1cmfdfipwo9fnmicp375llpjgfqqll8vh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851343/; classtype:trojan-activity;sid:84714443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.130.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851340/; classtype:trojan-activity;sid:84714440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9ec27899-ba4e-4ba0-abf9-fa9e99593a25/zone.id"; depth:45; endswith; nocase; http.host; content:"gift-harbor.christmas"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851339/; classtype:trojan-activity;sid:84714439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"98.252.87.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851338/; classtype:trojan-activity;sid:84714438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3851337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.44.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851337/; classtype:trojan-activity;sid:84714437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_7b8550224a5622b6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851336/; classtype:trojan-activity;sid:84714436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.243.128.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851335/; classtype:trojan-activity;sid:84714435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.88.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851334/; classtype:trojan-activity;sid:84714434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.84.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851333/; 
classtype:trojan-activity;sid:84714433; rev:1;)
# NOTE(review): |3f| is a single byte ("?"), so the http.uri pattern below is 44 bytes
# long while depth is 47 -- depth appears to have been computed from the escaped rule
# text. Combined with endswith, the match is therefore slightly looser than the
# exact-URI match the other rules get: up to 3 leading bytes before the pattern are
# tolerated. The host match (depth:30 on a 30-byte name) is still exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bdd0d6a0-0a3d-4ab2-b93d-f0397977e338"; depth:47; endswith; nocase; http.host; content:"nhr83i9y.kernel-vertex.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851332/; classtype:trojan-activity;sid:84714432; rev:1;)
# The rules below use very short URIs ("/i", "/bin.sh"); they stay specific only
# because http.host is pinned to a single address with depth + isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.137.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851331/; classtype:trojan-activity;sid:84714431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.26.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851330/; classtype:trojan-activity;sid:84714430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851329/; classtype:trojan-activity;sid:84714429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"42.231.88.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851328/; classtype:trojan-activity;sid:84714428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.156.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851327/; classtype:trojan-activity;sid:84714427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.42.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851326/; classtype:trojan-activity;sid:84714426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.209.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851325/; classtype:trojan-activity;sid:84714425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.166.215.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851324/; classtype:trojan-activity;sid:84714424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851323)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/6ed705d0-6198-4273-9177-6590c4457894/zone.id"; depth:45; endswith; nocase; http.host; content:"star-workshop.christmas"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851323/; classtype:trojan-activity;sid:84714423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.133.102.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851322/; classtype:trojan-activity;sid:84714422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.42.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851321/; classtype:trojan-activity;sid:84714421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.137.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851320/; classtype:trojan-activity;sid:84714420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851319/; classtype:trojan-activity;sid:84714419; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.85.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851317/; classtype:trojan-activity;sid:84714417; rev:1;)
# What a hit means: every rule here keys on the client side of an established flow
# (flow:established,from_client) and on the GET request line only. An alert shows that
# a $HOME_NET host requested the listed URL; it does not show that the server answered
# or that a file was delivered -- correlate with the HTTP response / file logs before
# treating the host as compromised. metadata:created_at gives the indicator's age for
# expiry decisions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.209.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851318/; classtype:trojan-activity;sid:84714418; rev:1;)
# NOTE(review): the file names in sid 84714416 and sid 84714415 resemble remote-support
# client installers (presumably ScreenConnect -- verify against the URLhaus entries).
# On a hit, check whether the endpoint went on to install or run a remote-access client
# that is not on the organisation's approved list. Both rules are pinned to one host,
# so sanctioned installers fetched from other servers do not trigger them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"104.236.198.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851316/; classtype:trojan-activity;sid:84714416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"104.236.198.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851315/; classtype:trojan-activity;sid:84714415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; endswith; nocase; http.host; content:"104.236.191.89"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_21; reference:url, urlhaus.abuse.ch/url/3851314/; classtype:trojan-activity;sid:84714414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.166.215.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851313/; classtype:trojan-activity;sid:84714413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71e79d24-b3c3-4cf5-ae3c-b2dd7835ef59/zone.id"; depth:45; endswith; nocase; http.host; content:"frost-marketplace.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851312/; classtype:trojan-activity;sid:84714412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.191.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851311/; classtype:trojan-activity;sid:84714411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.85.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851310/; classtype:trojan-activity;sid:84714410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851309)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.71.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851309/; classtype:trojan-activity;sid:84714409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.6.90"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851308/; classtype:trojan-activity;sid:84714408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.62.184.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851307/; classtype:trojan-activity;sid:84714407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.133.102.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851306/; classtype:trojan-activity;sid:84714406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.98.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851305/; classtype:trojan-activity;sid:84714405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851304)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.191.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851304/; classtype:trojan-activity;sid:84714404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.99.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851302/; classtype:trojan-activity;sid:84714402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.99.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851303/; classtype:trojan-activity;sid:84714403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.189.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851301/; classtype:trojan-activity;sid:84714401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/81bff505-b183-4bd9-9913-31031f0fa4de/zone.id"; depth:45; endswith; nocase; http.host; content:"labshift-winmail-get.christmas"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851300/; 
classtype:trojan-activity;sid:84714400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.71.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851299/; classtype:trojan-activity;sid:84714399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"1.62.184.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851298/; classtype:trojan-activity;sid:84714398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.37.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851297/; classtype:trojan-activity;sid:84714397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.236.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851296/; classtype:trojan-activity;sid:84714396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=addc135f-672d-447a-a7ea-dfae8cdd0d0f"; depth:47; endswith; nocase; http.host; 
content:"bjzrz6je.packet-cascade.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851295/; classtype:trojan-activity;sid:84714395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.189.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851294/; classtype:trojan-activity;sid:84714394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.92.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851293/; classtype:trojan-activity;sid:84714393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi"; depth:34; endswith; nocase; http.host; content:"app.idanburuku.sbs"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851292/; classtype:trojan-activity;sid:84714392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37fb1fdf-f5cf-4c53-b784-230a9d811734/zone.id"; depth:45; endswith; nocase; http.host; content:"forcrash-classnet.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851291/; classtype:trojan-activity;sid:84714391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3851290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.236.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851290/; classtype:trojan-activity;sid:84714390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.57.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851289/; classtype:trojan-activity;sid:84714389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98b81e3d-566d-494f-a07a-8bd645d9f2f0/zone.id"; depth:45; endswith; nocase; http.host; content:"pigtweet-kitdiff-it.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851288/; classtype:trojan-activity;sid:84714388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.113.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851287/; classtype:trojan-activity;sid:84714387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; 
reference:url, urlhaus.abuse.ch/url/3851286/; classtype:trojan-activity;sid:84714386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1826589a-96d7-41c7-bf01-e6af60b1b115/zone.id"; depth:45; endswith; nocase; http.host; content:"pigtweet-kitdiff-it.christmas"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851285/; classtype:trojan-activity;sid:84714385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.ps1|3f|key=hpk9mqasd324asdf23oasdfw"; depth:44; endswith; nocase; http.host; content:"89.124.94.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851284/; classtype:trojan-activity;sid:84714384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.74.20"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851283/; classtype:trojan-activity;sid:84714383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/lorgnon.pcz"; depth:15; endswith; nocase; http.host; content:"metecgroup.cam"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851282/; classtype:trojan-activity;sid:84714382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851277)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ucc/aj.js"; depth:10; endswith; nocase; http.host; content:"franklinfuelings.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851277/; classtype:trojan-activity;sid:84714377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nfps/aj.js"; depth:11; endswith; nocase; http.host; content:"variovac.com.de"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851278/; classtype:trojan-activity;sid:84714378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ucc/aj.js"; depth:10; endswith; nocase; http.host; content:"cantieridelmediterraneo.it.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851279/; classtype:trojan-activity;sid:84714379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.ps1"; depth:12; endswith; nocase; http.host; content:"89.124.94.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851280/; classtype:trojan-activity;sid:84714380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ac.cmd"; depth:7; endswith; nocase; http.host; content:"89.124.94.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851281/; classtype:trojan-activity;sid:84714381; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nfps/aj.js"; depth:11; endswith; nocase; http.host; content:"variovac.com.de"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851274/; classtype:trojan-activity;sid:84714374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ucc/aj.js"; depth:10; endswith; nocase; http.host; content:"franklinfuelings.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851275/; classtype:trojan-activity;sid:84714375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nfps/aj.js"; depth:11; endswith; nocase; http.host; content:"fele.com.de"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851276/; classtype:trojan-activity;sid:84714376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1a8274dfe0c54517.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851272/; classtype:trojan-activity;sid:84714372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_60f25696fe0ad71f.exe"; depth:48; endswith; nocase; http.host; 
content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851273/; classtype:trojan-activity;sid:84714373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.36.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851271/; classtype:trojan-activity;sid:84714371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851270/; classtype:trojan-activity;sid:84714370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4a77d309-c9b8-4e76-8fb2-995b0939910f/zone.id"; depth:45; endswith; nocase; http.host; content:"icevault-cutshift.christmas"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851269/; classtype:trojan-activity;sid:84714369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.165.253.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851268/; classtype:trojan-activity;sid:84714368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851267)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.74.20"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851267/; classtype:trojan-activity;sid:84714367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.236.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851266/; classtype:trojan-activity;sid:84714366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6464871c-26f3-41a3-8974-ebe3c9c23ad6/zone.id"; depth:45; endswith; nocase; http.host; content:"busbytesadd.christmas"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851265/; classtype:trojan-activity;sid:84714365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.182.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851264/; classtype:trojan-activity;sid:84714364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=45f1c6fa-fbf7-4e22-8cee-f9058ff59366"; depth:47; endswith; nocase; http.host; content:"22goulm8.runtime-nexus.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, 
urlhaus.abuse.ch/url/3851263/; classtype:trojan-activity;sid:84714363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.89.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851262/; classtype:trojan-activity;sid:84714362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.165.253.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851261/; classtype:trojan-activity;sid:84714361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.9.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851260/; classtype:trojan-activity;sid:84714360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.159.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851259/; classtype:trojan-activity;sid:84714359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851258/; classtype:trojan-activity;sid:84714358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.236.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851257/; classtype:trojan-activity;sid:84714357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.182.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851256/; classtype:trojan-activity;sid:84714356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.88.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851255/; classtype:trojan-activity;sid:84714355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.36.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851254/; classtype:trojan-activity;sid:84714354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"182.121.47.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851253/; classtype:trojan-activity;sid:84714353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.47.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851252/; classtype:trojan-activity;sid:84714352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.9.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851251/; classtype:trojan-activity;sid:84714351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.12.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851250/; classtype:trojan-activity;sid:84714350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.37.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851249/; classtype:trojan-activity;sid:84714349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851247)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.87.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851247/; classtype:trojan-activity;sid:84714347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.87.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851248/; classtype:trojan-activity;sid:84714348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.140.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851246/; classtype:trojan-activity;sid:84714346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.247.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851245/; classtype:trojan-activity;sid:84714345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.37.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851244/; classtype:trojan-activity;sid:84714344; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.128.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851243/; classtype:trojan-activity;sid:84714343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.12.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851242/; classtype:trojan-activity;sid:84714342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2160fdd-7269-4c68-8d6c-d5efad920c71/zone.id"; depth:45; endswith; nocase; http.host; content:"graphnewclass.christmas"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851241/; classtype:trojan-activity;sid:84714341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.100.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851240/; classtype:trojan-activity;sid:84714340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.108.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; 
reference:url, urlhaus.abuse.ch/url/3851239/; classtype:trojan-activity;sid:84714339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.100.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851238/; classtype:trojan-activity;sid:84714338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.95.81"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851237/; classtype:trojan-activity;sid:84714337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.128.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851236/; classtype:trojan-activity;sid:84714336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.122.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851235/; classtype:trojan-activity;sid:84714335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"112.239.122.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851234/; classtype:trojan-activity;sid:84714334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.101.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851233/; classtype:trojan-activity;sid:84714333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.100.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851232/; classtype:trojan-activity;sid:84714332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.177.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851231/; classtype:trojan-activity;sid:84714331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.239.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851230/; classtype:trojan-activity;sid:84714330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851229)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.239.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851229/; classtype:trojan-activity;sid:84714329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=78e9b019-e631-4301-a930-5256899e3c25"; depth:47; endswith; nocase; http.host; content:"6jcrkuht.container-beacon.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851228/; classtype:trojan-activity;sid:84714328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.108.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851227/; classtype:trojan-activity;sid:84714327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.255.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851226/; classtype:trojan-activity;sid:84714326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.177.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851225/; classtype:trojan-activity;sid:84714325; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851224/; classtype:trojan-activity;sid:84714324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.86.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851223/; classtype:trojan-activity;sid:84714323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.156.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851222/; classtype:trojan-activity;sid:84714322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.196.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851221/; classtype:trojan-activity;sid:84714321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.196.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, 
urlhaus.abuse.ch/url/3851220/; classtype:trojan-activity;sid:84714320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.32.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851219/; classtype:trojan-activity;sid:84714319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.208.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851218/; classtype:trojan-activity;sid:84714318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.247.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851217/; classtype:trojan-activity;sid:84714317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.86.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851216/; classtype:trojan-activity;sid:84714316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.56.46"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851215/; classtype:trojan-activity;sid:84714315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.56.46"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851214/; classtype:trojan-activity;sid:84714314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.208.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851213/; classtype:trojan-activity;sid:84714313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/75a0c85c-cd34-4a9f-b671-b0a65c1638c5/zone.id"; depth:45; endswith; nocase; http.host; content:"tuplediskdkey.christmas"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851212/; classtype:trojan-activity;sid:84714312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.9.251"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851211/; classtype:trojan-activity;sid:84714311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851210)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b9f98708-123a-4f94-83a7-40d13a79bec6"; depth:47; endswith; nocase; http.host; content:"fikvjna5.telemetry-orbit.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851210/; classtype:trojan-activity;sid:84714310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.141.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851209/; classtype:trojan-activity;sid:84714309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8pswbzht/stego-payload.png"; depth:27; endswith; nocase; http.host; content:"i.postimg.cc"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851208/; classtype:trojan-activity;sid:84714308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.113.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851207/; classtype:trojan-activity;sid:84714307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851206/; 
classtype:trojan-activity;sid:84714306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.154.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851205/; classtype:trojan-activity;sid:84714305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2f58e8cb-6b6d-439c-97ec-6892fd7e9f07/zone.id"; depth:45; endswith; nocase; http.host; content:"boblegvlist.christmas"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851204/; classtype:trojan-activity;sid:84714304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.188.141.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851203/; classtype:trojan-activity;sid:84714303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.225.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851202/; classtype:trojan-activity;sid:84714302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851201/; classtype:trojan-activity;sid:84714301; rev:1;)
# Each rule below alerts on an outbound HTTP GET whose URI ends with the listed
# path and whose Host buffer equals the listed host: depth equal to the pattern
# length pins the match to the start of http.host, and isdataat:!1,relative
# requires that nothing follows it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.99.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851200/; classtype:trojan-activity;sid:84714300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.16.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851199/; classtype:trojan-activity;sid:84714299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.75.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851198/; classtype:trojan-activity;sid:84714298; rev:1;)
# NOTE(review): the next two rules (sid 84714296, 84714297) key on sites.google.com,
# a shared hosting platform, so only the full path identifies the listed page;
# the host alone is not an indicator. They are "alert http" rules and therefore
# need the request visible as cleartext HTTP. If this host is only reached over
# TLS in your environment, they will not fire unless traffic is decrypted ahead
# of the sensor -- confirm coverage before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/newversion20"; depth:18; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851196/; classtype:trojan-activity;sid:84714296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/xclaudeversionmac"; depth:23; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851197/; classtype:trojan-activity;sid:84714297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ead1c02-748e-4ea5-ad16-f2496948e8fc/zone.id"; depth:45; endswith; nocase; http.host; content:"hasvideoproxy.christmas"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851195/; classtype:trojan-activity;sid:84714295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.228.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851194/; classtype:trojan-activity;sid:84714294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.116.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851193/; classtype:trojan-activity;sid:84714293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851192/; classtype:trojan-activity;sid:84714292;
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.125.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851191/; classtype:trojan-activity;sid:84714291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.103.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851190/; classtype:trojan-activity;sid:84714290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.125.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851189/; classtype:trojan-activity;sid:84714289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/fclju2b.txt"; depth:25; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851188/; classtype:trojan-activity;sid:84714288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/dc0cl7b.txt"; depth:25; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851183/; classtype:trojan-activity;sid:84714283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/l1klqa3.txt"; depth:25; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851184/; classtype:trojan-activity;sid:84714284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/dnmn9tt.txt"; depth:25; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851185/; classtype:trojan-activity;sid:84714285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/160066.jpg"; depth:24; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851186/; classtype:trojan-activity;sid:84714286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/ft4neuk.txt"; depth:25; endswith; nocase; http.host; content:"196.251.107.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851187/; classtype:trojan-activity;sid:84714287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851182)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.254.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851182/; classtype:trojan-activity;sid:84714282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.151.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851181/; classtype:trojan-activity;sid:84714281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.254.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851180/; classtype:trojan-activity;sid:84714280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=9482e39b-e389-4095-9851-37ec26ed5c1b"; depth:47; endswith; nocase; http.host; content:"td5323u3.primordialsoupevolution.digital"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851179/; classtype:trojan-activity;sid:84714279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.227.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851178/; 
classtype:trojan-activity;sid:84714278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3588ac55bab70f4e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851177/; classtype:trojan-activity;sid:84714277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/valliere.asi"; depth:22; endswith; nocase; http.host; content:"freeomovie.info"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851176/; classtype:trojan-activity;sid:84714276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ihhsp.mp3"; depth:10; endswith; nocase; http.host; content:"196.251.70.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851175/; classtype:trojan-activity;sid:84714275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.225.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851174/; classtype:trojan-activity;sid:84714274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.37.32.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851173/; classtype:trojan-activity;sid:84714273; rev:1;)
# Each rule below alerts on an outbound HTTP GET whose URI ends with the listed
# path and whose Host buffer equals the listed host (depth equal to the host
# pattern length plus isdataat:!1,relative makes the host comparison exact).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/common.dat"; depth:11; endswith; nocase; http.host; content:"dynga.pl"; depth:8; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851172/; classtype:trojan-activity;sid:84714272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.227.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851171/; classtype:trojan-activity;sid:84714271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.php"; depth:6; endswith; nocase; http.host; content:"209.54.102.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851170/; classtype:trojan-activity;sid:84714270; rev:1;)
# NOTE(review): in the next two rules (sid 84714269, 84714268) the URI pattern
# contains "|7c|26|7c|". |7c| is the hex escape for the pipe character, so the
# pattern decodes to the literal four bytes |26| rather than to 0x26 ("&").
# This looks like a double-escaped "&" from the feed generator; if so, a request
# carrying "export=download&id=..." would not match -- TODO confirm against the
# referenced URLhaus entry.
# depth:68 equals the length of the escaped pattern text; the decoded pattern is
# 59 bytes, so together with endswith the match may start up to 9 bytes into the
# URI instead of exactly at offset 0.
# These are "alert http" rules against drive.google.com: they fire only where the
# request is visible as cleartext HTTP (e.g. decrypted ahead of the sensor).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ici2ryfs-geanafmuh0mkfy02fb9b7pn"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851169/; classtype:trojan-activity;sid:84714269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1nu2vvy7npzx7u2sun8smcfp2sasdumaa"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851168/; classtype:trojan-activity;sid:84714268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.225.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851167/; classtype:trojan-activity;sid:84714267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.55.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851166/; classtype:trojan-activity;sid:84714266; rev:1;)
# NOTE(review): sid 84714265 has the same "|7c|26|7c|" sequence before "token=",
# i.e. the pattern expects the literal text |26| where a query-string "&" would
# normally sit -- TODO confirm against the referenced URLhaus entry. The pattern
# also carries "%2f" inside the path; whether that matches depends on how the
# sensor's HTTP parser normalises percent-encoded slashes in http.uri, so verify
# against a test capture. As an "alert http" rule for firebasestorage.googleapis.com,
# it needs the request visible as cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/remasd-6c702.firebasestorage.app/o/frost%2fpic2.jpg|3f|alt=media|7c|26|7c|token=589f956e-d019-4472-a000-29f8eb203489"; depth:122; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851165/; classtype:trojan-activity;sid:84714265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase;
http.host; content:"115.48.151.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851164/; classtype:trojan-activity;sid:84714264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p0pjpf32vd5a4rq"; depth:16; endswith; nocase; http.host; content:"hasteb.in"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851163/; classtype:trojan-activity;sid:84714263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hgxdbdvy/raw"; depth:13; endswith; nocase; http.host; content:"pastefy.app"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851162/; classtype:trojan-activity;sid:84714262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21/sccw/verygoodpeoplesaroundonme.hta"; depth:38; endswith; nocase; http.host; content:"107.172.135.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851160/; classtype:trojan-activity;sid:84714260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21/smallonebutgoodoneeverseeninmylife.js"; depth:41; endswith; nocase; http.host; content:"107.172.135.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851161/; classtype:trojan-activity;sid:84714261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3851159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.211.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851159/; classtype:trojan-activity;sid:84714259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.232.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851158/; classtype:trojan-activity;sid:84714258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gotextileltd.zip"; depth:17; endswith; nocase; http.host; content:"gotextileltd.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851157/; classtype:trojan-activity;sid:84714257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documentopcpe.exe"; depth:18; endswith; nocase; http.host; content:"gaviao.ba.gov.br"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851156/; classtype:trojan-activity;sid:84714256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/python.zip"; depth:11; endswith; nocase; http.host; content:"vaci-cloud.b-cdn.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, 
urlhaus.abuse.ch/url/3851155/; classtype:trojan-activity;sid:84714255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3armyeu.exe"; depth:12; endswith; nocase; http.host; content:"klichkogov.pro"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851153/; classtype:trojan-activity;sid:84714253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_2e4e1082336e95de.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851154/; classtype:trojan-activity;sid:84714254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_f63a4ae1cbc0bfa1.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851151/; classtype:trojan-activity;sid:84714251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/screen/panel1.vbs"; depth:18; endswith; nocase; http.host; content:"96.126.176.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851152/; classtype:trojan-activity;sid:84714252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851149)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/borlndmm.dll"; depth:13; endswith; nocase; http.host; content:"79.110.50.15"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851149/; classtype:trojan-activity;sid:84714249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/80ad8f13-a651-414f-8be5-0252e6fd5ad0/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"gardeninfrastructurecore.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851150/; classtype:trojan-activity;sid:84714250; rev:1;)
# The following rules share host 91.92.242.236 and the directory
# /files-129312398/files/, and differ only in the file name. Each one is an exact
# URI match, so a new file name served from the same directory is not covered until
# the feed adds it. When one of these fires, review other requests from the same
# client to this host, not just the alerted URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1b59b8f34ac01b65.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851146/; classtype:trojan-activity;sid:84714246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_469080b13781a71e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851147/; classtype:trojan-activity;sid:84714247; rev:1;)
# NOTE(review): the URI pattern below ends in ".dll:::ddd" and carries literal ':'
# characters. The Suricata documentation lists ':' among the characters to write in
# hex notation (|3A|) inside content. Confirm that this rule loads on your engine
# version, for example with a configuration test run (suricata -T), and that the
# depth of 54 still equals the pattern length there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_44b6595cf70d3f32.dll:::ddd"; depth:54; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851148/; classtype:trojan-activity;sid:84714248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.ppc440fp"; depth:15; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851145/; classtype:trojan-activity;sid:84714245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851144/; classtype:trojan-activity;sid:84714244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.230.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851143/; classtype:trojan-activity;sid:84714243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.211.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851142/; classtype:trojan-activity;sid:84714242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"123.132.166.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851141/; classtype:trojan-activity;sid:84714241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fa603fda-db92-4076-9c6c-a89fa306b822/zone.id"; depth:45; endswith; nocase; http.host; content:"hasmysql.christmas"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851139/; classtype:trojan-activity;sid:84714239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851140/; classtype:trojan-activity;sid:84714240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.166.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851138/; classtype:trojan-activity;sid:84714238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.91.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851137/; classtype:trojan-activity;sid:84714237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3851136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=48e0d0ba-a30a-4710-bf8d-2c181f9b94ef"; depth:47; endswith; nocase; http.host; content:"okb0lvez.subdermalbiometricchip.digital"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851136/; classtype:trojan-activity;sid:84714236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/784faaec-059c-4fc5-9812-5df35c549fba/zone.id"; depth:45; endswith; nocase; http.host; content:"regexcar.christmas"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851135/; classtype:trojan-activity;sid:84714235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.91.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851134/; classtype:trojan-activity;sid:84714234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.81.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851133/; classtype:trojan-activity;sid:84714233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.80.46.95"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851132/; classtype:trojan-activity;sid:84714232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.179.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851131/; classtype:trojan-activity;sid:84714231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af1f4e1e-919c-46f6-90e0-092da270a594/zone.id"; depth:45; endswith; nocase; http.host; content:"telemetry-orbit.buzz"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851130/; classtype:trojan-activity;sid:84714230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6012f3d4-316c-45ab-9481-14c396946301/zone.id"; depth:45; endswith; nocase; http.host; content:"abyssalkraken.fit"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851129/; classtype:trojan-activity;sid:84714229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.130.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851128/; classtype:trojan-activity;sid:84714228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851127)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.230.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851127/; classtype:trojan-activity;sid:84714227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.43.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851126/; classtype:trojan-activity;sid:84714226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.179.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851125/; classtype:trojan-activity;sid:84714225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.21.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851124/; classtype:trojan-activity;sid:84714224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/018b89e9-79eb-4aa7-afba-edc294d38766/zone.id"; depth:45; endswith; nocase; http.host; content:"abyssalkraken.fit"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851123/; classtype:trojan-activity;sid:84714223; 
rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"123.5.185.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851122/; classtype:trojan-activity;sid:84714222; rev:1;)
# Rules of the form /<UUID>/zone.id pin one UUID path per rule. Several of them in
# this file point at the same host (abyssalkraken.fit), so a path with a new UUID on
# that host will not match until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5763dea5-3ada-47fb-b605-646ec5e417ac/zone.id"; depth:45; endswith; nocase; http.host; content:"abyssalkraken.fit"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851121/; classtype:trojan-activity;sid:84714221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.43.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851120/; classtype:trojan-activity;sid:84714220; rev:1;)
# Host is github.com, a shared platform. The rule is specific only because the URI
# pins the full release-asset path (63 bytes, exact match). Do not derive a host-only
# block from it.
# NOTE(review): this is an `alert http` rule, so it matches only where the request is
# visible to the engine as HTTP. Release downloads are normally fetched over HTTPS
# and will not reach this signature unless TLS is decrypted ahead of the sensor.
# Complement it with proxy or endpoint telemetry for the same URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/outsidepantherpucker/shngmkfy/releases/download/urgant/123.exe"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851119/; classtype:trojan-activity;sid:84714219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851118)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/594c0340-e897-4ef6-856a-16912f1ae821/zone.id"; depth:45; endswith; nocase; http.host; content:"abyssalkraken.fit"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851118/; classtype:trojan-activity;sid:84714218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.21.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851117/; classtype:trojan-activity;sid:84714217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.46.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851116/; classtype:trojan-activity;sid:84714216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7322572c-c26a-4597-9a93-65fdebc11653/zone.id"; depth:45; endswith; nocase; http.host; content:"chickencutlethacks.fit"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851115/; classtype:trojan-activity;sid:84714215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=074378f2-badc-4a74-b9e0-91ff2a40745c"; depth:47; endswith; nocase; http.host; content:"ntm4xnw3.renaissancefrescorestoration.digital"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, 
urlhaus.abuse.ch/url/3851114/; classtype:trojan-activity;sid:84714214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.32.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851113/; classtype:trojan-activity;sid:84714213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.116.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851112/; classtype:trojan-activity;sid:84714212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"110.37.116.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851111/; classtype:trojan-activity;sid:84714211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.116.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851110/; classtype:trojan-activity;sid:84714210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"110.37.116.127"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851109/; classtype:trojan-activity;sid:84714209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.46.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851108/; classtype:trojan-activity;sid:84714208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.128.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851107/; classtype:trojan-activity;sid:84714207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eee2f6c7-ef09-4838-8901-8e33fb759171/zone.id"; depth:45; endswith; nocase; http.host; content:"cyber-prosthetic.fit"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851106/; classtype:trojan-activity;sid:84714206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.98.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851105/; classtype:trojan-activity;sid:84714205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851104)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.15.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851104/; classtype:trojan-activity;sid:84714204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.15.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851103/; classtype:trojan-activity;sid:84714203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.98.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851102/; classtype:trojan-activity;sid:84714202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.215.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851101/; classtype:trojan-activity;sid:84714201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15dfc7e3-ff49-4028-a50d-13fcd1d61104/zone.id"; depth:45; endswith; nocase; http.host; content:"bakingstonetheory.fit"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851100/; classtype:trojan-activity;sid:84714200; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.118.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851099/; classtype:trojan-activity;sid:84714199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.56.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851098/; classtype:trojan-activity;sid:84714198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.42.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851097/; classtype:trojan-activity;sid:84714197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98a1df5c-d42b-4208-b5c1-ab4d41d96217/zone.id"; depth:45; endswith; nocase; http.host; content:"orbital-velocity.fit"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851096/; classtype:trojan-activity;sid:84714196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.118.95"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_21; reference:url, urlhaus.abuse.ch/url/3851095/; classtype:trojan-activity;sid:84714195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.56.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851094/; classtype:trojan-activity;sid:84714194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.118.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851093/; classtype:trojan-activity;sid:84714193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.74.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851092/; classtype:trojan-activity;sid:84714192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.42.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_21; reference:url, urlhaus.abuse.ch/url/3851091/; classtype:trojan-activity;sid:84714191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.63.203.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851090/; classtype:trojan-activity;sid:84714190; rev:1;)
# |3f| is hex notation for '?', so the rule expects the query string inside http.uri
# and the pattern decodes to 44 bytes: '/' + '?' + 'ublib=' + a 36-character UUID.
# NOTE(review): depth is 47, which is the length of the pattern text as written,
# with the escape counted as 4 characters. depth only bounds the search window and
# endswith anchors the end, so a URI up to 3 bytes longer that ends with this
# pattern also satisfies the rule. Every other rule here uses a depth equal to the
# pattern length. The effect is a slightly looser match, not a missed detection.
# The same applies to the other "|3f|ublib=" rules in this file (sids 84714236 and
# 84714214).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=6cdda7ea-a402-4533-a21f-640d3b374be6"; depth:47; endswith; nocase; http.host; content:"u2fl6mod.stratosphericweatherballoon.digital"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851089/; classtype:trojan-activity;sid:84714189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a92c584-94a4-4297-b90d-f75f989161e9/zone.id"; depth:45; endswith; nocase; http.host; content:"lasagnabakingsecrets.study"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851088/; classtype:trojan-activity;sid:84714188; rev:1;)
# Two-byte URI "/i" with an IP-literal host: the match is exact on both buffers, so
# the short path alone cannot trigger the rule against other hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851087/; classtype:trojan-activity;sid:84714187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.237.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851086/; classtype:trojan-activity;sid:84714186; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.34.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851085/; classtype:trojan-activity;sid:84714185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.180.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851084/; classtype:trojan-activity;sid:84714184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.105.131.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851083/; classtype:trojan-activity;sid:84714183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.74.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851082/; classtype:trojan-activity;sid:84714182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newupsh4"; depth:9; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851079/; 
classtype:trojan-activity;sid:84714179; rev:1;)
# The rules below share host 151.242.125.187 and differ only in the single path
# component (/newupx86, /newuparm7, /newupm68k, /newuparm, /newuparm6).
# NOTE(review): the suffixes look like CPU-architecture tags, presumably one payload
# build per architecture. Confirm this against the referenced URLhaus entries.
# Each URL has its own sid, so one client walking the list raises several alerts.
# For triage, group them by source address and this destination host rather than
# treating each sid as a separate incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newupx86"; depth:9; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851080/; classtype:trojan-activity;sid:84714180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuparm7"; depth:10; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851081/; classtype:trojan-activity;sid:84714181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newupm68k"; depth:10; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851069/; classtype:trojan-activity;sid:84714169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuparm"; depth:9; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851070/; classtype:trojan-activity;sid:84714170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuparm6"; depth:10; endswith; nocase; http.host; content:"151.242.125.187"; 
depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851071/; classtype:trojan-activity;sid:84714171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newupmpsl"; depth:10; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851072/; classtype:trojan-activity;sid:84714172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newupppc"; depth:9; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851073/; classtype:trojan-activity;sid:84714173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newupspc"; depth:9; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851074/; classtype:trojan-activity;sid:84714174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newuparm5"; depth:10; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851075/; classtype:trojan-activity;sid:84714175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851076)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/newupx64"; depth:9; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851076/; classtype:trojan-activity;sid:84714176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newupmips"; depth:10; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851077/; classtype:trojan-activity;sid:84714177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dck"; depth:4; endswith; nocase; http.host; content:"151.242.125.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851078/; classtype:trojan-activity;sid:84714178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eadc918f-5a19-4391-aa4e-4d8e16acd931/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"lasagnabakingsecrets.study"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851068/; classtype:trojan-activity;sid:84714168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851067/; classtype:trojan-activity;sid:84714167; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.237.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851066/; classtype:trojan-activity;sid:84714166; rev:1;)
# Triage notes for the rules below:
#   - They fire on the outbound request (flow:established,from_client), so an
#     alert shows that an internal host asked for the URL; whether a payload was
#     returned has to be confirmed from the response or the flow record.
#   - The `http` protocol keyword limits them to traffic Suricata parses as HTTP;
#     the same URL fetched over TLS is not inspected here unless it is decrypted
#     upstream.
#   - Generic paths (/i, /bin.sh) are meaningful only together with the exact
#     Host match in the same rule. Several hosts appear twice, once per path
#     (e.g. 219.155.81.49, 110.137.157.133), so grouping alerts by destination
#     host is more useful than grouping by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.81.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851065/; classtype:trojan-activity;sid:84714165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.180.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851064/; classtype:trojan-activity;sid:84714164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.137.157.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851063/; classtype:trojan-activity;sid:84714163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851062/; classtype:trojan-activity;sid:84714162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.105.131.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851061/; classtype:trojan-activity;sid:84714161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.174.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851060/; classtype:trojan-activity;sid:84714160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.34.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851059/; classtype:trojan-activity;sid:84714159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.255.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851058/; classtype:trojan-activity;sid:84714158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/14.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851056/; classtype:trojan-activity;sid:84714156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/13.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851057/; classtype:trojan-activity;sid:84714157; rev:1;)
# Recurring shape from here on: /<UUID>/ggl.bsc on .study and .garden hosts.
# Each rule pins one UUID and one host name in full, so a new UUID or a new
# subdomain is matched only once the feed carries an entry for it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6f0a374-82c8-4db4-b643-11faeac072a8/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"mpvcbz.quantumvelocitylabs.study"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851055/; classtype:trojan-activity;sid:84714155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.81.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851054/; classtype:trojan-activity;sid:84714154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851053/; classtype:trojan-activity;sid:84714153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2fd2fc28-dbe8-4486-ba35-156ef280d1ef/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"sdnzyq.botanical-control-system.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851052/; classtype:trojan-activity;sid:84714152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.249.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851051/; classtype:trojan-activity;sid:84714151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.137.157.133"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851050/; classtype:trojan-activity;sid:84714150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.246.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851049/; classtype:trojan-activity;sid:84714149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9817e90e-4131-4a6d-b74c-70783eae83d8/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"icfzyz.distributedgrowthengine.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851048/; classtype:trojan-activity;sid:84714148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.181.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851047/; classtype:trojan-activity;sid:84714147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.118.95"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851046/; classtype:trojan-activity;sid:84714146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fdfd834c-fa9a-453c-be53-f12c71dc1213/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"wknzex.petalresourcehub.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851045/; classtype:trojan-activity;sid:84714145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.249.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851044/; classtype:trojan-activity;sid:84714144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06b418ca-748f-48a6-a20b-734b940a6b25/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"azktfv.wildflora-processing-network.garden"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851043/; classtype:trojan-activity;sid:84714143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.2.191"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851042/; classtype:trojan-activity;sid:84714142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1d5423bf-35bc-40e2-b6c5-1510da2bc4b6/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"jalfms.gardenworkflowplatform.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851041/; classtype:trojan-activity;sid:84714141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.231.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851040/; classtype:trojan-activity;sid:84714140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5002dd12-4d3c-4ba5-a6d6-d10b81a01af6/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"microflora-management-hub.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; 
reference:url, urlhaus.abuse.ch/url/3851039/; classtype:trojan-activity;sid:84714139; rev:1;)
# Every rule below matches one exact URL: method contains "GET", http.uri equals
# the listed path (depth + endswith, nocase) and http.host equals the listed
# host (depth + isdataat:!1,relative). The two rules containing |3f| are the
# exception on the URI side; see the notes placed directly above them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c6f2d6a-e99f-4df0-b3a5-a5f4bcbb234d/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"bloomdistributioncenter.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851038/; classtype:trojan-activity;sid:84714138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.246.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851037/; classtype:trojan-activity;sid:84714137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c3ae8f5-11dc-41f8-a9d0-1f68c169f758/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"bloomdistributioncenter.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851036/; classtype:trojan-activity;sid:84714136; rev:1;)
# NOTE(review): |3f| is a one-byte hex escape ('?'), so the pattern below is 44
# bytes long, while depth is 47, the length of the escaped rule text. Unlike the
# other rules, the URI match is therefore not pinned to offset 0: up to three
# bytes may precede the pattern. The listed URL itself is still matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=4751ca68-e62b-467c-890f-2e4b2af0624b"; depth:47; endswith; nocase; http.host; content:"37lzounh.holographicprojectiongrid.digital"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851035/; classtype:trojan-activity;sid:84714135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.132.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851034/; classtype:trojan-activity;sid:84714134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.113.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851033/; classtype:trojan-activity;sid:84714133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.128.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851032/; classtype:trojan-activity;sid:84714132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeee4ce7-78b8-45f1-a191-b004e6812bb7/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"gardeninfrastructurecore.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851031/; classtype:trojan-activity;sid:84714131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.113.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851030/; classtype:trojan-activity;sid:84714130; rev:1;)
# 91.92.242.236: two entries under the same /files-129312398/files/ directory,
# differing only in the file name; each file name is matched in full.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e0d9fc225974f3bc.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851029/; classtype:trojan-activity;sid:84714129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851028/; classtype:trojan-activity;sid:84714128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.132.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851027/; classtype:trojan-activity;sid:84714127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.123.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851026/; classtype:trojan-activity;sid:84714126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a84633d24262c0c0.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851025/; classtype:trojan-activity;sid:84714125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/494aaf58-8c89-4813-889a-9d3dffc3b79f/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"ybhyrjaj.asynchronouswateringmesh.garden"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851024/; classtype:trojan-activity;sid:84714124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.135.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851023/; classtype:trojan-activity;sid:84714123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.135.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851022/; classtype:trojan-activity;sid:84714122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.204.196.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851021/; classtype:trojan-activity;sid:84714121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6aa2b68e-97af-479b-87e4-1c849c5adcae/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"bedzvnbo.ecosystemresourceplatform.garden"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851020/; classtype:trojan-activity;sid:84714120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.224.80.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851019/; classtype:trojan-activity;sid:84714119; rev:1;)
# NOTE(review): same depth mismatch as the other |3f| rule: the decoded pattern
# is 44 bytes, depth is 47, so up to three leading bytes are tolerated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0950cea8-0588-4d93-97c5-e14718431cfe"; depth:47; endswith; nocase; http.host; content:"frcdk4gw.deepseahydrothermalvent.digital"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851018/; classtype:trojan-activity;sid:84714118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.239.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851017/; classtype:trojan-activity;sid:84714117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.37.56"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851016/; classtype:trojan-activity;sid:84714116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4e81070d-014e-4096-9673-3fb5d09e81dc/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"tifameat.containerized-growth-engine.garden"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851015/; classtype:trojan-activity;sid:84714115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.239.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851014/; classtype:trojan-activity;sid:84714114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.206.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851013/; classtype:trojan-activity;sid:84714113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.37.56"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851012/; classtype:trojan-activity;sid:84714112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3851011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.235.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851011/; classtype:trojan-activity;sid:84714111; rev:1;)
# Each rule below matches one exact URL on the request side: method contains
# "GET", http.uri equals the listed path (depth + endswith, nocase), http.host
# equals the listed host (depth + isdataat:!1,relative).
# Several hosts are listed twice, once with /i and once with /bin.sh
# (e.g. 115.55.54.153 and 42.3.3.190), so alerts are best correlated by
# destination host rather than by individual sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"138.204.196.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851010/; classtype:trojan-activity;sid:84714110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851009/; classtype:trojan-activity;sid:84714109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.128.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851008/; classtype:trojan-activity;sid:84714108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/22e55b61-15de-4da3-bf1e-2f0d875f58d6/ggl.bsc"; depth:45; endswith; nocase; http.host; content:"zqbegtka.floraanalyticshub.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851007/; classtype:trojan-activity;sid:84714107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.81.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851006/; classtype:trojan-activity;sid:84714106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.54.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851005/; classtype:trojan-activity;sid:84714105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.230.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851004/; classtype:trojan-activity;sid:84714103; rev:1;)
# Same /<UUID>/<file> shape and the same parent domain (floraanalyticshub.garden)
# as entry 3851007 above, with file name google.cl and a different subdomain;
# subdomain and UUID are both matched in full.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbd819d8-cb31-41b8-8ca8-1d09a2cf3d98/google.cl"; depth:47; endswith; nocase; http.host; content:"jzufjrnq.floraanalyticshub.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851003/; classtype:trojan-activity;sid:84714103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"104.236.37.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851002/; classtype:trojan-activity;sid:84714102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.3.3.190"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851001/; classtype:trojan-activity;sid:84714101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3851000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3851000/; classtype:trojan-activity;sid:84714100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.54.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850999/; classtype:trojan-activity;sid:84714099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.17.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850998/; classtype:trojan-activity;sid:84714098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850996/; classtype:trojan-activity;sid:84714096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.253.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850997/; classtype:trojan-activity;sid:84714097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850995/; classtype:trojan-activity;sid:84714095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.170.120.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850994/; classtype:trojan-activity;sid:84714094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.3.3.190"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850993/; classtype:trojan-activity;sid:84714093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3850992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850992/; classtype:trojan-activity;sid:84714092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/963d16d1-e176-49a4-9a71-1df9549e4b2f/google.cl"; depth:47; endswith; nocase; http.host; content:"fxwklbyr.meadowprocessingframework.garden"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850991/; classtype:trojan-activity;sid:84714091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.209.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850989/; classtype:trojan-activity;sid:84714089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.133.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850990/; classtype:trojan-activity;sid:84714090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.255.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, 
urlhaus.abuse.ch/url/3850988/; classtype:trojan-activity;sid:84714088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850987/; classtype:trojan-activity;sid:84714087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.17.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850986/; classtype:trojan-activity;sid:84714086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.253.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850985/; classtype:trojan-activity;sid:84714085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=d96b118b-c632-4f00-9440-af1b09eb48e9"; depth:47; endswith; nocase; http.host; content:"wrhorqww.gothiccathedralblueprint.digital"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850984/; classtype:trojan-activity;sid:84714084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850983)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850983/; classtype:trojan-activity;sid:84714083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.113.106.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850982/; classtype:trojan-activity;sid:84714082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.76.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850981/; classtype:trojan-activity;sid:84714081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.210.123.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850980/; classtype:trojan-activity;sid:84714080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.183.254.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850976/; classtype:trojan-activity;sid:84714076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850977)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.23.87.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850977/; classtype:trojan-activity;sid:84714077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.3.108.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850978/; classtype:trojan-activity;sid:84714078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.35.13.228"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850979/; classtype:trojan-activity;sid:84714079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"65.186.8.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850971/; classtype:trojan-activity;sid:84714071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.109.132.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850972/; classtype:trojan-activity;sid:84714072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3850973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.51.156.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850973/; classtype:trojan-activity;sid:84714073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.225.67.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850974/; classtype:trojan-activity;sid:84714074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.229.20.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850975/; classtype:trojan-activity;sid:84714075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.78.191.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850970/; classtype:trojan-activity;sid:84714070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.43.75.2"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850968/; classtype:trojan-activity;sid:84714068; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.203.168.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850969/; classtype:trojan-activity;sid:84714069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.51.122.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850967/; classtype:trojan-activity;sid:84714067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.248.101.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850962/; classtype:trojan-activity;sid:84714062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.117.51.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850963/; classtype:trojan-activity;sid:84714063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, 
urlhaus.abuse.ch/url/3850964/; classtype:trojan-activity;sid:84714064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850965/; classtype:trojan-activity;sid:84714065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850966/; classtype:trojan-activity;sid:84714066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.248.101.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850953/; classtype:trojan-activity;sid:84714053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.198.224.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850954/; classtype:trojan-activity;sid:84714054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.100.36.247"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850955/; classtype:trojan-activity;sid:84714055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850956/; classtype:trojan-activity;sid:84714056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.174.153.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850957/; classtype:trojan-activity;sid:84714057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.100.36.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850958/; classtype:trojan-activity;sid:84714058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.112.124.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850959/; classtype:trojan-activity;sid:84714059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850960/; classtype:trojan-activity;sid:84714060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.123.4.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850961/; classtype:trojan-activity;sid:84714061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.248.101.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850950/; classtype:trojan-activity;sid:84714050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"158.94.208.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850951/; classtype:trojan-activity;sid:84714051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.174.153.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850952/; classtype:trojan-activity;sid:84714052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850947)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.69.218.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850947/; classtype:trojan-activity;sid:84714047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.39.60.206"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850948/; classtype:trojan-activity;sid:84714048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.203.81.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850949/; classtype:trojan-activity;sid:84714049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.149.160.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850944/; classtype:trojan-activity;sid:84714044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.16.236.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850945/; classtype:trojan-activity;sid:84714045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3850946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.90.225.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850946/; classtype:trojan-activity;sid:84714046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.46.58.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850935/; classtype:trojan-activity;sid:84714035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.250.157.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850936/; classtype:trojan-activity;sid:84714036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.142.70.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850937/; classtype:trojan-activity;sid:84714037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.102.89.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850938/; classtype:trojan-activity;sid:84714038; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.168.128.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850939/; classtype:trojan-activity;sid:84714039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.4.156.50"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850940/; classtype:trojan-activity;sid:84714040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.203.86.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850941/; classtype:trojan-activity;sid:84714041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.46.73.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850942/; classtype:trojan-activity;sid:84714042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.114.239.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850943/; 
classtype:trojan-activity;sid:84714043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.229.5.214"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850932/; classtype:trojan-activity;sid:84714032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.165.146.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850933/; classtype:trojan-activity;sid:84714033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.112.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850934/; classtype:trojan-activity;sid:84714034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.217.3.191"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850913/; classtype:trojan-activity;sid:84714013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.62.41.165"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_20; reference:url, urlhaus.abuse.ch/url/3850914/; classtype:trojan-activity;sid:84714014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"158.94.208.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850915/; classtype:trojan-activity;sid:84714015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.174.153.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850916/; classtype:trojan-activity;sid:84714016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"158.94.208.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850917/; classtype:trojan-activity;sid:84714017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.18.147.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850918/; classtype:trojan-activity;sid:84714018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"46.151.178.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850919/; classtype:trojan-activity;sid:84714019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.133.239.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850920/; classtype:trojan-activity;sid:84714020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.123.4.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850921/; classtype:trojan-activity;sid:84714021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850922/; classtype:trojan-activity;sid:84714022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850923/; classtype:trojan-activity;sid:84714023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850924)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850924/; classtype:trojan-activity;sid:84714024; rev:1;)
# Each rule below alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET (established
# flow, client side) whose URI and Host header both equal the listed values exactly:
# depth + endswith pins the whole URI (case-insensitively), and depth +
# isdataat:!1,relative requires that no byte follows the host content.
# The destination port is "any", so several entries share identical match logic:
# sids 84714024, 84714026, 84714027, 84714029 and 84714030 all match GET /i with
# Host 47.111.109.74, and 84714025 / 84714031 both match 47.123.4.165. One request
# can therefore raise several alerts. Presumably the source URLs differ only in a
# field the rule does not encode (e.g. port) -- confirm on the referenced URLhaus
# pages, and de-duplicate on Host + URI during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.123.4.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850925/; classtype:trojan-activity;sid:84714025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850926/; classtype:trojan-activity;sid:84714026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850927/; classtype:trojan-activity;sid:84714027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.58.73.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850928/; classtype:trojan-activity;sid:84714028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850929/; classtype:trojan-activity;sid:84714029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.111.109.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850930/; classtype:trojan-activity;sid:84714030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.123.4.165"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850931/; classtype:trojan-activity;sid:84714031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850909/; classtype:trojan-activity;sid:84714009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850910/; classtype:trojan-activity;sid:84714010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.248.101.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850911/; classtype:trojan-activity;sid:84714011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.82.62.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850912/; classtype:trojan-activity;sid:84714012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.11.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850908/; classtype:trojan-activity;sid:84714008; rev:1;)
# The remaining rules in this run key on the URI /bin.sh instead of /i.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.10.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850907/; classtype:trojan-activity;sid:84714007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.133.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850906/; 
classtype:trojan-activity;sid:84714006; rev:1;)
# Same exact-match template as the surrounding rules: HTTP GET, whole URI
# (depth + endswith, nocase), whole Host header (depth + isdataat:!1,relative).
# Two rules here key on a hostname rather than an IP literal: tvlhpsjn. and
# fgbojhem. under meadowprocessingframework.garden, each with a UUID-style path.
# Because the Host match is exact, other subdomains of that parent domain are not
# covered by these sids; DNS or proxy logs for the parent domain are where sibling
# hosts would show up.
# The /sshd rules match an HTTP download of a file with that name, not SSH traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/553205c1-7f6b-4950-a3ba-27dbf65e52ea/google.cl"; depth:47; endswith; nocase; http.host; content:"tvlhpsjn.meadowprocessingframework.garden"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850905/; classtype:trojan-activity;sid:84714005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.196.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850904/; classtype:trojan-activity;sid:84714004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850903/; classtype:trojan-activity;sid:84714003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.236.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850902/; classtype:trojan-activity;sid:84714002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.124.54.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850901/; classtype:trojan-activity;sid:84714001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.196.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850900/; classtype:trojan-activity;sid:84714000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fc3759bf-7e4e-41f2-a5d8-08a0b0dbd2b9/google.ct"; depth:47; endswith; nocase; http.host; content:"fgbojhem.meadowprocessingframework.garden"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850899/; classtype:trojan-activity;sid:84713999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.212.61.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850898/; classtype:trojan-activity;sid:84713998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.19.123.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850897/; classtype:trojan-activity;sid:84713997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3850896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.17.58.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850896/; classtype:trojan-activity;sid:84713996; rev:1;)
# All rules in this run match an HTTP GET for exactly "/sshd" (depth:5 + endswith,
# nocase) to one IP-literal Host value. This is an HTTP file download named like the
# SSH daemon, not SSH protocol traffic.
# Hosts repeat across sids (120.157.59.194 in 84713989, 84713988 and 84713980;
# 41.146.12.81 in 84713993 and 84713985), so a single request can fire more than
# one alert.
# http.host reflects the request's Host header, so these only fire when the client
# addressed the server by that literal value over HTTP that the sensor can parse.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"120.157.4.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850894/; classtype:trojan-activity;sid:84713994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.28.19.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850895/; classtype:trojan-activity;sid:84713995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.125.33.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850890/; classtype:trojan-activity;sid:84713990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.151.0.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850891/; classtype:trojan-activity;sid:84713991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"149.210.44.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850892/; classtype:trojan-activity;sid:84713992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"41.146.12.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850893/; classtype:trojan-activity;sid:84713993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"120.157.59.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850889/; classtype:trojan-activity;sid:84713989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"120.157.59.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850888/; classtype:trojan-activity;sid:84713988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"74.66.64.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850887/; classtype:trojan-activity;sid:84713987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"27.69.76.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850886/; classtype:trojan-activity;sid:84713986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"120.157.59.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850880/; classtype:trojan-activity;sid:84713980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"105.225.99.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850881/; classtype:trojan-activity;sid:84713981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.85.90"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850882/; classtype:trojan-activity;sid:84713982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.31.201.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850883/; classtype:trojan-activity;sid:84713983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"152.173.210.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850884/; classtype:trojan-activity;sid:84713984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"41.146.12.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850885/; classtype:trojan-activity;sid:84713985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.63.101.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850876/; classtype:trojan-activity;sid:84713976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"45.144.93.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850877/; classtype:trojan-activity;sid:84713977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; 
depth:5; endswith; nocase; http.host; content:"2.54.81.12"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850878/; classtype:trojan-activity;sid:84713978; rev:1;)
# GET /sshd exact-match rules: whole URI via depth:5 + endswith (nocase), whole Host
# header via depth + isdataat:!1,relative. Every rule carries
# metadata:created_at 2026_05_20 and rev:1, and the rules shown carry no expiry.
# IP-literal indicators can go stale as addresses are reassigned, so check a hit
# against the entry's current status on the referenced URLhaus page.
# Repeated hosts in this run: 120.157.59.194 (84713967, 84713968, 84713960),
# 102.212.61.41 (84713972, 84713965), 5.185.55.173 (84713971, 84713958).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"42.116.145.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850879/; classtype:trojan-activity;sid:84713979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.8.20.75"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850874/; classtype:trojan-activity;sid:84713974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.29.69.141"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850875/; classtype:trojan-activity;sid:84713975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"120.157.59.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850867/; classtype:trojan-activity;sid:84713967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"120.157.59.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850868/; classtype:trojan-activity;sid:84713968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.25.2.23"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850869/; classtype:trojan-activity;sid:84713969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.152.253.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850870/; classtype:trojan-activity;sid:84713970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"5.185.55.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850871/; classtype:trojan-activity;sid:84713971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.212.61.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850872/; classtype:trojan-activity;sid:84713972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"74.66.64.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850873/; classtype:trojan-activity;sid:84713973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.212.61.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850865/; classtype:trojan-activity;sid:84713965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"203.114.63.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850866/; classtype:trojan-activity;sid:84713966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"120.157.59.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850860/; classtype:trojan-activity;sid:84713960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.32.179.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850861/; classtype:trojan-activity;sid:84713961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.89.92"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850862/; classtype:trojan-activity;sid:84713962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"79.1.229.42"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850863/; classtype:trojan-activity;sid:84713963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.29.186.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850864/; classtype:trojan-activity;sid:84713964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"5.185.55.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850858/; classtype:trojan-activity;sid:84713958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.136.203.189"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850859/; classtype:trojan-activity;sid:84713959; rev:1;)
# GET /sshd exact-match rules, one IP-literal Host value per sid.
# Direction is fixed to $HOME_NET -> $EXTERNAL_NET, so detection depends on those
# variables being set correctly for the sensor; a download server that falls inside
# $HOME_NET would not match.
# classtype is trojan-activity on every rule, so alert priority comes from the
# sensor's classification configuration rather than from the rule itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.19.49.215"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850856/; classtype:trojan-activity;sid:84713956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.80.149.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850857/; classtype:trojan-activity;sid:84713957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.31.201.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850853/; classtype:trojan-activity;sid:84713953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"113.165.199.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850854/; classtype:trojan-activity;sid:84713954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.8.24.176"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850855/; classtype:trojan-activity;sid:84713955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"113.166.94.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850851/; classtype:trojan-activity;sid:84713951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"14.250.149.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850852/; classtype:trojan-activity;sid:84713952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.110.207.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850850/; classtype:trojan-activity;sid:84713950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.73.169.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850848/; classtype:trojan-activity;sid:84713948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"116.106.114.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850849/; classtype:trojan-activity;sid:84713949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"136.233.149.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850842/; classtype:trojan-activity;sid:84713942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.96.52"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850843/; classtype:trojan-activity;sid:84713943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.40.52.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850844/; classtype:trojan-activity;sid:84713944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"183.185.247.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850845/; classtype:trojan-activity;sid:84713945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"5.185.55.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850846/; classtype:trojan-activity;sid:84713946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.96.198"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850847/; classtype:trojan-activity;sid:84713947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.25.2.23"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850838/; classtype:trojan-activity;sid:84713938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.132.114.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850839/; classtype:trojan-activity;sid:84713939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850840/; classtype:trojan-activity;sid:84713940; 
rev:1;)
# Further GET /sshd exact-match rules (whole URI, whole Host header, any port).
# Identical match logic again appears under different sids: 88.8.20.75 (84713937,
# 84713924, 84713918), 5.185.55.173 (84713927, 84713928), 45.144.93.164 (84713923,
# 84713922). When counting affected hosts from alerts, group by source address and
# Host value rather than by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.30.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850841/; classtype:trojan-activity;sid:84713941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.8.20.75"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850837/; classtype:trojan-activity;sid:84713937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"14.185.85.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850835/; classtype:trojan-activity;sid:84713935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"212.156.106.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850836/; classtype:trojan-activity;sid:84713936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.210.131.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850834/; classtype:trojan-activity;sid:84713934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.96.91"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850826/; classtype:trojan-activity;sid:84713926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"5.185.55.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850827/; classtype:trojan-activity;sid:84713927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"5.185.55.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850828/; classtype:trojan-activity;sid:84713928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.152.253.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850829/; classtype:trojan-activity;sid:84713929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"74.66.64.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850830/; classtype:trojan-activity;sid:84713930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"171.235.204.103"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850831/; classtype:trojan-activity;sid:84713931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"116.103.170.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850832/; classtype:trojan-activity;sid:84713932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"116.105.132.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850833/; classtype:trojan-activity;sid:84713933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.8.20.75"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850824/; classtype:trojan-activity;sid:84713924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.124.98.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850825/; classtype:trojan-activity;sid:84713925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"45.144.93.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850823/; classtype:trojan-activity;sid:84713923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.25.2.23"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850821/; classtype:trojan-activity;sid:84713921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"45.144.93.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850822/; classtype:trojan-activity;sid:84713922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.8.20.75"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850818/; classtype:trojan-activity;sid:84713918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850819)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.94.142"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850819/; classtype:trojan-activity;sid:84713919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.151.0.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850820/; classtype:trojan-activity;sid:84713920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.236.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850817/; classtype:trojan-activity;sid:84713917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.124.54.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850816/; classtype:trojan-activity;sid:84713916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.162.46.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850815/; classtype:trojan-activity;sid:84713915; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.204.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850814/; classtype:trojan-activity;sid:84713914; rev:1;)
# Every rule in this span has the same shape: a client GET seen as HTTP from $HOME_NET to $EXTERNAL_NET,
# http.uri equal to the quoted path (depth:<len> + endswith, nocase) and http.host equal to the quoted
# host (depth:<len> + isdataat:!1,relative). For the two-byte path "/i" the host condition is what
# makes the rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.219.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850813/; classtype:trojan-activity;sid:84713913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.238.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850812/; classtype:trojan-activity;sid:84713912; rev:1;)
# Group: hosts 190.255.90.152 and 202.10.47.112 serving Windows script and executable files
# (.js, .wsf, .vbs, .bat, .cmd, .exe).
# NOTE(review): names such as "microsfot22h2.wsf", "seend.bat" and "exclsuion.vbs" are indicators copied
# into the rule content as-is; do not "correct" the spelling when maintaining these rules.
# NOTE(review): on an alert, correlate with endpoint telemetry for wscript.exe / cscript.exe / cmd.exe
# activity on the requesting host shortly after the download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.js"; depth:8; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850806/; classtype:trojan-activity;sid:84713906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsfot22h2.wsf"; depth:18; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850807/; classtype:trojan-activity;sid:84713907; rev:1;)
# NOTE(review): the next rule's content holds a literal "%20" and its depth is counted on that encoded
# form. Suricata documents http.uri as the normalized URI (with %20 converted to a space) and
# http.uri.raw as the unmodified one, so this rule may never match as written. Replay a sample request
# to confirm; if it does not fire, match on http.uri.raw instead. The same applies to sid 84713911
# ("/tarea%20pogramada.wsf") and sid 84713902 ("/prueba%202.cmd").
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tarea%20de%20js.wsf"; depth:20; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850808/; classtype:trojan-activity;sid:84713908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bat.wsf"; depth:8; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850809/; classtype:trojan-activity;sid:84713909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows22h2.wsf"; depth:16; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850810/; classtype:trojan-activity;sid:84713910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tarea%20pogramada.wsf"; depth:22; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850811/; classtype:trojan-activity;sid:84713911; rev:1;)
# "/svchost.exe" is named like the Windows service host binary; the alert is about this host serving
# it, not about the name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svchost.exe"; depth:12; endswith; nocase; http.host; content:"202.10.47.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850801/; classtype:trojan-activity;sid:84713901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prueba%202.cmd"; depth:15; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850802/; classtype:trojan-activity;sid:84713902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.bat"; depth:9; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850803/; classtype:trojan-activity;sid:84713903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seend.bat"; depth:10; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850804/; classtype:trojan-activity;sid:84713904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudohold.vbs"; depth:13; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850805/; classtype:trojan-activity;sid:84713905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exclsuion.vbs"; depth:14; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850798/; classtype:trojan-activity;sid:84713898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stager.vbs"; depth:11; endswith; nocase; http.host; content:"202.10.47.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850799/; classtype:trojan-activity;sid:84713899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold.vbs"; depth:9; endswith; nocase; http.host; content:"190.255.90.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850800/; classtype:trojan-activity;sid:84713900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.171.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850797/; classtype:trojan-activity;sid:84713897; rev:1;)
# NOTE(review): "mscomctl.ocx" is also the file name of a legitimate Microsoft control library; the
# rule below is meaningful because of the host it names, not because of the file name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"108.61.209.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850796/;
classtype:trojan-activity;sid:84713896; rev:1;)
# Rules in this span share one shape: a client GET seen as HTTP from $HOME_NET to $EXTERNAL_NET, with
# http.uri equal to the quoted path (depth:<len> + endswith, nocase) and http.host equal to the quoted
# host (depth:<len> + isdataat:!1,relative).
#
# Group: "/cloud/*.ocx" on 108.61.209.100.
# NOTE(review): .ocx is the extension used for ActiveX control libraries - presumably these are
# Windows binaries; confirm on the referenced URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"108.61.209.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850794/; classtype:trojan-activity;sid:84713894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"108.61.209.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850795/; classtype:trojan-activity;sid:84713895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.42.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850793/; classtype:trojan-activity;sid:84713893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.143.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850792/; classtype:trojan-activity;sid:84713892; rev:1;)
# Domain-based rule: the host must equal "kzwvrleb.irrigation-monitoring-system.garden" exactly
# (depth:44 is its full length) and the path carries a UUID-like directory. Other host names under the
# same parent domain are not covered by this rule.
# NOTE(review): unlike the bare-IP rules, a domain indicator can also be hunted in DNS and proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c84e71a5-9a8a-4af0-aa57-27664fc71ace/google.ct"; depth:47; endswith; nocase; http.host; content:"kzwvrleb.irrigation-monitoring-system.garden"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850791/; classtype:trojan-activity;sid:84713891; rev:1;)
# Group: "/update.<arch>" on 163.5.102.233 and "/mpsl" on 176.65.139.193. The file names are
# CPU-architecture labels (x86_64, sparc, mips).
# NOTE(review): presumably per-architecture builds of one payload for Linux/embedded devices - confirm
# on the URLhaus entries. The $HOME_NET address that made the request is the asset to investigate.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.x86_64"; depth:14; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850786/; classtype:trojan-activity;sid:84713886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.sparc"; depth:13; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850787/; classtype:trojan-activity;sid:84713887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.mips"; depth:12; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850788/; classtype:trojan-activity;sid:84713888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850789/; classtype:trojan-activity;sid:84713889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3850790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.armv7l"; depth:14; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850790/; classtype:trojan-activity;sid:84713890; rev:1;)
# Rules in this span: client GET seen as HTTP from $HOME_NET to $EXTERNAL_NET, http.uri equal to the
# quoted path (depth:<len> + endswith, nocase), http.host equal to the quoted host
# (depth:<len> + isdataat:!1,relative).
# A handful of hosts (179.43.182.70, 185.254.28.148, 163.61.39.198, 163.5.102.233, badoxa7777.lol,
# happytugsbakery.com) each serve several files whose names are CPU-architecture labels
# (mips, mipsel, i486, i686, x86, x86_64, armv5l, armv6l, arm7, sh4, ...).
# NOTE(review): presumably per-architecture builds of one payload for Linux/embedded devices - confirm
# on the URLhaus entries. The requesting $HOME_NET address is the asset to isolate and inspect.
# NOTE(review): these rules depend on $HOME_NET / $EXTERNAL_NET being set to match the monitored
# network in the sensor configuration; with a wrong HOME_NET the direction test never matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850785/; classtype:trojan-activity;sid:84713885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850778/; classtype:trojan-activity;sid:84713878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot"; depth:4; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850779/; classtype:trojan-activity;sid:84713879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850780/; classtype:trojan-activity;sid:84713880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850781/; classtype:trojan-activity;sid:84713881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850782/; classtype:trojan-activity;sid:84713882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850783/; classtype:trojan-activity;sid:84713883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850784/; classtype:trojan-activity;sid:84713884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850777/; classtype:trojan-activity;sid:84713877; rev:1;)
# Domain-based hosts (badoxa7777.lol, happytugsbakery.com): the host buffer must equal the name exactly.
# NOTE(review): domain indicators can additionally be hunted in DNS and proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850774/; classtype:trojan-activity;sid:84713874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850775/; classtype:trojan-activity;sid:84713875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850776/; classtype:trojan-activity;sid:84713876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850773/; classtype:trojan-activity;sid:84713873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.arc"; depth:11; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850770/; classtype:trojan-activity;sid:84713870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.aarch64"; depth:20; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850771/; classtype:trojan-activity;sid:84713871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850772/; classtype:trojan-activity;sid:84713872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850768/; classtype:trojan-activity;sid:84713868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850769/; classtype:trojan-activity;sid:84713869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850765/; classtype:trojan-activity;sid:84713865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850766/; classtype:trojan-activity;sid:84713866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.armv5l"; depth:19; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850767/; classtype:trojan-activity;sid:84713867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850763/; classtype:trojan-activity;sid:84713863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850764/; classtype:trojan-activity;sid:84713864; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.aarch64"; depth:15; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850762/; classtype:trojan-activity;sid:84713862; rev:1;)
# Rules in this span: client GET seen as HTTP from $HOME_NET to $EXTERNAL_NET, http.uri equal to the
# quoted path (depth:<len> + endswith, nocase), http.host equal to the quoted host
# (depth:<len> + isdataat:!1,relative). The number in msg and in the reference URL is the URLhaus
# entry id; each rule has its own sid.
# The same few hosts recur with many architecture-named paths ("/aarch64", "/ppc64", "/m68k",
# "/bins/update.<arch>", ...) plus a shell script ("/cat.sh").
# NOTE(review): each rule covers exactly one path on one host; sibling files on the same host that are
# not listed yet will not alert. Consider a host-level watch on these destinations in flow or proxy
# logs alongside the per-URL rules.
# NOTE(review): all entries carry metadata:created_at 2026_05_20; bare-IP indicators age quickly, so
# review or expire them by that date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850760/; classtype:trojan-activity;sid:84713860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850761/; classtype:trojan-activity;sid:84713861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.mips"; depth:17; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850759/; classtype:trojan-activity;sid:84713859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850746/; classtype:trojan-activity;sid:84713846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.sparc"; depth:18; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850747/; classtype:trojan-activity;sid:84713847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.armv6l"; depth:19; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850748/; classtype:trojan-activity;sid:84713848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850749/; classtype:trojan-activity;sid:84713849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850750/; classtype:trojan-activity;sid:84713850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850751/; classtype:trojan-activity;sid:84713851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsrouter"; depth:11; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850752/; classtype:trojan-activity;sid:84713852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850753/; classtype:trojan-activity;sid:84713853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"163.61.39.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850754/; classtype:trojan-activity;sid:84713854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850755/; classtype:trojan-activity;sid:84713855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850756/; classtype:trojan-activity;sid:84713856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850757/; classtype:trojan-activity;sid:84713857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.armv7l"; depth:19; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850758/; classtype:trojan-activity;sid:84713858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850739/; classtype:trojan-activity;sid:84713839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.mipsrouter"; depth:18; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850740/; classtype:trojan-activity;sid:84713840; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.armv4l"; depth:19; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850741/; classtype:trojan-activity;sid:84713841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.i486"; depth:12; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850742/; classtype:trojan-activity;sid:84713842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850743/; classtype:trojan-activity;sid:84713843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.armv5l"; depth:14; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850744/; classtype:trojan-activity;sid:84713844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.m68k"; depth:12; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850745/; classtype:trojan-activity;sid:84713845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm7"; depth:15; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850736/; classtype:trojan-activity;sid:84713836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850737/; classtype:trojan-activity;sid:84713837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.sh4"; depth:11; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850738/; classtype:trojan-activity;sid:84713838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850735/; classtype:trojan-activity;sid:84713835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850734)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850734/; classtype:trojan-activity;sid:84713834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850719/; classtype:trojan-activity;sid:84713819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.x86_64"; depth:19; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850720/; classtype:trojan-activity;sid:84713820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.arc"; depth:16; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850721/; classtype:trojan-activity;sid:84713821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.m68k"; depth:17; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850722/; classtype:trojan-activity;sid:84713822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3850723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.sh4"; depth:16; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850723/; classtype:trojan-activity;sid:84713823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.mipsel"; depth:14; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850724/; classtype:trojan-activity;sid:84713824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850725/; classtype:trojan-activity;sid:84713825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850726/; classtype:trojan-activity;sid:84713826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.armv4l"; depth:14; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850727/; 
classtype:trojan-activity;sid:84713827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.armv6l"; depth:14; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850728/; classtype:trojan-activity;sid:84713828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.powerpc"; depth:20; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850729/; classtype:trojan-activity;sid:84713829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.powerpc"; depth:15; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850730/; classtype:trojan-activity;sid:84713830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.i486"; depth:17; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850731/; classtype:trojan-activity;sid:84713831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.mipsel"; depth:19; endswith; nocase; http.host; 
content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850732/; classtype:trojan-activity;sid:84713832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/update.mipsrouter"; depth:23; endswith; nocase; http.host; content:"163.5.102.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850733/; classtype:trojan-activity;sid:84713833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850703/; classtype:trojan-activity;sid:84713803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850704/; classtype:trojan-activity;sid:84713804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850705/; classtype:trojan-activity;sid:84713805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850706)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850706/; classtype:trojan-activity;sid:84713806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850707/; classtype:trojan-activity;sid:84713807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850708/; classtype:trojan-activity;sid:84713808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850709/; classtype:trojan-activity;sid:84713809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850710/; classtype:trojan-activity;sid:84713810; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850711/; classtype:trojan-activity;sid:84713811; rev:1;)
# The URI content in the next rule is only two characters ("/x"). The rule is
# specific solely because the http.host content must equal 176.65.139.193 in
# the same request; keep that host match intact if the rule is tuned locally,
# otherwise the URI part alone would match unrelated traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"176.65.139.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850712/; classtype:trojan-activity;sid:84713812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850713/; classtype:trojan-activity;sid:84713813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"happytugsbakery.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850714/; classtype:trojan-activity;sid:84713814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, 
urlhaus.abuse.ch/url/3850715/; classtype:trojan-activity;sid:84713815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850716/; classtype:trojan-activity;sid:84713816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850717/; classtype:trojan-activity;sid:84713817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"185.254.28.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850718/; classtype:trojan-activity;sid:84713818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850692/; classtype:trojan-activity;sid:84713792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; 
content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850693/; classtype:trojan-activity;sid:84713793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850694/; classtype:trojan-activity;sid:84713794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850695/; classtype:trojan-activity;sid:84713795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850696/; classtype:trojan-activity;sid:84713796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm6"; depth:15; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850697/; classtype:trojan-activity;sid:84713797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3850698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850698/; classtype:trojan-activity;sid:84713798; rev:1;)
# Several rules here match on hostnames under softether.net.
# NOTE(review): these look like SoftEther VPN dynamic-DNS names - confirm.
# The rules compare the HTTP Host value only (http.host), not the destination
# address, so a request that reaches the same server by IP address or under a
# different name is not matched by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850699/; classtype:trojan-activity;sid:84713799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850700/; classtype:trojan-activity;sid:84713800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pm68k"; depth:15; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850701/; classtype:trojan-activity;sid:84713801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm"; depth:14; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, 
urlhaus.abuse.ch/url/3850702/; classtype:trojan-activity;sid:84713802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850671/; classtype:trojan-activity;sid:84713771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.px86"; depth:14; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850672/; classtype:trojan-activity;sid:84713772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850673/; classtype:trojan-activity;sid:84713773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.x86_64"; depth:16; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850674/; classtype:trojan-activity;sid:84713774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmpsl"; 
depth:15; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850675/; classtype:trojan-activity;sid:84713775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850676/; classtype:trojan-activity;sid:84713776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850677/; classtype:trojan-activity;sid:84713777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850678/; classtype:trojan-activity;sid:84713778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.psh4"; depth:14; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850679/; classtype:trojan-activity;sid:84713779; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850680/; classtype:trojan-activity;sid:84713780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pspc"; depth:14; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850681/; classtype:trojan-activity;sid:84713781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850682/; classtype:trojan-activity;sid:84713782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850683/; classtype:trojan-activity;sid:84713783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_20; reference:url, urlhaus.abuse.ch/url/3850684/; classtype:trojan-activity;sid:84713784; rev:1;)
# How to read the rules in this stretch (they all share one template):
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with flow:established,from_client
#     inspects client requests leaving the monitored network. $HOME_NET / $EXTERNAL_NET
#     come from the sensor configuration, so coverage depends on those being set correctly.
#   - http.method content:"GET" limits the rule to GET requests.
#   - http.uri content with depth equal to the string length plus endswith pins the match
#     to both ends of the buffer: the URI must be exactly the listed path (nocase makes
#     the comparison case-insensitive).
#   - http.host content with depth equal to the string length plus isdataat:!1,relative
#     does the same for the host buffer: no byte may follow the listed name.
# A hit therefore means an internal client requested the exact URL tracked by the URLhaus
# entry in reference:url. These are HTTP application-layer rules; a download fetched over
# TLS is not visible to them unless traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850685/; classtype:trojan-activity;sid:84713785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm7"; depth:15; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850686/; classtype:trojan-activity;sid:84713786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850687/; classtype:trojan-activity;sid:84713787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850688/; classtype:trojan-activity;sid:84713788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm7"; depth:15; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850689/; classtype:trojan-activity;sid:84713789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850690/; classtype:trojan-activity;sid:84713790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850691/; classtype:trojan-activity;sid:84713791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm6"; depth:15; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850669/; classtype:trojan-activity;sid:84713769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850670/; classtype:trojan-activity;sid:84713770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm5"; depth:15; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850665/; classtype:trojan-activity;sid:84713765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850666/; classtype:trojan-activity;sid:84713766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850667/; classtype:trojan-activity;sid:84713767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850668/; classtype:trojan-activity;sid:84713768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850663/; classtype:trojan-activity;sid:84713763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm"; depth:14; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850664/; classtype:trojan-activity;sid:84713764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmips"; depth:15; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850646/; classtype:trojan-activity;sid:84713746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850647/; classtype:trojan-activity;sid:84713747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.x86_64"; depth:16; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850648/; classtype:trojan-activity;sid:84713748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850649/; classtype:trojan-activity;sid:84713749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850650/; classtype:trojan-activity;sid:84713750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850651/; classtype:trojan-activity;sid:84713751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850652/; classtype:trojan-activity;sid:84713752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmips"; depth:15; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850653/; classtype:trojan-activity;sid:84713753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm5"; depth:15; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850654/; classtype:trojan-activity;sid:84713754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmips"; depth:15; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850655/; classtype:trojan-activity;sid:84713755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850656/; classtype:trojan-activity;sid:84713756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850657/; classtype:trojan-activity;sid:84713757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm6"; depth:15; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850658/; classtype:trojan-activity;sid:84713758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.psh4"; depth:14; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850659/; classtype:trojan-activity;sid:84713759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850660/; classtype:trojan-activity;sid:84713760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.x86_64"; depth:16; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850661/; classtype:trojan-activity;sid:84713761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850662/; classtype:trojan-activity;sid:84713762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3850628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850628/; classtype:trojan-activity;sid:84713728; rev:1;)
# Triage note for the rules in this stretch:
#   - The number N in msg:"... (N)" is the same N as in reference:url,
#     urlhaus.abuse.ch/url/N/, so an alert can be traced to its URLhaus entry from the
#     message text alone. In every rule here sid equals N + 80863100 and rev is 1.
#   - Each rule matches one outbound GET for one exact path on one exact host name. The
#     alert shows that the request was sent; it does not show that a response was
#     delivered or that anything ran. Confirm with flow/file logs and on the endpoint.
#   - The same few host names recur with many paths, so when one rule fires it is worth
#     reviewing the client's other traffic to that host.
#   - Path suffixes such as arm5, mips, x86_64 look like CPU architecture names,
#     presumably one build per architecture -- verify against the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm6"; depth:15; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850629/; classtype:trojan-activity;sid:84713729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850630/; classtype:trojan-activity;sid:84713730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmpsl"; depth:15; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850631/; classtype:trojan-activity;sid:84713731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.px86"; depth:14; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850632/; classtype:trojan-activity;sid:84713732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850633/; classtype:trojan-activity;sid:84713733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850634/; classtype:trojan-activity;sid:84713734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pm68k"; depth:15; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850635/; classtype:trojan-activity;sid:84713735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850636/; classtype:trojan-activity;sid:84713736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmpsl"; depth:15; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850637/; classtype:trojan-activity;sid:84713737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850638/; classtype:trojan-activity;sid:84713738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850639/; classtype:trojan-activity;sid:84713739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850640/; classtype:trojan-activity;sid:84713740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850641/; classtype:trojan-activity;sid:84713741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850642/; classtype:trojan-activity;sid:84713742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850643/; classtype:trojan-activity;sid:84713743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.px86"; depth:14; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850644/; classtype:trojan-activity;sid:84713744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm7"; depth:15; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850645/; classtype:trojan-activity;sid:84713745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmpsl"; depth:15; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850627/; classtype:trojan-activity;sid:84713727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850618/; classtype:trojan-activity;sid:84713718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm5"; depth:15; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850619/; classtype:trojan-activity;sid:84713719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850620/; classtype:trojan-activity;sid:84713720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850621/; classtype:trojan-activity;sid:84713721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm"; depth:14; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850622/; classtype:trojan-activity;sid:84713722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850623/; classtype:trojan-activity;sid:84713723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850624/; classtype:trojan-activity;sid:84713724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850625/; classtype:trojan-activity;sid:84713725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.x86_64"; depth:16; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850626/; classtype:trojan-activity;sid:84713726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850594/; classtype:trojan-activity;sid:84713694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850595/; classtype:trojan-activity;sid:84713695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850596/; classtype:trojan-activity;sid:84713696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850597/; classtype:trojan-activity;sid:84713697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; 
http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850598/; classtype:trojan-activity;sid:84713698; rev:1;)
# The rules in this stretch are per-URL indicators, all stamped
# metadata:created_at 2026_05_20 and classtype:trojan-activity. Each one requires a GET
# from $HOME_NET to $EXTERNAL_NET whose URI buffer is exactly the listed path (depth equal
# to the string length, plus endswith; nocase) and whose host buffer is exactly the listed
# value (depth equal to the string length, plus isdataat:!1,relative). They are
# high-specificity, narrow-coverage signatures: a hit identifies a known URL, and silence
# says nothing about other URLs on the same infrastructure.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pspc"; depth:14; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850599/; classtype:trojan-activity;sid:84713699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm5"; depth:15; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850600/; classtype:trojan-activity;sid:84713700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850601/; classtype:trojan-activity;sid:84713701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850602/; classtype:trojan-activity;sid:84713702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850603/; classtype:trojan-activity;sid:84713703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pm68k"; depth:15; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850604/; classtype:trojan-activity;sid:84713704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850605/; classtype:trojan-activity;sid:84713705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850606/; classtype:trojan-activity;sid:84713706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmips"; depth:15; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850607/; classtype:trojan-activity;sid:84713707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pspc"; depth:14; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850608/; classtype:trojan-activity;sid:84713708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850609/; classtype:trojan-activity;sid:84713709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850610/; classtype:trojan-activity;sid:84713710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pspc"; depth:14; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850611/; classtype:trojan-activity;sid:84713711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.psh4"; depth:14; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850612/; classtype:trojan-activity;sid:84713712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850613/; classtype:trojan-activity;sid:84713713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850614/; classtype:trojan-activity;sid:84713714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850615/; classtype:trojan-activity;sid:84713715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pm68k"; depth:15; endswith; nocase; http.host; content:"vpn630921230.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850616/; classtype:trojan-activity;sid:84713716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.psh4"; depth:14; endswith; nocase; http.host; content:"vpn741123374.softether.net"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850617/; classtype:trojan-activity;sid:84713717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850589/; classtype:trojan-activity;sid:84713689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm"; depth:14; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850590/; classtype:trojan-activity;sid:84713690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.px86"; depth:14; endswith; nocase; http.host; content:"badoxa7777.lol"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850591/; classtype:trojan-activity;sid:84713691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850592/; classtype:trojan-activity;sid:84713692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"ns.barnamenevis.shop"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850593/; classtype:trojan-activity;sid:84713693; rev:1;)
# From here on the http.host value is an IPv4 literal rather than a DNS name, so there is
# no DNS lookup to correlate with; the flow's destination address is the natural pivot
# (presumably the same address as the host value -- confirm in the flow record).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.162.46.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850588/; classtype:trojan-activity;sid:84713688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850584/; classtype:trojan-activity;sid:84713684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850585/; classtype:trojan-activity;sid:84713685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850586/; classtype:trojan-activity;sid:84713686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850587/; classtype:trojan-activity;sid:84713687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.sparc"; depth:12; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850570/; classtype:trojan-activity;sid:84713670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850571/; classtype:trojan-activity;sid:84713671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.m68k"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850572/; classtype:trojan-activity;sid:84713672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3850573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.ppc"; depth:10; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850573/; classtype:trojan-activity;sid:84713673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.sh4"; depth:10; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850574/; classtype:trojan-activity;sid:84713674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.arm5"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850575/; classtype:trojan-activity;sid:84713675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.mpsl"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850576/; classtype:trojan-activity;sid:84713676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.arm4"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, 
urlhaus.abuse.ch/url/3850577/; classtype:trojan-activity;sid:84713677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.i586"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850578/; classtype:trojan-activity;sid:84713678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.x86"; depth:10; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850579/; classtype:trojan-activity;sid:84713679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.mips"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850580/; classtype:trojan-activity;sid:84713680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.arm6"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850581/; classtype:trojan-activity;sid:84713681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.i686"; depth:11; endswith; nocase; 
http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850582/; classtype:trojan-activity;sid:84713682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prism.arm7"; depth:11; endswith; nocase; http.host; content:"102.220.160.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850583/; classtype:trojan-activity;sid:84713683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.86.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850569/; classtype:trojan-activity;sid:84713669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.86.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850568/; classtype:trojan-activity;sid:84713668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.104.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850567/; classtype:trojan-activity;sid:84713667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850566)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.204.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850566/; classtype:trojan-activity;sid:84713666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.143.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850565/; classtype:trojan-activity;sid:84713665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b08c1ddb-f037-4878-a85f-e2ccd6a769e6/google.ct"; depth:47; endswith; nocase; http.host; content:"hppbtwyk.petal-growth-platform.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850564/; classtype:trojan-activity;sid:84713664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm/"; depth:5; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850562/; classtype:trojan-activity;sid:84713662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850563/; classtype:trojan-activity;sid:84713663; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/institute/cloudiyaf/index.php"; depth:30; endswith; nocase; http.host; content:"abimj.edu.af"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850561/; classtype:trojan-activity;sid:84713661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file123"; depth:8; endswith; nocase; http.host; content:"vantarat.st"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850560/; classtype:trojan-activity;sid:84713660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rem"; depth:4; endswith; nocase; http.host; content:"vantarat.st"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850559/; classtype:trojan-activity;sid:84713659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/gamble-rig/gambling-rig-1.21.x.jar"; depth:45; endswith; nocase; http.host; content:"donutsmpcheats.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850558/; classtype:trojan-activity;sid:84713658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/spawner-protect/spawnerprotect-1.21.11-n-15.jar"; depth:58; endswith; 
nocase; http.host; content:"donutsmpcheats.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850557/; classtype:trojan-activity;sid:84713657; rev:1;)
# NOTE(review): sid 84713656 below puts the literal "%20" in an http.uri match. http.uri is
# Suricata's normalized URI buffer; per the Suricata docs percent-escapes such as %20 are
# decoded there and http.uri.raw is the buffer for matching them literally, so this rule may
# never fire. depth:27 is also the escaped length (the decoded path is 25 bytes). Confirm
# against a capture of the request before relying on this sid.
# "alert http" only sees cleartext (or decrypted) HTTP; if this host is reached over HTTPS
# the download is invisible to this rule -- TODO confirm the scheme on the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/krypton%201.21.1.jar"; depth:27; endswith; nocase; http.host; content:"v0-krypton-client-clone.vercel.app"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850556/; classtype:trojan-activity;sid:84713656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/2026-05-20/5855cc12-9621-4b14-85ae-b935380953bb/ghhjgr.png"; depth:66; endswith; nocase; http.host; content:"d.tmpfile.link"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850554/; classtype:trojan-activity;sid:84713654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/glazed-addon/glazed-1.21.11-n-16.1.jar"; depth:49; endswith; nocase; http.host; content:"donutsmpcheats.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850555/; classtype:trojan-activity;sid:84713655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/bedrock-base-finder/bedrock-triangulator-1.0.0.jar"; depth:61; endswith; nocase; http.host; content:"donutsmpcheats.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_20; 
reference:url, urlhaus.abuse.ch/url/3850552/; classtype:trojan-activity;sid:84713652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/fakepay/fakepay-1.21.x.jar"; depth:37; endswith; nocase; http.host; content:"donutsmpcheats.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850553/; classtype:trojan-activity;sid:84713653; rev:1;)
# sid 84713651 below: the requested file name ends in ".pdf.bat", i.e. a batch script behind a
# document-looking name. The rule needs the exact path and the exact host "temp.sh", so other
# content on that host does not alert. On a hit, check the client for the downloaded file and
# for script execution (cmd.exe child processes) around the alert time.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vxrdg/banco_bpm_bonifico_bancario.pdf.bat"; depth:42; endswith; nocase; http.host; content:"temp.sh"; depth:7; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850551/; classtype:trojan-activity;sid:84713651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.127.232.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850550/; classtype:trojan-activity;sid:84713650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9cf24c3c-7f68-45b6-9cf8-a87013852c9c/google.ct"; depth:47; endswith; nocase; http.host; content:"qmzbbjle.microfloraresource.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850549/; classtype:trojan-activity;sid:84713649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850548)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.116.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850548/; classtype:trojan-activity;sid:84713648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.51.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850547/; classtype:trojan-activity;sid:84713647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.132.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850546/; classtype:trojan-activity;sid:84713646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.117.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850545/; classtype:trojan-activity;sid:84713645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cc331331-caae-4f0b-a600-0d2f7330553a/google.ct"; depth:47; endswith; nocase; http.host; content:"bcypppaq.asynchronous-growth-platform.garden"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850544/; 
classtype:trojan-activity;sid:84713644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.51.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850543/; classtype:trojan-activity;sid:84713643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850542/; classtype:trojan-activity;sid:84713642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.59.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850541/; classtype:trojan-activity;sid:84713641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.23.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850540/; classtype:trojan-activity;sid:84713640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.168.137.221"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850539/; classtype:trojan-activity;sid:84713639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.23.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850538/; classtype:trojan-activity;sid:84713638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.9.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850537/; classtype:trojan-activity;sid:84713637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.150.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850536/; classtype:trojan-activity;sid:84713636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.168.137.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850535/; classtype:trojan-activity;sid:84713635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850534)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/28f46d6a-3b00-4312-940b-c4e5ffabbfb4/google.ct"; depth:47; endswith; nocase; http.host; content:"kampoxks.bloommanagementengine.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850534/; classtype:trojan-activity;sid:84713634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.117.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850533/; classtype:trojan-activity;sid:84713633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.59.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850532/; classtype:trojan-activity;sid:84713632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.150.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850531/; classtype:trojan-activity;sid:84713631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850530/; classtype:trojan-activity;sid:84713630; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=ecacb7ad-6ce3-450b-9d6e-01207924dc78"; depth:47; endswith; nocase; http.host; content:"zeiqv2hk.subfossiloakchronology.digital"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850529/; classtype:trojan-activity;sid:84713629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.9.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850528/; classtype:trojan-activity;sid:84713628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35496a56-d84b-4eba-b61c-3e6370ecfc9c/google.ct"; depth:47; endswith; nocase; http.host; content:"containerized-plant-system.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850527/; classtype:trojan-activity;sid:84713627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.201.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850526/; classtype:trojan-activity;sid:84713626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.239.155.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850525/; classtype:trojan-activity;sid:84713625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.203.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850524/; classtype:trojan-activity;sid:84713624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850523/; classtype:trojan-activity;sid:84713623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.155.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850522/; classtype:trojan-activity;sid:84713622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cea1817-eb95-4ad9-a81a-8a1bdfcdd4c8/google.ct"; depth:47; endswith; nocase; http.host; content:"floraecosystemhub.garden"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850521/; classtype:trojan-activity;sid:84713621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850520)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850520/; classtype:trojan-activity;sid:84713620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850519/; classtype:trojan-activity;sid:84713619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850518/; classtype:trojan-activity;sid:84713618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.218.112.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850517/; classtype:trojan-activity;sid:84713617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850516/; classtype:trojan-activity;sid:84713616; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/64bf73d9-7ab9-4010-bd91-6139f28aabc6/google.ct"; depth:47; endswith; nocase; http.host; content:"meadow-processing-core.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850515/; classtype:trojan-activity;sid:84713615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850514/; classtype:trojan-activity;sid:84713614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.227.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850512/; classtype:trojan-activity;sid:84713612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shell.exe"; depth:10; endswith; nocase; http.host; content:"104.131.37.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850511/; classtype:trojan-activity;sid:84713611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.233.163"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850510/; classtype:trojan-activity;sid:84713610; rev:1;)
# How to read the rules in this feed: each one pairs an anchored http.uri match
# (depth + endswith) with an anchored http.host match (depth + isdataat:!1,relative),
# so it fires only on a GET for that path on that host. http.host is the normalized
# host without the port, so the port in use does not affect the match.
# NOTE(review): `alert http` inspects cleartext (or decrypted) HTTP only. If a listed
# host is served over HTTPS, these rules stay silent unless TLS is decrypted upstream;
# pair them with tls.sni / dns.query detection for the same host names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4975ab7-89d3-4a00-bdc9-d5e598e3f48b/google.ct"; depth:47; endswith; nocase; http.host; content:"irrigation-monitoring-framework.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850509/; classtype:trojan-activity;sid:84713609; rev:1;)
# NOTE(review): in the rule below the http.uri pattern decodes to 44 bytes ("|3f|" is
# the single byte "?"), but depth is 47, which is the length of the escaped notation.
# With endswith the URI may therefore carry up to 3 extra leading bytes and still
# match, so this is slightly looser than an exact-URI match. The same applies to the
# other "/|3f|ublib=" rules in this feed (sids 84713587, 84713548, 84713527).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=ae1817d4-6cd7-410f-bf4b-842f9dbd7110"; depth:47; endswith; nocase; http.host; content:"mnkggwzm.crispychickencutlets.digital"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850508/; classtype:trojan-activity;sid:84713608; rev:1;)
# The next two rules cover versioned .jar downloads from one host; each version is a
# separate exact-URI rule, so a new file name on the same host is not covered until
# the feed adds it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/radiumclient-1.21.10.jar"; depth:35; endswith; nocase; http.host; content:"radiumclient-com.lovable.app"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850507/; classtype:trojan-activity;sid:84713607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/radiumclient-1.21.1.jar"; depth:34; endswith; nocase; http.host; content:"radiumclient-com.lovable.app"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850506/; classtype:trojan-activity;sid:84713606; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.17.153.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850505/; classtype:trojan-activity;sid:84713605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cl-ncl-start"; depth:13; endswith; nocase; http.host; content:"193.143.1.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850504/; classtype:trojan-activity;sid:84713604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.230.22.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850503/; classtype:trojan-activity;sid:84713603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"fucktermedfir.st"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850500/; classtype:trojan-activity;sid:84713600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"fucktermedfir.st"; depth:16; 
isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850501/; classtype:trojan-activity;sid:84713601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"fucktermedfir.st"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850502/; classtype:trojan-activity;sid:84713602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/pjibf.exe"; depth:20; endswith; nocase; http.host; content:"fucktermedfir.st"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850496/; classtype:trojan-activity;sid:84713596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"fucktermedfir.st"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850497/; classtype:trojan-activity;sid:84713597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"fucktermedfir.st"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850498/; classtype:trojan-activity;sid:84713598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850499)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"fucktermedfir.st"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850499/; classtype:trojan-activity;sid:84713599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/radiumclient-1.21.11.jar"; depth:35; endswith; nocase; http.host; content:"radiumclient-com.lovable.app"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850495/; classtype:trojan-activity;sid:84713595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850494/; classtype:trojan-activity;sid:84713594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63278af0-e2f9-4658-9c35-b8228dd4c012/google.ct"; depth:47; endswith; nocase; http.host; content:"gardenprocessinghub.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850493/; classtype:trojan-activity;sid:84713593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.154.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; 
reference:url, urlhaus.abuse.ch/url/3850492/; classtype:trojan-activity;sid:84713592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.112.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850491/; classtype:trojan-activity;sid:84713591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.154.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850490/; classtype:trojan-activity;sid:84713590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.112.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850488/; classtype:trojan-activity;sid:84713588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e8f5075d-9f41-48bb-96d8-8056d4b53d9f/google.ct"; depth:47; endswith; nocase; http.host; content:"bloom-distribution-engine.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850489/; classtype:trojan-activity;sid:84713589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850487)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/|3f|ublib=f16cb78f-d6de-4a34-89b1-ab6feb3ae80a"; depth:47; endswith; nocase; http.host; content:"0gmqmb12.orbitaldockingmodule.digital"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850487/; classtype:trojan-activity;sid:84713587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.5.146"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850486/; classtype:trojan-activity;sid:84713586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.230.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850485/; classtype:trojan-activity;sid:84713585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4cb3dfe9-4e4e-45b2-9b7c-1a4584df16b7/google.ct"; depth:47; endswith; nocase; http.host; content:"ecosystemworkflow.garden"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850484/; classtype:trojan-activity;sid:84713584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3ce4a73-89b7-4aa4-9688-7c2a1ee21a71/google.ct"; depth:47; endswith; nocase; http.host; content:"containerized-growth-platform.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_20; 
reference:url, urlhaus.abuse.ch/url/3850483/; classtype:trojan-activity;sid:84713583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.5.146"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850482/; classtype:trojan-activity;sid:84713582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850481/; classtype:trojan-activity;sid:84713581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.157.47.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850480/; classtype:trojan-activity;sid:84713580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.235.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850479/; classtype:trojan-activity;sid:84713579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; 
content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850478/; classtype:trojan-activity;sid:84713578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850477/; classtype:trojan-activity;sid:84713577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7663be56-db0b-4116-9ee0-914b8298c559/google.ct"; depth:47; endswith; nocase; http.host; content:"floraresourcecenter.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850476/; classtype:trojan-activity;sid:84713576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"41.251.99.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850474/; classtype:trojan-activity;sid:84713574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.251.99.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850475/; classtype:trojan-activity;sid:84713575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3850473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.72.161.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850473/; classtype:trojan-activity;sid:84713573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850471/; classtype:trojan-activity;sid:84713571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.241.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850472/; classtype:trojan-activity;sid:84713572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.86.65.206"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850470/; classtype:trojan-activity;sid:84713570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/84ef3dfd-6b83-4b82-8547-71cd5dfc7e4c/google.ct"; depth:47; endswith; nocase; http.host; content:"meadow-observability-core.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850469/; 
classtype:trojan-activity;sid:84713569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56789023.exe"; depth:13; endswith; nocase; http.host; content:"kevtel.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850468/; classtype:trojan-activity;sid:84713568; rev:1;)
# NOTE(review): sid 84713566 below is unlikely to fire as written — verify with a
# pcap replay before relying on it.
#  - "|7c|26|7c|" decodes to the four literal bytes |26| (pipe, "2", "6", pipe), not
#    to "&" (0x26). This looks like a double-escaped ampersand from the feed
#    generator; a query string that separates parameters with "&" will not match.
#  - depth:94 equals the length of the escaped notation, not of the decoded pattern.
#  - The host is a shared file-hosting service normally reached over HTTPS, so an
#    `alert http` rule sees the request only where TLS is decrypted. The host name
#    alone is not an indicator; only the full URL is.
# Local edits to this file are lost on the next feed update; report the escaping
# upstream (contact in the file header) rather than patching the sid in place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|id=1gymmk_eycqzjgpmjewmpunafxwhkjlnw|7c|26|7c|export=download|7c|26|7c|authuser=0"; depth:94; endswith; nocase; http.host; content:"drive.usercontent.google.com"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850466/; classtype:trojan-activity;sid:84713566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flizzz.exe"; depth:11; endswith; nocase; http.host; content:"linkinglanguageliteracy.com"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850467/; classtype:trojan-activity;sid:84713567; rev:1;)
# Bare-IP hosts such as the one below may be reassigned over time; metadata:created_at
# gives the listing date to use when ageing out stale entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850465/; classtype:trojan-activity;sid:84713565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850464)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.160.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850464/; classtype:trojan-activity;sid:84713564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850463/; classtype:trojan-activity;sid:84713563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.50.148.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850462/; classtype:trojan-activity;sid:84713562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850461/; classtype:trojan-activity;sid:84713561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99f784de-bd42-4afc-aef6-7881bdf3b17d/google.ct"; depth:47; endswith; nocase; http.host; content:"meadow-observability-core.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850460/; classtype:trojan-activity;sid:84713560; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.218.58.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850459/; classtype:trojan-activity;sid:84713559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.236.65.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850458/; classtype:trojan-activity;sid:84713558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.28.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850457/; classtype:trojan-activity;sid:84713557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.218.58.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850456/; classtype:trojan-activity;sid:84713556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86_64"; depth:23; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, 
urlhaus.abuse.ch/url/3850455/; classtype:trojan-activity;sid:84713555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.x86"; depth:20; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850454/; classtype:trojan-activity;sid:84713554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.spc_32"; depth:22; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850451/; classtype:trojan-activity;sid:84713551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sparc"; depth:22; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850452/; classtype:trojan-activity;sid:84713552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips64"; depth:23; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850453/; classtype:trojan-activity;sid:84713553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850450)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/d51d997c-ac95-43e6-b436-c2c24e946c31/google.ct"; depth:47; endswith; nocase; http.host; content:"meadow-observability-core.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850450/; classtype:trojan-activity;sid:84713550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.82.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850449/; classtype:trojan-activity;sid:84713549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=1e984110-40dc-455d-90fe-c04a932871a9"; depth:47; endswith; nocase; http.host; content:"vt40b8nw.badabingsopranoslounge.digital"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850448/; classtype:trojan-activity;sid:84713548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.166.21.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850447/; classtype:trojan-activity;sid:84713547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aec518d1-92cf-4177-93a0-8228b8eef37a/google.ct"; depth:47; endswith; nocase; http.host; content:"meadow-observability-core.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; 
reference:url, urlhaus.abuse.ch/url/3850446/; classtype:trojan-activity;sid:84713546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.sh"; depth:5; endswith; nocase; http.host; content:"194.58.47.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850445/; classtype:trojan-activity;sid:84713545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.0.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850444/; classtype:trojan-activity;sid:84713544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.0.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850443/; classtype:trojan-activity;sid:84713543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.82.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850442/; classtype:trojan-activity;sid:84713542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"175.166.21.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850441/; classtype:trojan-activity;sid:84713541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.205.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850440/; classtype:trojan-activity;sid:84713540; rev:1;)
# The "/<uuid>/google.ct" rules pin one UUID path per rule (47 bytes, matching
# depth:47). A different UUID on the same host is not covered by that rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9ff95e8f-34a8-4304-a526-fbdb2e2f349d/google.ct"; depth:47; endswith; nocase; http.host; content:"federatedplantmesh.garden"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850439/; classtype:trojan-activity;sid:84713539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.16.159.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850438/; classtype:trojan-activity;sid:84713538; rev:1;)
# NOTE(review): the file names in sid 84713537 below and in sid 84713536 (the rule
# that follows it, same host) resemble remote-support client installers — inferred
# from the URI only; confirm against the URLhaus entry. If so, triage a hit as a
# possible unauthorized remote-access tool install: check the endpoint for a newly
# installed remote-support service and its outbound sessions, not just the download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"31.42.176.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850437/; classtype:trojan-activity;sid:84713537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3850436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"31.42.176.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850436/; classtype:trojan-activity;sid:84713536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.160.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850435/; classtype:trojan-activity;sid:84713535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.12.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850434/; classtype:trojan-activity;sid:84713534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850433/; classtype:trojan-activity;sid:84713533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.112.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850432/; 
classtype:trojan-activity;sid:84713532; rev:1;)
# Each rule below alerts on an established, client-to-server HTTP request from
# $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose http.uri
# ends with the listed path (nocase) and whose http.host is exactly the listed
# host (depth equal to the host length, plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.231.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850431/; classtype:trojan-activity;sid:84713531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/49bdcbe2-cb1a-42f8-ad94-8956a05dac1c/google.ct"; depth:47; endswith; nocase; http.host; content:"irrigation-control-framework.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850430/; classtype:trojan-activity;sid:84713530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.242.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850429/; classtype:trojan-activity;sid:84713529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850428/; classtype:trojan-activity;sid:84713528; rev:1;)
# NOTE(review): "|3f|" is a single byte ('?'), so the http.uri pattern in the
# next rule is 44 bytes, while depth:47 is the length of the escaped text.
# Together with endswith this accepts URIs up to 3 bytes longer than the listed
# one instead of only the exact URI; the exact http.host match still applies.
# Worth reporting to the feed maintainer rather than patching locally, since the
# sid and rev are managed upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=14878b21-a9ff-45c7-8d6f-bd6889c267c0"; depth:47; endswith; nocase; http.host; content:"jfmz4630.badabingsopranoslounge.digital"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850427/; classtype:trojan-activity;sid:84713527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.231.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850426/; classtype:trojan-activity;sid:84713526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/474a6131-4608-4b21-95b8-4f47dd2a8766/google.ct"; depth:47; endswith; nocase; http.host; content:"botanicalprocessing.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850425/; classtype:trojan-activity;sid:84713525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.88.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850424/; classtype:trojan-activity;sid:84713524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.242.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850423/; classtype:trojan-activity;sid:84713523; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850422/; classtype:trojan-activity;sid:84713522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.13.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850421/; classtype:trojan-activity;sid:84713521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.233.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850420/; classtype:trojan-activity;sid:84713520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.164.238.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850419/; classtype:trojan-activity;sid:84713519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/700d8643-1d61-41c4-a317-82e8142078fc/google.ct"; depth:47; endswith; nocase; http.host; content:"wildfloraanalyticshub.garden"; depth:28; isdataat:!1,relative; metadata:created_at 
2026_05_20; reference:url, urlhaus.abuse.ch/url/3850418/; classtype:trojan-activity;sid:84713518; rev:1;)
# Each rule below alerts on an established, client-to-server HTTP request from
# $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose http.uri
# ends with the listed path (nocase) and whose http.host is exactly the listed
# host (depth equal to the host length, plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.13.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850417/; classtype:trojan-activity;sid:84713517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.110.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850416/; classtype:trojan-activity;sid:84713516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11625f76-9a47-4089-9e67-83f2f6988547/google.ct"; depth:47; endswith; nocase; http.host; content:"petal-resource-engine.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850415/; classtype:trojan-activity;sid:84713515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.46.247"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850414/; classtype:trojan-activity;sid:84713514; rev:1;)
# NOTE(review): in the http.uri pattern of the next rule, "|7c|26|7c|" decodes
# to the four bytes |26| (0x7c, '2', '6', 0x7c), not to 0x26 ('&'). Presumably
# the listed URL separates its query parameters with '&' and the pipes of an
# intended "|26|" were escaped a second time - confirm against the URLhaus
# entry. If so, this content cannot match the real request and sid 84713513
# stays silent. depth:125 is likewise the length of the escaped text, not of the
# decoded bytes.
# NOTE(review): an alert http rule only sees cleartext (or decrypted) HTTP; a
# fetch from this host over TLS never populates http.uri/http.host - TODO
# confirm the scheme of the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/xezuj597y3oyca0pnrsji/re00390380-r-rechnung.vbs|3f|rlkey=o6pkuexjduv15f66uvb6s0fgy|7c|26|7c|st=8h5bbaca|7c|26|7c|dl=1"; depth:125; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850413/; classtype:trojan-activity;sid:84713513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_20ba2fb181155ace.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850412/; classtype:trojan-activity;sid:84713512; rev:1;)
# NOTE(review): the next rule names a shared file-hosting domain, so the long
# http.uri is the discriminating part. It fires only when the request is visible
# to the sensor as HTTP; a download over TLS is not inspected unless traffic is
# decrypted before it reaches the sensor - TODO confirm the URL scheme.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6tfy2o2cjurgavza-xwtyvj0orceeszwftz6e0jjpn5yzxrjfwr-2epbvvqh_hdlzgvh1jxpldlz06dxnyqqew7wx0thbvfi_0cl2oguhfdhwzmuidwfduyyn61jo8n_esvks3ugf688rbj9vco8mhrzyio1jjvot3f4ccb2ic8/7tcz0vplf5n54j5/d27a336f89e3b8d.exe"; depth:208; endswith; nocase; http.host; content:"download1077.mediafire.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850411/; classtype:trojan-activity;sid:84713511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wawan.sh"; depth:9; endswith; nocase; http.host; content:"103.226.139.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850409/; classtype:trojan-activity;sid:84713509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850410)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cuacir8tczuggmu3tgzf2dsgwxlwjmk2syoiriukiuocxk5biuyaiuoe5vqmq_cplhug6r6y3wkktzfirao6gfy1tvhh-hiagru5et1csqje_ulvb-q6f2c8rwwm0kp7cvvei5n1ob_pbwzvidilf7cdh0wdbbypvaqbtlbrowe/1xr2em95kdk08nd/4f6f7sdf6sadf85g6l645.exe"; depth:214; endswith; nocase; http.host; content:"download853.mediafire.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850410/; classtype:trojan-activity;sid:84713510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; endswith; nocase; http.host; content:"wincheck.ink"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850406/; classtype:trojan-activity;sid:84713506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_c1bc56d31b414ab6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850399/; classtype:trojan-activity;sid:84713499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_f714c0717cb513c6.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850400/; classtype:trojan-activity;sid:84713500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850401)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_15d73c4c43421b6f.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850401/; classtype:trojan-activity;sid:84713501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_6aac4d0cfeeb3840.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850402/; classtype:trojan-activity;sid:84713502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5ab3abbbdad65db3.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850403/; classtype:trojan-activity;sid:84713503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_05143eba35be17e1.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850404/; classtype:trojan-activity;sid:84713504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_fb6cf2b6355e56d8.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850405/; classtype:trojan-activity;sid:84713505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850398/; classtype:trojan-activity;sid:84713498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.218.157.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850397/; classtype:trojan-activity;sid:84713497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98c54476-c660-4cde-8092-13f3f903c8a1/google.ct"; depth:47; endswith; nocase; http.host; content:"baking-stone-thermal-mass.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850396/; classtype:trojan-activity;sid:84713496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.56.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850395/; classtype:trojan-activity;sid:84713495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850394)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.46.247"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850394/; classtype:trojan-activity;sid:84713494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.56.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850393/; classtype:trojan-activity;sid:84713493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.58.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850392/; classtype:trojan-activity;sid:84713492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.129.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850391/; classtype:trojan-activity;sid:84713491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.252.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850390/; classtype:trojan-activity;sid:84713490; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.129.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850389/; classtype:trojan-activity;sid:84713489; rev:1;)
# Each rule below alerts on an established, client-to-server HTTP request from
# $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose http.uri
# ends with the listed path (nocase) and whose http.host is exactly the listed
# host (depth equal to the host length, plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.218.157.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850388/; classtype:trojan-activity;sid:84713488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/74e5c988-4e1e-4b99-a3ad-2738f83a9000/google.ct"; depth:47; endswith; nocase; http.host; content:"baking-stone-thermal-mass.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850387/; classtype:trojan-activity;sid:84713487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850386/; classtype:trojan-activity;sid:84713486; rev:1;)
# NOTE(review): "|3f|" is a single byte ('?'), so the http.uri pattern in the
# next rule is 44 bytes, while depth:47 is the length of the escaped text.
# Together with endswith this accepts URIs up to 3 bytes longer than the listed
# one instead of only the exact URI; the exact http.host match still applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=2897a368-da61-44b7-a104-12985a052ff6"; depth:47; endswith; nocase; http.host; content:"0zfu07h8.audioattenuatorschematic.digital"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850385/; classtype:trojan-activity;sid:84713485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850384/; classtype:trojan-activity;sid:84713484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850383/; classtype:trojan-activity;sid:84713483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.188.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850382/; classtype:trojan-activity;sid:84713482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4f8006b4-9542-4bdc-8297-abe7ef4b020c/google.ct"; depth:47; endswith; nocase; http.host; content:"vintage-telemetry-receiver.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850381/; classtype:trojan-activity;sid:84713481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3850380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.76.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850380/; classtype:trojan-activity;sid:84713480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.80.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850379/; classtype:trojan-activity;sid:84713479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.90.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850378/; classtype:trojan-activity;sid:84713478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.237.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850377/; classtype:trojan-activity;sid:84713477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.188.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850376/; classtype:trojan-activity;sid:84713476; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63a3eb75-655e-4bd5-b489-0bce29e4001b/google.ct"; depth:47; endswith; nocase; http.host; content:"isochronous-cyclotron-beam.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850375/; classtype:trojan-activity;sid:84713475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.94.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850374/; classtype:trojan-activity;sid:84713474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.237.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850373/; classtype:trojan-activity;sid:84713473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_6845ec29f4c651aa.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850372/; classtype:trojan-activity;sid:84713472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d03d4a3-6824-460a-9c44-afc850e7cb27/google.ct"; 
depth:47; endswith; nocase; http.host; content:"gothic-vault-engineering.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850371/; classtype:trojan-activity;sid:84713471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.79.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850370/; classtype:trojan-activity;sid:84713470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.25.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850369/; classtype:trojan-activity;sid:84713469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.80.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850368/; classtype:trojan-activity;sid:84713468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.2.25"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850367/; classtype:trojan-activity;sid:84713467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850366)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.94.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850366/; classtype:trojan-activity;sid:84713466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.187.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850365/; classtype:trojan-activity;sid:84713465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.38.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850364/; classtype:trojan-activity;sid:84713464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.248.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850363/; classtype:trojan-activity;sid:84713463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.10.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850362/; classtype:trojan-activity;sid:84713462; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f600ff02-9b3d-437d-9f2d-da6a8bce13f0/google.ct"; depth:47; endswith; nocase; http.host; content:"submerged-continental-shelf.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850361/; classtype:trojan-activity;sid:84713461; rev:1;)
# URLhaus download-URL indicators, restored to one signature per line
# (Suricata reads a rule from a single line unless it is backslash-continued).
# How to read each rule:
#   flow:established,from_client; http.method "GET"     - client request on an established flow, GET only
#   http.uri content + depth:<n>; endswith; nocase       - case-insensitive pattern pinned to the end of the URI buffer;
#                                                          a depth equal to the pattern length also pins it to the start
#   http.host content + depth:<n>; isdataat:!1,relative  - pattern at the start of the host buffer with no byte after it
#   The number in msg/reference is the URLhaus entry id; in every rule shown, sid = that id + 80863100.
# Coverage: these are exact host+path indicators on cleartext HTTP from $HOME_NET to $EXTERNAL_NET; other paths
# on the same host, and TLS traffic that is not decrypted for the sensor, are outside what they inspect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.25.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850360/; classtype:trojan-activity;sid:84713460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.148.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850359/; classtype:trojan-activity;sid:84713459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.158.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850358/; classtype:trojan-activity;sid:84713458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.249.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850357/; classtype:trojan-activity;sid:84713457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massload"; depth:9; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850356/; classtype:trojan-activity;sid:84713456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.198.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850355/; classtype:trojan-activity;sid:84713455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850354/; classtype:trojan-activity;sid:84713454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.187.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850353/; classtype:trojan-activity;sid:84713453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.38.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850352/; classtype:trojan-activity;sid:84713452; rev:1;)
# NOTE(review): "|3f|" is the hex escape for "?", so the decoded URI pattern below is 44 bytes, but depth is 47
# (the escape appears to have been counted as four characters). endswith still pins the end of the match; the
# start may float by up to 3 bytes. The listed URL still matches; worth reporting upstream rather than editing
# a feed rule locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=2c9d995e-85a4-44f3-baec-5441728bed5a"; depth:47; endswith; nocase; http.host; content:"mlye7rvg.siciliandefensetheory.digital"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850351/; classtype:trojan-activity;sid:84713451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.223.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850350/; classtype:trojan-activity;sid:84713450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850349/; classtype:trojan-activity;sid:84713449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850348/; classtype:trojan-activity;sid:84713448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3b7b39c0-4e1e-4b6a-9ae9-5d347f3b7284/google.ct"; depth:47; endswith; nocase; http.host; content:"maglev-propulsion-system.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850347/; classtype:trojan-activity;sid:84713447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850345/; classtype:trojan-activity;sid:84713445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850346/; classtype:trojan-activity;sid:84713446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850344/; classtype:trojan-activity;sid:84713444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850342/; classtype:trojan-activity;sid:84713442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.181.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850343/; classtype:trojan-activity;sid:84713443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.158.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850341/; classtype:trojan-activity;sid:84713441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.223.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850340/; classtype:trojan-activity;sid:84713440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.122.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850339/; classtype:trojan-activity;sid:84713439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.193.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850338/; classtype:trojan-activity;sid:84713438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.41.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850337/; classtype:trojan-activity;sid:84713437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.182.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850336/; classtype:trojan-activity;sid:84713436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9d13b8a7-6c7c-4ad5-bdd9-157c98a2bcba/google.ct"; depth:47; endswith; nocase; http.host; content:"carbon-dating-calibration.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850335/; classtype:trojan-activity;sid:84713435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850334/; classtype:trojan-activity;sid:84713434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.221.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850333/; classtype:trojan-activity;sid:84713433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.140.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850332/; classtype:trojan-activity;sid:84713432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850331/; classtype:trojan-activity;sid:84713431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.41.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850330/; classtype:trojan-activity;sid:84713430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.193.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850329/; classtype:trojan-activity;sid:84713429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/85862810-59b2-426d-99ea-5d33e1bd88a9/google.ct"; depth:47; endswith; nocase; http.host; content:"geostationary-orbit-altitude.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850328/; classtype:trojan-activity;sid:84713428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850327/; classtype:trojan-activity;sid:84713427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.140.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850326/; classtype:trojan-activity;sid:84713426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.213.192"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850325/; classtype:trojan-activity;sid:84713425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850324/; classtype:trojan-activity;sid:84713424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1e66f220-cbad-47c5-9641-d5ab0bc5815c/google.ct"; depth:47; endswith; nocase; http.host; content:"byzantine-mosaic-restoration.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850323/; classtype:trojan-activity;sid:84713423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850322/; classtype:trojan-activity;sid:84713422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.254.192.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850321/; classtype:trojan-activity;sid:84713421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.91.141.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850320/; classtype:trojan-activity;sid:84713420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.199.194.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850319/; classtype:trojan-activity;sid:84713419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb3bee94-2817-46e3-b438-f2740a893218/google.ct"; depth:47; endswith; nocase; http.host; content:"hydraulic-actuator-valve.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850318/; classtype:trojan-activity;sid:84713418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850317/; classtype:trojan-activity;sid:84713417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e3cdfcb8-3c65-4ddc-92b2-f360d38a352d/google.ct"; depth:47; endswith; nocase; http.host; content:"weyland-yutani-corporate-file.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850316/; classtype:trojan-activity;sid:84713416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.137.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850315/; classtype:trojan-activity;sid:84713415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.199.194.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850314/; classtype:trojan-activity;sid:84713414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.32.92"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850313/; classtype:trojan-activity;sid:84713413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.112.123"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850312/; classtype:trojan-activity;sid:84713412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850311/; classtype:trojan-activity;sid:84713411; rev:1;)
# Root-path entry: the URI pattern is just "/", so the rule fires on a GET for the root of this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850310/; classtype:trojan-activity;sid:84713410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.spc"; depth:9; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850309/; classtype:trojan-activity;sid:84713409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm5"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850308/; classtype:trojan-activity;sid:84713408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm6"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850307/; classtype:trojan-activity;sid:84713407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.ppc"; depth:9; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850302/; classtype:trojan-activity;sid:84713402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.i686"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850303/; classtype:trojan-activity;sid:84713403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.mpsl"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850304/; classtype:trojan-activity;sid:84713404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/ppc"; depth:9; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850305/; classtype:trojan-activity;sid:84713405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm4"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850306/; classtype:trojan-activity;sid:84713406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/sparc"; depth:11; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850293/; classtype:trojan-activity;sid:84713393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.mips"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850294/; classtype:trojan-activity;sid:84713394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/arm6"; depth:10; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850295/; classtype:trojan-activity;sid:84713395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.arm7"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850296/; classtype:trojan-activity;sid:84713396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/sh4"; depth:9; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850297/; classtype:trojan-activity;sid:84713397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/m68k"; depth:10; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850298/; classtype:trojan-activity;sid:84713398; rev:1;)
# URLhaus download-URL indicators, laid out one signature per line
# (Suricata reads a rule from a single line unless it is backslash-continued).
# Each rule alerts on an HTTP GET from $HOME_NET to $EXTERNAL_NET whose URI buffer matches the http.uri pattern
# end to end (depth + endswith, nocase) and whose host buffer matches the http.host pattern end to end
# (depth + isdataat:!1,relative). reference:url points at the URLhaus entry to open during triage.
# NOTE(review): most hosts below are IP literals and the paths are short ("/i", "/bin.sh", "/<n>/a"); presumably
# such entries age quickly, so metadata:created_at is the field to key on when pruning or down-ranking old
# rules - confirm against the feed's own retention policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.i486"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850299/; classtype:trojan-activity;sid:84713399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.m68k"; depth:10; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850300/; classtype:trojan-activity;sid:84713400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.sh4"; depth:9; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850301/; classtype:trojan-activity;sid:84713401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.85.68.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_20; reference:url, urlhaus.abuse.ch/url/3850292/; classtype:trojan-activity;sid:84713392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/22a7ddea-a9f9-4d06-9bbe-488986abfa5d/google.ct"; depth:47; endswith; nocase; http.host; content:"vacuum-tube-amplifier.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850291/; classtype:trojan-activity;sid:84713391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.126.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850290/; classtype:trojan-activity;sid:84713390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.85.68.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850289/; classtype:trojan-activity;sid:84713389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wife.x86"; depth:9; endswith; nocase; http.host; content:"31.56.209.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850288/; classtype:trojan-activity;sid:84713388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dcddbe35-9f45-4b34-a208-ed88ac5363a5/google.ct"; depth:47; endswith; nocase; http.host; content:"perfect-bolognese-simmer.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850287/; classtype:trojan-activity;sid:84713387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.219.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850286/; classtype:trojan-activity;sid:84713386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.180.232.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850285/; classtype:trojan-activity;sid:84713385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/rozizkz.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850284/; classtype:trojan-activity;sid:84713384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.219.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850283/; classtype:trojan-activity;sid:84713383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.189.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850282/; classtype:trojan-activity;sid:84713382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/68eddc74-bc47-4ee9-bcf6-067bc79f85cc/google.ct"; depth:47; endswith; nocase; http.host; content:"abyssal-plain-topography.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850281/; classtype:trojan-activity;sid:84713381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.242.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850280/; classtype:trojan-activity;sid:84713380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.191.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850278/; classtype:trojan-activity;sid:84713378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.180.232.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850279/; classtype:trojan-activity;sid:84713379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11/a"; depth:5; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850277/; classtype:trojan-activity;sid:84713377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12/a"; depth:5; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850276/; classtype:trojan-activity;sid:84713376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.242.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850275/; classtype:trojan-activity;sid:84713375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.19.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850274/; classtype:trojan-activity;sid:84713374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.170.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850273/; classtype:trojan-activity;sid:84713373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850271/; classtype:trojan-activity;sid:84713371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850272/; classtype:trojan-activity;sid:84713372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850269/; classtype:trojan-activity;sid:84713369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850270/; classtype:trojan-activity;sid:84713370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.116.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850268/; classtype:trojan-activity;sid:84713368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850266/; classtype:trojan-activity;sid:84713366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850267/; classtype:trojan-activity;sid:84713367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.205.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850265/; classtype:trojan-activity;sid:84713365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850264/; classtype:trojan-activity;sid:84713364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10/a"; depth:5; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850262/; classtype:trojan-activity;sid:84713362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3850263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850263/; classtype:trojan-activity;sid:84713363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850261/; classtype:trojan-activity;sid:84713361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/a"; depth:4; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850260/; classtype:trojan-activity;sid:84713360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.88.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850259/; classtype:trojan-activity;sid:84713359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.60.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850258/; classtype:trojan-activity;sid:84713358; 
rev:1;)
# How the rules in this feed match (same template for every entry):
#   - "alert" only raises an event; nothing here blocks the request.
#   - $HOME_NET -> $EXTERNAL_NET with flow:established,from_client limits the
#     match to client requests leaving the monitored network, so coverage
#     depends on HOME_NET being defined correctly on the sensor.
#   - http.uri: the content length equals depth and endswith pins the end of
#     the buffer, so the normalized URI must be exactly the listed string
#     (case-insensitive because of nocase). http.uri includes the query
#     string, so a request for the same path with a query string appended is
#     outside the rule's coverage.
#   - http.host: depth equals the content length and isdataat:!1,relative
#     requires that no byte follows, so the host must equal the listed value.
#   - "alert http" inspects parsed HTTP only; the same URL fetched over TLS is
#     not visible to these rules unless traffic is decrypted before the sensor.
# A hit is a precise indicator match; absence of hits is not evidence that a
# host never contacted the server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.90.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850257/; classtype:trojan-activity;sid:84713357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.19.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850256/; classtype:trojan-activity;sid:84713356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.3.245"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850255/; classtype:trojan-activity;sid:84713355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.131.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850254/; classtype:trojan-activity;sid:84713354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.248.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3850253/; classtype:trojan-activity;sid:84713353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850252/; classtype:trojan-activity;sid:84713352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.156.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850251/; classtype:trojan-activity;sid:84713351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.117.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850250/; classtype:trojan-activity;sid:84713350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850249/; classtype:trojan-activity;sid:84713349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.235.52"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850248/; classtype:trojan-activity;sid:84713348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.227.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850247/; classtype:trojan-activity;sid:84713347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850246/; classtype:trojan-activity;sid:84713346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.37.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850245/; classtype:trojan-activity;sid:84713345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850244/; classtype:trojan-activity;sid:84713344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850243)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"39.73.17.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850243/; classtype:trojan-activity;sid:84713343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.156.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850242/; classtype:trojan-activity;sid:84713342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850241/; classtype:trojan-activity;sid:84713341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850240/; classtype:trojan-activity;sid:84713340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.106.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850239/; classtype:trojan-activity;sid:84713339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850238)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.124.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850238/; classtype:trojan-activity;sid:84713338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850236/; classtype:trojan-activity;sid:84713336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.28.223"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850237/; classtype:trojan-activity;sid:84713337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.225.163.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850235/; classtype:trojan-activity;sid:84713335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"93.115.172.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850230/; classtype:trojan-activity;sid:84713330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3850231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"93.115.172.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850231/; classtype:trojan-activity;sid:84713331; rev:1;)
# The rules below all pin http.host to 93.115.172.57 and differ only in the
# exact URI, so one server contributes several sids. When triaging, group
# alerts by destination host rather than by sid: hits on different sids from
# the same internal client describe one contact with the same server.
# The msg text is identical across the feed apart from the URLhaus id in
# parentheses; use that id (or the reference URL) to look up the entry.
# NOTE(review): the action is "alert" on every rule; if the sensor runs
# inline and blocking is wanted, that is a local policy decision to make
# when loading the feed, not something the feed itself provides.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boss.exe"; depth:9; endswith; nocase; http.host; content:"93.115.172.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850232/; classtype:trojan-activity;sid:84713332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.exe"; depth:9; endswith; nocase; http.host; content:"93.115.172.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850233/; classtype:trojan-activity;sid:84713333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build_protected.exe"; depth:20; endswith; nocase; http.host; content:"93.115.172.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850234/; classtype:trojan-activity;sid:84713334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verification.vrf"; depth:17; endswith; nocase; http.host; content:"93.115.172.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3850229/; classtype:trojan-activity;sid:84713329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.tst"; depth:9; endswith; nocase; http.host; content:"93.115.172.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850228/; classtype:trojan-activity;sid:84713328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.57.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850227/; classtype:trojan-activity;sid:84713327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.57.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850226/; classtype:trojan-activity;sid:84713326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teste.exe"; depth:10; endswith; nocase; http.host; content:"176.65.149.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850224/; classtype:trojan-activity;sid:84713324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.11.175"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850223/; classtype:trojan-activity;sid:84713323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaws.exe"; depth:11; endswith; nocase; http.host; content:"176.65.149.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850222/; classtype:trojan-activity;sid:84713322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bps.exe"; depth:8; endswith; nocase; http.host; content:"176.65.149.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850221/; classtype:trojan-activity;sid:84713321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chrome_decrypt.dll"; depth:19; endswith; nocase; http.host; content:"176.65.149.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850220/; classtype:trojan-activity;sid:84713320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.146.92.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850219/; classtype:trojan-activity;sid:84713319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850218)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.28.223"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850218/; classtype:trojan-activity;sid:84713318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.113.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850217/; classtype:trojan-activity;sid:84713317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.225.163.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850216/; classtype:trojan-activity;sid:84713316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.209.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850215/; classtype:trojan-activity;sid:84713315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.103.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850214/; classtype:trojan-activity;sid:84713314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3850213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.29.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850213/; classtype:trojan-activity;sid:84713313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.218.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850212/; classtype:trojan-activity;sid:84713312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850203/; classtype:trojan-activity;sid:84713303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850204/; classtype:trojan-activity;sid:84713304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850205/; classtype:trojan-activity;sid:84713305; 
rev:1;)
# The URIs in the rules below ("/mpsl", "/arm5", "/x86_64", "/ppc", "/mips")
# are short and not distinctive on their own; what makes each rule specific
# is the exact http.host match on 102.220.160.47. Do not loosen or drop the
# host condition when adapting these rules locally, or they will match
# unrelated servers that happen to serve a path with the same name.
# The indicator is a literal IP address, so its value depends on that address
# still serving the reported content. metadata:created_at records only when
# the entry was added (2026_05_19 here).
# NOTE(review): confirm how often the sensor re-downloads this feed and
# whether stale entries are dropped upstream; the page does not say.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850206/; classtype:trojan-activity;sid:84713306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850207/; classtype:trojan-activity;sid:84713307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850208/; classtype:trojan-activity;sid:84713308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850209/; classtype:trojan-activity;sid:84713309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; 
reference:url, urlhaus.abuse.ch/url/3850210/; classtype:trojan-activity;sid:84713310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850211/; classtype:trojan-activity;sid:84713311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"102.220.160.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850202/; classtype:trojan-activity;sid:84713302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/arm7"; depth:10; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850200/; classtype:trojan-activity;sid:84713300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink.sh"; depth:10; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850201/; classtype:trojan-activity;sid:84713301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/arm"; depth:9; endswith; nocase; http.host; 
content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850197/; classtype:trojan-activity;sid:84713297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/mpsl"; depth:10; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850198/; classtype:trojan-activity;sid:84713298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/mips"; depth:10; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850199/; classtype:trojan-activity;sid:84713299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/x86"; depth:9; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850195/; classtype:trojan-activity;sid:84713295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meow/arm5"; depth:10; endswith; nocase; http.host; content:"92.42.100.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850196/; classtype:trojan-activity;sid:84713296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850194)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850194/; classtype:trojan-activity;sid:84713294; rev:1;)
# NOTE(review): the next two rules (sid 84713293 and sid 84713292) have
# identical match conditions: same method, same exact URI "/val-vip.exe",
# same exact host 176.65.139.194. They differ only in the URLhaus id in msg,
# the reference URL and the sid, so a single matching request raises two
# alerts. Presumably the two URLhaus entries differ in a part of the URL
# these rules do not match on (for example scheme or port) - confirm against
# the referenced entries. For alert handling, count them as one event per
# request (deduplicate on host + URI) or suppress one of the two sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/val-vip.exe"; depth:12; endswith; nocase; http.host; content:"176.65.139.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850193/; classtype:trojan-activity;sid:84713293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/val-vip.exe"; depth:12; endswith; nocase; http.host; content:"176.65.139.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850192/; classtype:trojan-activity;sid:84713292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.11.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850191/; classtype:trojan-activity;sid:84713291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm"; depth:20; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850169/; classtype:trojan-activity;sid:84713269; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm5"; depth:21; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850170/; classtype:trojan-activity;sid:84713270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.ppc_32"; depth:22; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850171/; classtype:trojan-activity;sid:84713271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.armv4_32"; depth:24; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850172/; classtype:trojan-activity;sid:84713272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mpsl"; depth:21; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850173/; classtype:trojan-activity;sid:84713273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.arm5_32"; depth:23; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850174/; classtype:trojan-activity;sid:84713274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm7"; depth:21; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850175/; classtype:trojan-activity;sid:84713275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.spc"; depth:20; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850176/; classtype:trojan-activity;sid:84713276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.sh4"; depth:20; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850177/; classtype:trojan-activity;sid:84713277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arc"; depth:20; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850178/; classtype:trojan-activity;sid:84713278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850179)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.arm6"; depth:21; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850179/; classtype:trojan-activity;sid:84713279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.m68k"; depth:21; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850180/; classtype:trojan-activity;sid:84713280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.ppc"; depth:20; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850181/; classtype:trojan-activity;sid:84713281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.m68k"; depth:20; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850182/; classtype:trojan-activity;sid:84713282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.mips"; depth:21; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850183/; 
classtype:trojan-activity;sid:84713283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/space.i686"; depth:21; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850184/; classtype:trojan-activity;sid:84713284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.arm7_32"; depth:23; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850185/; classtype:trojan-activity;sid:84713285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.sh4"; depth:19; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850186/; classtype:trojan-activity;sid:84713286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.arm6_32"; depth:23; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850187/; classtype:trojan-activity;sid:84713287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.mips_32"; depth:23; 
endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850188/; classtype:trojan-activity;sid:84713288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.x86_32"; depth:22; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850189/; classtype:trojan-activity;sid:84713289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/mynode.mpsl_32"; depth:23; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850190/; classtype:trojan-activity;sid:84713290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release/all.sh"; depth:15; endswith; nocase; http.host; content:"176.65.139.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850168/; classtype:trojan-activity;sid:84713268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.186.230.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850167/; classtype:trojan-activity;sid:84713267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3850166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.23.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850166/; classtype:trojan-activity;sid:84713266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.83.31.247"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850165/; classtype:trojan-activity;sid:84713265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.83.31.201"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850162/; classtype:trojan-activity;sid:84713262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.83.31.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850163/; classtype:trojan-activity;sid:84713263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.26.115.56"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850164/; classtype:trojan-activity;sid:84713264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.83.31.201"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850161/; classtype:trojan-activity;sid:84713261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.83.31.247"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850160/; classtype:trojan-activity;sid:84713260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.7.244"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850159/; classtype:trojan-activity;sid:84713259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.52.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850158/; classtype:trojan-activity;sid:84713258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850157)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.24.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850157/; classtype:trojan-activity;sid:84713257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.100.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850156/; classtype:trojan-activity;sid:84713256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.52.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850155/; classtype:trojan-activity;sid:84713255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.206.100.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850154/; classtype:trojan-activity;sid:84713254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850153/; classtype:trojan-activity;sid:84713253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3850152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.103.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850152/; classtype:trojan-activity;sid:84713252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.100.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850151/; classtype:trojan-activity;sid:84713251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850150/; classtype:trojan-activity;sid:84713250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.7.244"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850149/; classtype:trojan-activity;sid:84713249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.241.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850148/; classtype:trojan-activity;sid:84713248; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850147/; classtype:trojan-activity;sid:84713247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.210.196.120"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850146/; classtype:trojan-activity;sid:84713246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850145/; classtype:trojan-activity;sid:84713245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.177.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850144/; classtype:trojan-activity;sid:84713244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.210.196.120"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3850143/; classtype:trojan-activity;sid:84713243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.218.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850142/; classtype:trojan-activity;sid:84713242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.120.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850141/; classtype:trojan-activity;sid:84713241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.240.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850140/; classtype:trojan-activity;sid:84713240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f09ff42d-b909-4ff1-a435-32f0ac22a206/google.cl"; depth:47; endswith; nocase; http.host; content:"codepit-rized-denengine.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850139/; classtype:trojan-activity;sid:84713239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"61.53.120.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850138/; classtype:trojan-activity;sid:84713238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.168.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850137/; classtype:trojan-activity;sid:84713237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850136/; classtype:trojan-activity;sid:84713236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.239.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850135/; classtype:trojan-activity;sid:84713235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.240.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850134/; classtype:trojan-activity;sid:84713234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850133)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.8.57"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850133/; classtype:trojan-activity;sid:84713233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54f141ac-8b34-4461-b0ab-f8aae19825f6/google.cl"; depth:47; endswith; nocase; http.host; content:"dampcaps-flor-sou-rail.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850132/; classtype:trojan-activity;sid:84713232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.74.182"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850131/; classtype:trojan-activity;sid:84713231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.191.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850130/; classtype:trojan-activity;sid:84713230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850129/; classtype:trojan-activity;sid:84713229; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=64e5455a-eeac-4fad-99ca-7b85ca4e46e6"; depth:47; endswith; nocase; http.host; content:"8xtx6dv2.gothiccathedralblueprint.digital"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850128/; classtype:trojan-activity;sid:84713228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.150.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850127/; classtype:trojan-activity;sid:84713227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de971083-b8b0-4be8-9fe1-d6779c90848d/google.cl"; depth:47; endswith; nocase; http.host; content:"mendocs-opera-shub-cowddos.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850126/; classtype:trojan-activity;sid:84713226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.238.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850125/; classtype:trojan-activity;sid:84713225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"123.190.104.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850124/; classtype:trojan-activity;sid:84713224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.162.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850122/; classtype:trojan-activity;sid:84713222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.96.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850123/; classtype:trojan-activity;sid:84713223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.168.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850121/; classtype:trojan-activity;sid:84713221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.111.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850120/; classtype:trojan-activity;sid:84713220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850119)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.111.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850119/; classtype:trojan-activity;sid:84713219; rev:1;)
# Reading these entries: every rule is an exact-match indicator for one URLhaus
# URL. On http.uri, depth:<content length> together with endswith requires the
# content to be the entire normalized URI (nocase applies to that URI content
# only). On http.host, depth:<content length> together with isdataat:!1,relative
# requires the content to be the entire host value.
# Triage note: many hosts are bare IPv4 addresses paired with a URI as short as
# "/i", so the alert is effectively a destination-host match. The address may no
# longer serve the listed content after created_at; check the entry behind the
# reference URL before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69de6905-f1fc-408e-a612-a49a123cfe40/google.cl"; depth:47; endswith; nocase; http.host; content:"agilebee-federate-growth-net.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850118/; classtype:trojan-activity;sid:84713218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.50.197.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850117/; classtype:trojan-activity;sid:84713217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"160.30.142.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850116/; classtype:trojan-activity;sid:84713216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.238.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850115/; classtype:trojan-activity;sid:84713215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.96.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850114/; classtype:trojan-activity;sid:84713214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.27.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850113/; classtype:trojan-activity;sid:84713213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.244.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850112/; classtype:trojan-activity;sid:84713212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.93.235"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850111/; classtype:trojan-activity;sid:84713211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.23.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850110/; classtype:trojan-activity;sid:84713210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.104.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850109/; classtype:trojan-activity;sid:84713209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.74.182"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850108/; classtype:trojan-activity;sid:84713208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.32.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850107/; classtype:trojan-activity;sid:84713207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.114.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850105/; classtype:trojan-activity;sid:84713205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.46.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850106/; classtype:trojan-activity;sid:84713206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvcs-0h91-09wd-ypdn/img_0atc3a.png"; depth:35; endswith; nocase; http.host; content:"small-morning-8be0.fsocietyandtools.workers.dev"; depth:47; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850104/; classtype:trojan-activity;sid:84713204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.93.235"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850103/; classtype:trojan-activity;sid:84713203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.7.134"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850102/; classtype:trojan-activity;sid:84713202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bc5a6b4-1345-4198-b7c4-3619c2b2f2f3/google.cl"; depth:47; endswith; nocase; http.host; content:"modesix-iontel-scalapie-system.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850101/; classtype:trojan-activity;sid:84713201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.46.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850100/; classtype:trojan-activity;sid:84713200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.50.197.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850099/; classtype:trojan-activity;sid:84713199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.114.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850098/; classtype:trojan-activity;sid:84713198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850097/; classtype:trojan-activity;sid:84713197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.43.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850096/; 
classtype:trojan-activity;sid:84713196; rev:1;)
# Scope of these rules: client-to-server direction only
# (flow:established,from_client with $HOME_NET -> $EXTERNAL_NET) and
# request-side buffers only (http.method, http.uri, http.host). A hit shows that
# an internal host requested the listed URL; it does not show that a payload was
# returned, so check the HTTP response and file logs for the same flow in triage.
# "alert http" applies to traffic parsed as HTTP, so the same URL fetched over
# TLS is outside these rules unless decrypted traffic reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4a980ae-43cb-4312-91df-8117e9fe6ceb/google.cl"; depth:47; endswith; nocase; http.host; content:"modelcut-auto-frame-nodipfs.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850095/; classtype:trojan-activity;sid:84713195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.150.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850094/; classtype:trojan-activity;sid:84713194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/ea/random.exe"; depth:20; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850093/; classtype:trojan-activity;sid:84713193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.218.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850092/; classtype:trojan-activity;sid:84713192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.4.194"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850090/; classtype:trojan-activity;sid:84713190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.231.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850091/; classtype:trojan-activity;sid:84713191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/48385cab-8a7a-4ce4-94ae-04d88f3f4b7c/google.cl"; depth:47; endswith; nocase; http.host; content:"scaletax-bute-analytics-toeheap.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850089/; classtype:trojan-activity;sid:84713189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.150.252.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850088/; classtype:trojan-activity;sid:84713188; rev:1;)
# NOTE(review): in the next rule "|3f|" is the hex escape for "?", so the URI
# content is 44 bytes long while depth is 47 (the length of the escaped text).
# With endswith, a URI carrying up to 3 extra leading bytes would still match;
# depth:44 would be the exact anchor. Raise it with the feed maintainer rather
# than editing locally, since a feed update would overwrite a local change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bda0f7c4-c0a9-4b79-aadd-0ed18d7ea400"; depth:47; endswith; nocase; http.host; content:"uh83re33.magneticlevitationtrain.digital"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850087/; classtype:trojan-activity;sid:84713187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.150.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850086/; classtype:trojan-activity;sid:84713186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.189.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850085/; classtype:trojan-activity;sid:84713185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.181.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850084/; classtype:trojan-activity;sid:84713184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.227.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850083/; classtype:trojan-activity;sid:84713183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.168.52.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850082/; classtype:trojan-activity;sid:84713182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.231.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850081/; classtype:trojan-activity;sid:84713181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6afe7946-ca5e-4b0d-b52f-996862518e8c/google.cl"; depth:47; endswith; nocase; http.host; content:"bagansi-wild-flowr-manage-form.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850080/; classtype:trojan-activity;sid:84713180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.101.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850079/; classtype:trojan-activity;sid:84713179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.67.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850078/; classtype:trojan-activity;sid:84713178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.150.252.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850077/; classtype:trojan-activity;sid:84713177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.67.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850076/; classtype:trojan-activity;sid:84713176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.101.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850075/; classtype:trojan-activity;sid:84713175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.168.52.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850074/; classtype:trojan-activity;sid:84713174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/04c77659-d8ad-4025-a7bd-72ae821ca6cc/google.cl"; depth:47; endswith; nocase; http.host; content:"dengrep-resource-opencut-engine.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850073/; classtype:trojan-activity;sid:84713173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3850072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.128.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850072/; classtype:trojan-activity;sid:84713172; rev:1;)
# Pivoting from an alert: the number in msg, the id in the reference URL and
# the sid all identify the same URLhaus entry; in the rules listed here
# sid = URLhaus id + 80863100. Every entry is rev:1 with
# metadata:created_at 2026_05_19, which dates the rule and can be used to age
# out indicators that are no longer live.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8tsmopx"; depth:8; endswith; nocase; http.host; content:"buly.kr"; depth:7; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850071/; classtype:trojan-activity;sid:84713171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26/girlgoodforme.hta"; depth:21; endswith; nocase; http.host; content:"107.172.13.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850068/; classtype:trojan-activity;sid:84713168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26/img_235621.png"; depth:18; endswith; nocase; http.host; content:"107.172.13.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850069/; classtype:trojan-activity;sid:84713169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25/img_184906.png"; depth:18; endswith; nocase; http.host; content:"172.245.209.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850070/; classtype:trojan-activity;sid:84713170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatever.exe"; depth:13; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850067/; classtype:trojan-activity;sid:84713167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.10.132.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850066/; classtype:trojan-activity;sid:84713166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.247.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850065/; classtype:trojan-activity;sid:84713165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.164.128.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850064/; classtype:trojan-activity;sid:84713164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.117.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850063/; classtype:trojan-activity;sid:84713163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58e89562-8689-461c-b23b-1b46e709e9f4/google.cl"; depth:47; endswith; nocase; http.host; content:"green-macrohim-work-center.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850062/; classtype:trojan-activity;sid:84713162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.207.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850061/; classtype:trojan-activity;sid:84713161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.171.62.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850060/; classtype:trojan-activity;sid:84713160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.24.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850059/; classtype:trojan-activity;sid:84713159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a2586d64-a197-474f-92f5-89517f8bac30/google.cl"; depth:47; endswith; nocase; http.host; content:"containerizedgardenengine.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850058/; classtype:trojan-activity;sid:84713158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.182.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850057/; classtype:trojan-activity;sid:84713157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850056/; classtype:trojan-activity;sid:84713156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.171.62.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850055/; classtype:trojan-activity;sid:84713155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.207.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850054/; classtype:trojan-activity;sid:84713154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850053/; classtype:trojan-activity;sid:84713153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850052/; classtype:trojan-activity;sid:84713152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfd2548e-d215-4117-8ece-17c3ee97e0ec/google.cl"; depth:47; endswith; nocase; http.host; content:"floraresourcecontroller.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850051/; classtype:trojan-activity;sid:84713151; rev:1;)
# NOTE(review): in the next rule "|3f|" is the hex escape for "?", so the URI
# content is 44 bytes long while depth is 47 (the length of the escaped text).
# With endswith, a URI carrying up to 3 extra leading bytes would still match;
# depth:44 would be the exact anchor. Worth reporting to the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=675270ff-25da-482e-abdc-062d0941560f"; depth:47; endswith; nocase; http.host; content:"lv5evztg.cyberneticprostheticlab.digital"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850050/; classtype:trojan-activity;sid:84713150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850049)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850049/; classtype:trojan-activity;sid:84713149; rev:1;)
# Several hosts in this run are listed twice, once with "/i" and once with
# "/bin.sh" (for example 125.43.240.218, 110.37.115.91 and 110.36.15.1), so a
# single client contacting such a host can raise alerts under two sids. When
# counting affected clients, correlate by destination host rather than by sid.
# None of the rules carries a threshold option. NOTE(review): any rate limiting
# has to come from the sensor's threshold configuration; confirm local policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850048/; classtype:trojan-activity;sid:84713148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.240.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850047/; classtype:trojan-activity;sid:84713147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e0754d6b-438b-456d-80b9-6af028af793f/google.cl"; depth:47; endswith; nocase; http.host; content:"meadowoperationshub.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850046/; classtype:trojan-activity;sid:84713146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.209.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850045/; classtype:trojan-activity;sid:84713145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.47.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850044/; classtype:trojan-activity;sid:84713144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.245.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850043/; classtype:trojan-activity;sid:84713143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.115.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850042/; classtype:trojan-activity;sid:84713142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.29.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850041/; classtype:trojan-activity;sid:84713141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.12.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850040/; classtype:trojan-activity;sid:84713140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.167.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850039/; classtype:trojan-activity;sid:84713139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.240.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850038/; classtype:trojan-activity;sid:84713138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.240.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850037/; classtype:trojan-activity;sid:84713137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850036/; classtype:trojan-activity;sid:84713136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b35f6033-70ec-498c-bc4f-3ec41e689749/google.cl"; depth:47; endswith; nocase; http.host; content:"federatedgrowthnetwork.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850035/; classtype:trojan-activity;sid:84713135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850034/; classtype:trojan-activity;sid:84713134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.115.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850033/; classtype:trojan-activity;sid:84713133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.249.70.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850032/; classtype:trojan-activity;sid:84713132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850031/; classtype:trojan-activity;sid:84713131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.243.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850030/; classtype:trojan-activity;sid:84713130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.252.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850029/; classtype:trojan-activity;sid:84713129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.4.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850028/; classtype:trojan-activity;sid:84713128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/67cedf02-0da7-4f84-ad69-cd4f4b67f7e4/google.cl"; depth:47; endswith; nocase; http.host; content:"irrigationtelemetrysystem.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850027/; classtype:trojan-activity;sid:84713127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.209.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850026/; classtype:trojan-activity;sid:84713126; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.4.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850025/; classtype:trojan-activity;sid:84713125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"88.249.70.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850024/; classtype:trojan-activity;sid:84713124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.81.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850023/; classtype:trojan-activity;sid:84713123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.243.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850021/; classtype:trojan-activity;sid:84713121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.4.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3850022/; classtype:trojan-activity;sid:84713122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.136.86.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850020/; classtype:trojan-activity;sid:84713120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3f0493c2-1d7e-4eec-97d4-b79f68d6909f/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalautomationframework.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850019/; classtype:trojan-activity;sid:84713119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.92.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850018/; classtype:trojan-activity;sid:84713118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.233.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850017/; classtype:trojan-activity;sid:84713117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850016)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/|3f|ublib=34842bde-de43-48dc-bf78-418653d70220"; depth:47; endswith; nocase; http.host; content:"3zqfx034.subfossiloakchronology.digital"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850016/; classtype:trojan-activity;sid:84713116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.71.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850015/; classtype:trojan-activity;sid:84713115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e2f7316c-f595-4f54-a6b3-acf48e330f4c/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedgardenanalytics.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850014/; classtype:trojan-activity;sid:84713114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.69.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850013/; classtype:trojan-activity;sid:84713113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.87.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850012/; 
classtype:trojan-activity;sid:84713112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.81.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850011/; classtype:trojan-activity;sid:84713111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a49fac3f-acb0-4e73-8aec-dec37b0f879a/google.cl"; depth:47; endswith; nocase; http.host; content:"wildfloramanagementplatform.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850010/; classtype:trojan-activity;sid:84713110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.145.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850009/; classtype:trojan-activity;sid:84713109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.69.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850008/; classtype:trojan-activity;sid:84713108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.36.95.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850007/; classtype:trojan-activity;sid:84713107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/04f88403-b560-4b6e-b150-7c9d3f8d2d56/google.cl"; depth:47; endswith; nocase; http.host; content:"petalresourceengine.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850006/; classtype:trojan-activity;sid:84713106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lsmsjvel68.bin"; depth:15; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850005/; classtype:trojan-activity;sid:84713105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhekiqxjoh156.bin"; depth:18; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850000/; classtype:trojan-activity;sid:84713100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ciphp130.bin"; depth:13; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850001/; classtype:trojan-activity;sid:84713101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3850002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nnzrhucccknmou229.bin"; depth:22; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850002/; classtype:trojan-activity;sid:84713102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lsmsjvel68.bin"; depth:15; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850003/; classtype:trojan-activity;sid:84713103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3850004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upbhpexqormbmya151.bin"; depth:23; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3850004/; classtype:trojan-activity;sid:84713104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiuwxijvtjcqqzxvxiyw186.bin"; depth:28; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849997/; classtype:trojan-activity;sid:84713097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkmgqv11.bin"; depth:13; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3849998/; classtype:trojan-activity;sid:84713098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nftdhrhyxbvweqprzgbpnafky164.bin"; depth:33; endswith; nocase; http.host; content:"185.29.9.115"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849999/; classtype:trojan-activity;sid:84713099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/vigilant-waffle/raw/refs/heads/main/loader.ps1"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849996/; classtype:trojan-activity;sid:84713096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/rammm/refs/heads/main/shellcode.bin"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849995/; classtype:trojan-activity;sid:84713095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1dlazbgzuqc7wa5ibjxj_mrl1rtp6l8vs"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849994/; classtype:trojan-activity;sid:84713094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3849992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/vigilant-waffle/refs/heads/main/shellcode.bin"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849992/; classtype:trojan-activity;sid:84713092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/rammm/raw/refs/heads/main/shellcode.bin"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849993/; classtype:trojan-activity;sid:84713093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/vigilant-waffle/refs/heads/main/loader.ps1"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849990/; classtype:trojan-activity;sid:84713090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/vigilant-waffle/raw/refs/heads/main/shellcode.bin"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849991/; classtype:trojan-activity;sid:84713091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849989)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.236.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849989/; classtype:trojan-activity;sid:84713089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.13.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849988/; classtype:trojan-activity;sid:84713088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.mips"; depth:13; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849985/; classtype:trojan-activity;sid:84713085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.psh4"; depth:14; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849986/; classtype:trojan-activity;sid:84713086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmips"; depth:15; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849987/; classtype:trojan-activity;sid:84713087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3849978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pspc"; depth:14; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849978/; classtype:trojan-activity;sid:84713078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pm68k"; depth:15; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849979/; classtype:trojan-activity;sid:84713079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.px86"; depth:14; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849980/; classtype:trojan-activity;sid:84713080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849981/; classtype:trojan-activity;sid:84713081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3849982/; classtype:trojan-activity;sid:84713082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.pmpsl"; depth:15; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849983/; classtype:trojan-activity;sid:84713083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849984/; classtype:trojan-activity;sid:84713084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.mpsl"; depth:13; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849957/; classtype:trojan-activity;sid:84713057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bz2xb9.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849958/; classtype:trojan-activity;sid:84713058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm4"; depth:13; endswith; nocase; 
http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849959/; classtype:trojan-activity;sid:84713059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.sparc"; depth:14; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849960/; classtype:trojan-activity;sid:84713060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.m68k"; depth:13; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849961/; classtype:trojan-activity;sid:84713061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.x86"; depth:12; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849962/; classtype:trojan-activity;sid:84713062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm5"; depth:13; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849963/; classtype:trojan-activity;sid:84713063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849964)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm6"; depth:13; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849964/; classtype:trojan-activity;sid:84713064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.x86_32"; depth:15; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849965/; classtype:trojan-activity;sid:84713065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm7"; depth:13; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849966/; classtype:trojan-activity;sid:84713066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm5"; depth:15; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849967/; classtype:trojan-activity;sid:84713067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849968/; 
classtype:trojan-activity;sid:84713068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.sh4"; depth:12; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849969/; classtype:trojan-activity;sid:84713069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.x86_64"; depth:15; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849970/; classtype:trojan-activity;sid:84713070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.ppc"; depth:12; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849971/; classtype:trojan-activity;sid:84713071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm6"; depth:15; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849972/; classtype:trojan-activity;sid:84713072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm7"; depth:15; endswith; nocase; http.host; 
content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849973/; classtype:trojan-activity;sid:84713073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.parm"; depth:14; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849974/; classtype:trojan-activity;sid:84713074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/dlr.x86_64"; depth:16; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849975/; classtype:trojan-activity;sid:84713075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849976/; classtype:trojan-activity;sid:84713076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849977/; classtype:trojan-activity;sid:84713077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849956)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"110.39.233.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849956/; classtype:trojan-activity;sid:84713056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.236.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849955/; classtype:trojan-activity;sid:84713055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.70.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849954/; classtype:trojan-activity;sid:84713054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.233.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849953/; classtype:trojan-activity;sid:84713053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.39.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849952/; classtype:trojan-activity;sid:84713052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3849951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.13.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849951/; classtype:trojan-activity;sid:84713051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63f9a529-b49f-4704-8249-78af7c915719/google.cl"; depth:47; endswith; nocase; http.host; content:"carbon-fiber-monocoque.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849950/; classtype:trojan-activity;sid:84713050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.44.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849949/; classtype:trojan-activity;sid:84713049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.163.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849948/; classtype:trojan-activity;sid:84713048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=1e13d931-cbb9-488c-be4d-e0bb12c9063a"; depth:47; endswith; nocase; http.host; content:"46fmfamd.crispychickencutlets.digital"; 
depth:37; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849947/; classtype:trojan-activity;sid:84713047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da4ccdc1-2edb-4dd3-8c0e-05c3082dd829/google.cl"; depth:47; endswith; nocase; http.host; content:"bioluminescent-fungi-spore.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849946/; classtype:trojan-activity;sid:84713046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849945/; classtype:trojan-activity;sid:84713045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.163.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849944/; classtype:trojan-activity;sid:84713044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849943/; classtype:trojan-activity;sid:84713043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849942)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff2118f2-7b15-4399-819d-e91c2a58c21d/google.cl"; depth:47; endswith; nocase; http.host; content:"interstellar-dust-nebula.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849942/; classtype:trojan-activity;sid:84713042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.241.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849941/; classtype:trojan-activity;sid:84713041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xvzpjyddlu/getdata.php"; depth:23; endswith; nocase; http.host; content:"196.251.107.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849940/; classtype:trojan-activity;sid:84713040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidrosys/api/rump18th.png"; depth:26; endswith; nocase; http.host; content:"desentupidora.pro.br"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849939/; classtype:trojan-activity;sid:84713039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"losslvs.surf"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3849938/; classtype:trojan-activity;sid:84713038; rev:1;)
# NOTE(review): the next rule (sid:84713037) and sid:84713035 further down match
# on http.uri / http.host for github.com and raw.githubusercontent.com. These
# are "alert http" rules, so they only fire where the sensor sees the HTTP
# request itself: cleartext HTTP, or traffic decrypted upstream. These hosts are
# normally reached over HTTPS (confirm for your environment), in which case the
# http.* buffers are never populated and the rules stay silent.
# Both hosts are shared platforms, so a host-only fallback (DNS or TLS SNI)
# would also match legitimate traffic. Path-level coverage needs TLS inspection
# or proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/verbose-palm-tree/raw/refs/heads/main/file.vbproj"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849937/; classtype:trojan-activity;sid:84713037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/ovnq8pyjh2xo.exe"; depth:25; endswith; nocase; http.host; content:"id8796.cfd"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849936/; classtype:trojan-activity;sid:84713036; rev:1;)
# NOTE(review): same repository path as sid:84713037 above, reached through the
# raw.githubusercontent.com form of the URL; the HTTPS visibility caveat above
# applies here as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grere856-dot/verbose-palm-tree/refs/heads/main/file.vbproj"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849935/; classtype:trojan-activity;sid:84713035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/fktfmbe3kqp9.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849923/; classtype:trojan-activity;sid:84713023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3849924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/af2dee0f20b847ea_310.php"; depth:33; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849924/; classtype:trojan-activity;sid:84713024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/16b022998f754137b60a.php"; depth:25; endswith; nocase; http.host; content:"196.251.107.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849925/; classtype:trojan-activity;sid:84713025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/f6ab9f4da4ed74e4_301.php"; depth:33; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849926/; classtype:trojan-activity;sid:84713026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xvzpjyddlu/getdata.php"; depth:23; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849927/; classtype:trojan-activity;sid:84713027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/fznceashcgle.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_19; reference:url, urlhaus.abuse.ch/url/3849928/; classtype:trojan-activity;sid:84713028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849929/; classtype:trojan-activity;sid:84713029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/9lleukaxnxge.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849930/; classtype:trojan-activity;sid:84713030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/5aerydl4boo4.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849931/; classtype:trojan-activity;sid:84713031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/0z3ocw3ctbo8.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849932/; classtype:trojan-activity;sid:84713032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849933)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/uploads/swaqchrfqvfx.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849933/; classtype:trojan-activity;sid:84713033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api.php"; depth:8; endswith; nocase; http.host; content:"196.251.107.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849934/; classtype:trojan-activity;sid:84713034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/djmay.png"; depth:10; endswith; nocase; http.host; content:"crescentegramas.com.br"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849922/; classtype:trojan-activity;sid:84713022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/j07f9jflfile.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849921/; classtype:trojan-activity;sid:84713021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.84.115.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849920/; classtype:trojan-activity;sid:84713020; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.209.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849919/; classtype:trojan-activity;sid:84713019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baee3115-fdaa-460b-92ca-7fb4bc12a525/google.cl"; depth:47; endswith; nocase; http.host; content:"ancient-colosseum-engineering.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849918/; classtype:trojan-activity;sid:84713018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.136.86.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849917/; classtype:trojan-activity;sid:84713017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.106.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849916/; classtype:trojan-activity;sid:84713016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e0590aee-5a6b-492e-942f-43a332afd22a/google.cl"; depth:47; endswith; nocase; http.host; 
content:"stealth-bomber-radar-cross.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849915/; classtype:trojan-activity;sid:84713015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849914/; classtype:trojan-activity;sid:84713014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.170.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849913/; classtype:trojan-activity;sid:84713013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.103.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849912/; classtype:trojan-activity;sid:84713012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.106.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849911/; classtype:trojan-activity;sid:84713011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849910)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/68520466-0a04-4be9-9492-a387da8a581a/google.cl"; depth:47; endswith; nocase; http.host; content:"stratographic-core-drill.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849910/; classtype:trojan-activity;sid:84713010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849909/; classtype:trojan-activity;sid:84713009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849908/; classtype:trojan-activity;sid:84713008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=873efc79-a61b-4ff5-8615-76b1bc971cc7"; depth:47; endswith; nocase; http.host; content:"rgx5w3o2.orbitaldockingmodule.digital"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849907/; classtype:trojan-activity;sid:84713007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; 
reference:url, urlhaus.abuse.ch/url/3849903/; classtype:trojan-activity;sid:84713003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849904/; classtype:trojan-activity;sid:84713004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"92.112.126.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849905/; classtype:trojan-activity;sid:84713005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.103.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849906/; classtype:trojan-activity;sid:84713006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.27.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849902/; classtype:trojan-activity;sid:84713002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"60.23.233.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849901/; classtype:trojan-activity;sid:84713001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.30.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849900/; classtype:trojan-activity;sid:84713000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.225.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849899/; classtype:trojan-activity;sid:84712999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849898/; classtype:trojan-activity;sid:84712998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.110.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849897/; classtype:trojan-activity;sid:84712997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849896)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/r/5vai1jn1"; depth:11; endswith; nocase; http.host; content:"paste.ee"; depth:8; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849896/; classtype:trojan-activity;sid:84712996; rev:1;)
# NOTE(review): the next rule (sid:84712995) and sid:84712993 further down have
# identical match conditions (GET, http.uri "/r/5vai1jn1", http.host
# "pastee.dev"); only msg, reference and sid differ. One matching request would
# therefore raise two alerts. Presumably two URLhaus entries resolve to the same
# host and path (confirm against the references); consider disabling one of the
# two locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r/5vai1jn1"; depth:11; endswith; nocase; http.host; content:"pastee.dev"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849895/; classtype:trojan-activity;sid:84712995; rev:1;)
# NOTE(review): in a content pattern, bytes between pipes are hex, so
# "|7c|26|7c|" matches the four literal characters "|26|", not an ampersand
# (0x26). This looks like a double-escaped "&" between "alt=media" and "token="
# (verify against the URLhaus entry). If the real request carries "&", this
# rule cannot match.
# depth:118 equals the length of the pattern as written with its escapes, which
# is longer than the decoded byte pattern, so depth does not pin the match to
# the start of the URI as tightly as it does in the unescaped rules.
# The host is normally served over HTTPS (confirm); an "alert http" rule only
# sees it on cleartext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/maty-60fd2.firebasestorage.app/o/wedlincoln.ps1|3f|alt=media|7c|26|7c|token=176a0671-0105-4b5a-b16b-47bb323baf6b"; depth:118; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849894/; classtype:trojan-activity;sid:84712994; rev:1;)
# NOTE(review): duplicate match conditions of sid:84712995 above (same method,
# URI and host).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r/5vai1jn1"; depth:11; endswith; nocase; http.host; content:"pastee.dev"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849893/; classtype:trojan-activity;sid:84712993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bb6e176c-558d-4837-b6ae-77cb6cb26c56/google.cl"; depth:47; endswith; nocase; http.host; content:"modular-analog-synthesizer.garden"; depth:33; isdataat:!1,relative; 
metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849892/; classtype:trojan-activity;sid:84712992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ansttelse.deploy"; depth:17; endswith; nocase; http.host; content:"107.173.47.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849891/; classtype:trojan-activity;sid:84712991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.243.128.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849890/; classtype:trojan-activity;sid:84712990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849889/; classtype:trojan-activity;sid:84712989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bf5deffb-d9f1-44ae-9bf6-8a2b0e4c8341/google.cl"; depth:47; endswith; nocase; http.host; content:"tectonic-fault-seismograph.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849888/; classtype:trojan-activity;sid:84712988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849887)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.31.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849887/; classtype:trojan-activity;sid:84712987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.30.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849885/; classtype:trojan-activity;sid:84712985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.225.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849886/; classtype:trojan-activity;sid:84712986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.36.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849884/; classtype:trojan-activity;sid:84712984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/td2"; depth:4; endswith; nocase; http.host; content:"62.181.55.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849883/; classtype:trojan-activity;sid:84712983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3849882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.192.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849882/; classtype:trojan-activity;sid:84712982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.157.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849881/; classtype:trojan-activity;sid:84712981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cabf8546-82b6-4404-a12e-342f0e311f02/google.cl"; depth:47; endswith; nocase; http.host; content:"subterranean-bunker-outpost.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849880/; classtype:trojan-activity;sid:84712980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.192.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849879/; classtype:trojan-activity;sid:84712979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3849868/; classtype:trojan-activity;sid:84712968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.i586"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849869/; classtype:trojan-activity;sid:84712969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.m68k"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849870/; classtype:trojan-activity;sid:84712970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.armv7l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849871/; classtype:trojan-activity;sid:84712971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.armv5l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849872/; classtype:trojan-activity;sid:84712972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.powerpc"; 
depth:22; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849873/; classtype:trojan-activity;sid:84712973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.mips"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849874/; classtype:trojan-activity;sid:84712974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.armv6l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849875/; classtype:trojan-activity;sid:84712975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.sparc"; depth:20; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849876/; classtype:trojan-activity;sid:84712976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.mipsel"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849877/; classtype:trojan-activity;sid:84712977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3849878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.sh4"; depth:18; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849878/; classtype:trojan-activity;sid:84712978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.arc"; depth:18; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849867/; classtype:trojan-activity;sid:84712967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/dlr.armv4l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849866/; classtype:trojan-activity;sid:84712966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_9eba8ba0028ac2cf.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849864/; classtype:trojan-activity;sid:84712964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_d1817d35ffdfedd3.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849865/; classtype:trojan-activity;sid:84712965; rev:1;)
# One rule per line from here on. Each rule matches a single reported URL:
# http.uri and http.host are both pinned by a depth equal to the pattern
# length plus an end anchor (endswith / isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.234.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849862/; classtype:trojan-activity;sid:84712962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af090082-74da-4f8e-a1e1-b01c1a57e7e5/google.cl"; depth:47; endswith; nocase; http.host; content:"the-sopranos-family-tree.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849863/; classtype:trojan-activity;sid:84712963; rev:1;)
# NOTE(review): in the next rule `|3f|` is hex notation for one byte ('?'),
# so the URI pattern is 44 bytes long, but depth is 47 - the character count
# of the escaped text. endswith still forces the pattern to end the URI, yet
# up to 3 bytes may precede it, so this rule is slightly looser than the
# exact-match rules around it. depth:44 would pin it. Presumably a generator
# issue - report upstream rather than patching the feed locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=f330dd3a-11fd-475c-9403-5bc6a7e598f4"; depth:47; endswith; nocase; http.host; content:"q956x3rl.badabingsopranoslounge.digital"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849861/; classtype:trojan-activity;sid:84712961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.31.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849859/; classtype:trojan-activity;sid:84712959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3849860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.19.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849860/; classtype:trojan-activity;sid:84712960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.16.159.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849858/; classtype:trojan-activity;sid:84712958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.234.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849857/; classtype:trojan-activity;sid:84712957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.80.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849856/; classtype:trojan-activity;sid:84712956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.194.253.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849855/; classtype:trojan-activity;sid:84712955; rev:1;) 
# Rule template used by every entry below (one rule per line):
#   - fires on an HTTP GET request sent by a $HOME_NET client to $EXTERNAL_NET
#     on an established flow (flow:established,from_client);
#   - http.uri: depth equals the pattern length and endswith anchors the end,
#     so the whole URI must equal the pattern (nocase: case-insensitive);
#   - http.host: depth equals the pattern length and isdataat:!1,relative
#     requires that no byte follows the match, so the whole host must equal
#     the pattern;
#   - sid is the URLhaus entry id (shown in msg and reference) plus 80863100.
# NOTE(review): these are exact-match indicators for one reported URL each;
# an alert means a client requested that URL, not that a payload was
# delivered - confirm against the HTTP response / file logs when triaging.
# NOTE(review): `alert http` needs HTTP that the sensor can parse in the
# clear; presumably the same URL fetched over TLS is not covered unless
# traffic is decrypted before inspection - confirm for your sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1355e8eb-0696-4a1e-b68f-7456031511bb/google.cl"; depth:47; endswith; nocase; http.host; content:"quantum-entanglement-crypt.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849854/; classtype:trojan-activity;sid:84712954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.224.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849853/; classtype:trojan-activity;sid:84712953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.118.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849852/; classtype:trojan-activity;sid:84712952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849851/; classtype:trojan-activity;sid:84712951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.96.153"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849850/; classtype:trojan-activity;sid:84712950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.80.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849849/; classtype:trojan-activity;sid:84712949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"79.125.226.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849848/; classtype:trojan-activity;sid:84712948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.198.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849847/; classtype:trojan-activity;sid:84712947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.236.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849846/; classtype:trojan-activity;sid:84712946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849845)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/3ac57b2f-2bfc-4f12-b1cd-247c272c148f/google.cl"; depth:47; endswith; nocase; http.host; content:"amber-fossil-mosquito.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849845/; classtype:trojan-activity;sid:84712945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.163.55.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849844/; classtype:trojan-activity;sid:84712944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.92.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849843/; classtype:trojan-activity;sid:84712943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.78.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849841/; classtype:trojan-activity;sid:84712941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.198.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849842/; classtype:trojan-activity;sid:84712942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3849840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.195.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849840/; classtype:trojan-activity;sid:84712940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.192.238.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849839/; classtype:trojan-activity;sid:84712939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/77ba6dfa-c0e0-4c28-982d-42f0146fdf04/google.cl"; depth:47; endswith; nocase; http.host; content:"phase-shift-bridge-driver.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849838/; classtype:trojan-activity;sid:84712938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.92.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849837/; classtype:trojan-activity;sid:84712937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.157.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; 
reference:url, urlhaus.abuse.ch/url/3849836/; classtype:trojan-activity;sid:84712936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.107.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849835/; classtype:trojan-activity;sid:84712935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.192.238.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849834/; classtype:trojan-activity;sid:84712934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc0f31bf-3444-42b5-92b9-86a23231fa5b/google.cl"; depth:47; endswith; nocase; http.host; content:"xenomorph-hive-intelligence.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849833/; classtype:trojan-activity;sid:84712933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"157.66.146.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849832/; classtype:trojan-activity;sid:84712932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849831)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/|3f|ublib=9db51ed9-7f9d-483b-b4c1-e1a439f55d18"; depth:47; endswith; nocase; http.host; content:"x8drf7ed.audioattenuatorschematic.digital"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849831/; classtype:trojan-activity;sid:84712931; rev:1;)
# NOTE(review): applies to the rule that ends on the line above
# (sid 84712931). `|3f|` is hex notation for one byte ('?'), so its URI
# pattern is 44 bytes long, but depth is 47 - the character count of the
# escaped text. endswith still forces the pattern to end the URI, yet up to
# 3 bytes may precede it, so that rule is slightly looser than the
# exact-match rules below. depth:44 would pin it. Presumably a generator
# issue - report upstream rather than patching the feed locally.
#
# The rules below are one per line; each pins http.uri and http.host to a
# single reported URL via a depth equal to the pattern length plus an end
# anchor (endswith / isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.79.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849830/; classtype:trojan-activity;sid:84712930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849829/; classtype:trojan-activity;sid:84712929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/91275a46-2ac1-4eb0-86db-0c5962c2b611/google.cl"; depth:47; endswith; nocase; http.host; content:"holistic-detective-agency.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849828/; classtype:trojan-activity;sid:84712928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.70.159.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849827/; 
classtype:trojan-activity;sid:84712927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.0.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849826/; classtype:trojan-activity;sid:84712926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"223.123.38.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849824/; classtype:trojan-activity;sid:84712924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"223.29.233.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849825/; classtype:trojan-activity;sid:84712925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"24-35-228-16.fidnet.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849823/; classtype:trojan-activity;sid:84712923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.39.19.233"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849822/; classtype:trojan-activity;sid:84712922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.70.159.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849821/; classtype:trojan-activity;sid:84712921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9f337497-0af1-47a8-940b-b4c53821ec62/google.cl"; depth:47; endswith; nocase; http.host; content:"containerizedplantengine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849820/; classtype:trojan-activity;sid:84712920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849819/; classtype:trojan-activity;sid:84712919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.116.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849818/; classtype:trojan-activity;sid:84712918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849817)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uppermpsl"; depth:10; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849817/; classtype:trojan-activity;sid:84712917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperspc"; depth:9; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849805/; classtype:trojan-activity;sid:84712905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperx64"; depth:9; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849806/; classtype:trojan-activity;sid:84712906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperarm7"; depth:10; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849807/; classtype:trojan-activity;sid:84712907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperarm"; depth:9; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849808/; classtype:trojan-activity;sid:84712908; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperx86"; depth:9; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849809/; classtype:trojan-activity;sid:84712909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uppersh4"; depth:9; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849810/; classtype:trojan-activity;sid:84712910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dck"; depth:4; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849811/; classtype:trojan-activity;sid:84712911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperarm5"; depth:10; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849812/; classtype:trojan-activity;sid:84712912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uppermips"; depth:10; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, 
urlhaus.abuse.ch/url/3849813/; classtype:trojan-activity;sid:84712913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperppc"; depth:9; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849814/; classtype:trojan-activity;sid:84712914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperm68k"; depth:10; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849815/; classtype:trojan-activity;sid:84712915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upperarm6"; depth:10; endswith; nocase; http.host; content:"87.121.79.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849816/; classtype:trojan-activity;sid:84712916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.207.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849804/; classtype:trojan-activity;sid:84712904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bz2xb9.sh"; depth:10; endswith; nocase; http.host; 
content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849803/; classtype:trojan-activity;sid:84712903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bab2318-6cb3-4469-820b-5b1fb408d3c8/google.cl"; depth:47; endswith; nocase; http.host; content:"floraobservabilitycenter.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849802/; classtype:trojan-activity;sid:84712902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.131.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849801/; classtype:trojan-activity;sid:84712901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9eae0fb3-ce9e-4772-a071-45c11a56a1c9/google.cl"; depth:47; endswith; nocase; http.host; content:"floraobservabilitycenter.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849800/; classtype:trojan-activity;sid:84712900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.211.89.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849799/; classtype:trojan-activity;sid:84712899; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.211.89.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849798/; classtype:trojan-activity;sid:84712898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/92649efe-7014-4314-8cb5-1d4b8517f4b2/google.cl"; depth:47; endswith; nocase; http.host; content:"meadowworkflowframework.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849797/; classtype:trojan-activity;sid:84712897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.50.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849796/; classtype:trojan-activity;sid:84712896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.126.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849795/; classtype:trojan-activity;sid:84712895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.126.188"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_19; reference:url, urlhaus.abuse.ch/url/3849794/; classtype:trojan-activity;sid:84712894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.79.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849793/; classtype:trojan-activity;sid:84712893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.138.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849792/; classtype:trojan-activity;sid:84712892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.223.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849791/; classtype:trojan-activity;sid:84712891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/04b30246-681e-4f28-94ac-4abdf8c9e9c0/google.cl"; depth:47; endswith; nocase; http.host; content:"federatedgardenplatform.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849790/; classtype:trojan-activity;sid:84712890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849789)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
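content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.207.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849789/; classtype:trojan-activity;sid:84712889; rev:1;)
# The rules below share one template: an outbound HTTP GET from $HOME_NET whose
# http.uri and http.host buffers each match a single URLhaus entry. depth is set
# to the content length and endswith / isdataat:!1,relative forbids trailing
# bytes, so each buffer has to equal the listed value (http.uri case-insensitively).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.54.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849788/; classtype:trojan-activity;sid:84712888; rev:1;)
# |3f| is the hex escape for one byte ("?"), so this content is 44 bytes long,
# not 47. The feed's depth:47 counted the escape as four characters, which let
# the rule also match URIs with up to three extra leading bytes before the
# pattern. depth:44 restores the exact-URI match the other rules have.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=96088ca9-a952-4d48-bdac-691d9ba54c5f"; depth:44; endswith; nocase; http.host; content:"8duc5067.siciliandefensetheory.digital"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849787/; classtype:trojan-activity;sid:84712887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.143.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849786/; classtype:trojan-activity;sid:84712886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.26.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849785/; classtype:trojan-activity;sid:84712885; rev:1;)
alert http $HOME_NET any -> 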
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c2fb09e-0fa9-4f7c-8e39-44e5d2c85ce7/google.cl"; depth:47; endswith; nocase; http.host; content:"irrigationanalyticssystem.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849784/; classtype:trojan-activity;sid:84712884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.26.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849782/; classtype:trojan-activity;sid:84712882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.223.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849783/; classtype:trojan-activity;sid:84712883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aecf995d-327f-468d-99a3-86a9d06e1c0a/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalresourcecontroller.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849781/; classtype:trojan-activity;sid:84712881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.10.143.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849780/; classtype:trojan-activity;sid:84712880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.65.203"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849779/; classtype:trojan-activity;sid:84712879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.31.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849778/; classtype:trojan-activity;sid:84712878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.8.57"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849777/; classtype:trojan-activity;sid:84712877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/78fda414-505b-4817-8905-4304fa00da8f/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedbloomnetwork.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849776/; classtype:trojan-activity;sid:84712876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849775)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.36.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849775/; classtype:trojan-activity;sid:84712875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849774/; classtype:trojan-activity;sid:84712874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849773/; classtype:trojan-activity;sid:84712873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849768/; classtype:trojan-activity;sid:84712868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849769/; classtype:trojan-activity;sid:84712869; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849770/; classtype:trojan-activity;sid:84712870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849771/; classtype:trojan-activity;sid:84712871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.144.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849772/; classtype:trojan-activity;sid:84712872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849764/; classtype:trojan-activity;sid:84712864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849765/; 
classtype:trojan-activity;sid:84712865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849766/; classtype:trojan-activity;sid:84712866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"220.158.232.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849767/; classtype:trojan-activity;sid:84712867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a5449b5c-f6c8-4f2a-b237-f7dbdd06245c/google.cl"; depth:47; endswith; nocase; http.host; content:"wildflorainfrastructurehub.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849763/; classtype:trojan-activity;sid:84712863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.109.120"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_19; reference:url, urlhaus.abuse.ch/url/3849762/; classtype:trojan-activity;sid:84712862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"59.96.140.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849761/; classtype:trojan-activity;sid:84712861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.230.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849760/; classtype:trojan-activity;sid:84712860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.176.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849759/; classtype:trojan-activity;sid:84712859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15062e4b-7ecb-4d6b-9bf4-4f8e2bdf429a/google.cl"; depth:47; endswith; nocase; http.host; content:"petalautomationplatform.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849758/; classtype:trojan-activity;sid:84712858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.100.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849757/; classtype:trojan-activity;sid:84712857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3849756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.162.169.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849756/; classtype:trojan-activity;sid:84712856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.144.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849755/; classtype:trojan-activity;sid:84712855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.59.201"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849754/; classtype:trojan-activity;sid:84712854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/858ef0eb-0ebe-4e8d-a09e-56e28ed6bdd6/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhousemanagementengine.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849753/; classtype:trojan-activity;sid:84712853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.206.85.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849752/; 
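classtype:trojan-activity;sid:84712852; rev:1;)
# The rules below share one template: an outbound HTTP GET from $HOME_NET whose
# http.uri and http.host buffers each match a single URLhaus entry. depth is set
# to the content length and endswith / isdataat:!1,relative forbids trailing
# bytes, so each buffer has to equal the listed value (http.uri case-insensitively).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.65.203"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849751/; classtype:trojan-activity;sid:84712851; rev:1;)
# |3f| is the hex escape for one byte ("?"), so this content is 44 bytes long,
# not 47. The feed's depth:47 counted the escape as four characters, which let
# the rule also match URIs with up to three extra leading bytes before the
# pattern. depth:44 restores the exact-URI match the other rules have.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7e43a019-bbc8-48cc-9687-e11ab494be16"; depth:44; endswith; nocase; http.host; content:"v9rvls59.stack-matrix.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849750/; classtype:trojan-activity;sid:84712850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.59.201"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849748/; classtype:trojan-activity;sid:84712848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.176.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849749/; classtype:trojan-activity;sid:84712849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 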
http.host; content:"182.127.36.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849747/; classtype:trojan-activity;sid:84712847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849746/; classtype:trojan-activity;sid:84712846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.100.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849745/; classtype:trojan-activity;sid:84712845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/861b485c-9477-494f-b5cc-9f770e848a77/google.cl"; depth:47; endswith; nocase; http.host; content:"gardenresourcecontroller.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849744/; classtype:trojan-activity;sid:84712844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.x86"; depth:12; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849743/; classtype:trojan-activity;sid:84712843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3849742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.sh4"; depth:12; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849742/; classtype:trojan-activity;sid:84712842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.sparc"; depth:14; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849738/; classtype:trojan-activity;sid:84712838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.mips"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849739/; classtype:trojan-activity;sid:84712839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.ppc"; depth:12; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849740/; classtype:trojan-activity;sid:84712840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm4"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, 
urlhaus.abuse.ch/url/3849741/; classtype:trojan-activity;sid:84712841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.mpsl"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849737/; classtype:trojan-activity;sid:84712837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.m68k"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849731/; classtype:trojan-activity;sid:84712831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.x86_64"; depth:15; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849732/; classtype:trojan-activity;sid:84712832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm5"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849733/; classtype:trojan-activity;sid:84712833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm6"; 
depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849734/; classtype:trojan-activity;sid:84712834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.arm7"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849735/; classtype:trojan-activity;sid:84712835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heilong.x86_32"; depth:15; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849736/; classtype:trojan-activity;sid:84712836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849730/; classtype:trojan-activity;sid:84712830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/46478205-cd2d-4e2f-b951-4e25b91383f8/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedbotanicalnetwork.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849729/; classtype:trojan-activity;sid:84712829; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.2.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849728/; classtype:trojan-activity;sid:84712828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5e6f0263-23ac-4776-8f0a-6e5c05b1f2e0/google.cl"; depth:47; endswith; nocase; http.host; content:"wildfloraintegrationplatform.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849727/; classtype:trojan-activity;sid:84712827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.4.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849726/; classtype:trojan-activity;sid:84712826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.194.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849725/; classtype:trojan-activity;sid:84712825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.176.54"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_18; reference:url, urlhaus.abuse.ch/url/3849724/; classtype:trojan-activity;sid:84712824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.50.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849723/; classtype:trojan-activity;sid:84712823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.127.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849722/; classtype:trojan-activity;sid:84712822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849721/; classtype:trojan-activity;sid:84712821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.2.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849720/; classtype:trojan-activity;sid:84712820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.56.125.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849719/; classtype:trojan-activity;sid:84712819; rev:1;)
# The line above is the tail of the rule that starts on the previous line of the file.
#
# Review notes (comments only; rule text is unchanged and laid out one rule per line).
# Each rule alerts on an outbound client GET ($HOME_NET -> $EXTERNAL_NET,
# flow:established,from_client) whose URI and Host both equal one listed value:
#   http.uri  - depth:<pattern length> with endswith anchors the pattern at both
#               ends of the buffer; nocase applies to this pattern only.
#   http.host - depth:<pattern length> with isdataat:!1,relative (no byte after
#               the match) anchors the Host value the same way. http.host is the
#               lowercased buffer, so host patterns are written in lowercase.
# A hit identifies one exact URL; the number in msg, the reference URL and the
# sid all point at the same URLhaus entry for triage.
# Coverage caveats: `alert http` fires only on traffic Suricata parses as HTTP
# (cleartext, unless decrypted traffic is supplied), and only the listed
# host/path pairs match. Several entries share a path shape across many
# hostnames (e.g. /<uuid>/google.cl on *.garden), so a new hostname is not
# covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.83.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849717/; classtype:trojan-activity;sid:84712817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.36.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849718/; classtype:trojan-activity;sid:84712818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.194.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849716/; classtype:trojan-activity;sid:84712816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0dd7916b-3437-4def-ab73-94fbe8197288/google.cl"; depth:47; endswith; nocase; http.host; content:"petalworkflowengine.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849715/; classtype:trojan-activity;sid:84712815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.127.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849714/; classtype:trojan-activity;sid:84712814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849713/; classtype:trojan-activity;sid:84712813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.209.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849712/; classtype:trojan-activity;sid:84712812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.255.43.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849711/; classtype:trojan-activity;sid:84712811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8877000e-0057-4a48-84f5-bd5f043f5795/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhousedeploymenthub.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849710/; classtype:trojan-activity;sid:84712810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.22.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849708/; classtype:trojan-activity;sid:84712808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.125.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849709/; classtype:trojan-activity;sid:84712809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.196.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849707/; classtype:trojan-activity;sid:84712807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849706/; classtype:trojan-activity;sid:84712806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.141.195"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849705/; classtype:trojan-activity;sid:84712805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.255.43.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849704/; classtype:trojan-activity;sid:84712804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00802650-7147-4392-b474-28e4506a37ca/google.cl"; depth:47; endswith; nocase; http.host; content:"containerizedgardenhub.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849703/; classtype:trojan-activity;sid:84712803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.48.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849702/; classtype:trojan-activity;sid:84712802; rev:1;)
# NOTE(review): |3f| is a single byte ('?'), so the URI pattern below is 44 bytes,
# while depth:47 equals the length of the escaped text. With endswith, the URI may
# then carry up to 3 bytes before the pattern instead of having to equal it.
# Presumably the generator counts the escape characters; confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=e7282688-6ce3-460b-98b1-b1eabb2fb575"; depth:47; endswith; nocase; http.host; content:"8qxg5lyp.logic-pulse.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849701/; classtype:trojan-activity;sid:84712801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.28.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849700/; classtype:trojan-activity;sid:84712800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a9d9159-edc6-4993-9ece-89288f96bdf9/google.cl"; depth:47; endswith; nocase; http.host; content:"floraautomationnetwork.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849699/; classtype:trojan-activity;sid:84712799; rev:1;)
# NOTE(review): the file name suggests a Mozi-family sample (inferred from the name
# only); the rule shows that this URL was requested, nothing more - check the
# referenced URLhaus entry before drawing conclusions about the requesting host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"219.155.73.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849698/; classtype:trojan-activity;sid:84712798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.123.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849697/; classtype:trojan-activity;sid:84712797; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86b4aab1-6c00-4794-a7bb-8b0204fac9b6/google.cl"; depth:47; endswith; nocase; http.host; content:"meadowmanagementcenter.garden"; depth:29; isdataat:!1,relative; metadata:created_at
2026_05_18; reference:url, urlhaus.abuse.ch/url/3849696/; classtype:trojan-activity;sid:84712796; rev:1;)
# The line above is the tail of the rule that starts on the previous line of the file.
#
# Review notes (comments only; rule text is unchanged and laid out one rule per line).
# Each rule alerts on an outbound client GET ($HOME_NET -> $EXTERNAL_NET,
# flow:established,from_client) whose URI and Host both equal one listed value:
#   http.uri  - depth:<pattern length> with endswith anchors the pattern at both
#               ends of the buffer; nocase applies to this pattern only.
#   http.host - depth:<pattern length> with isdataat:!1,relative (no byte after
#               the match) anchors the Host value the same way. http.host is the
#               lowercased buffer, so host patterns are written in lowercase.
# A hit identifies one exact URL; the number in msg, the reference URL and the
# sid all point at the same URLhaus entry for triage.
# Coverage caveats: `alert http` fires only on traffic Suricata parses as HTTP
# (cleartext, unless decrypted traffic is supplied), and only the listed
# host/path pairs match. Several entries share a path shape across many
# hostnames (e.g. /<uuid>/google.cl or google.ct on *.garden), so a new hostname
# is not covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.80.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849695/; classtype:trojan-activity;sid:84712795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.51.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849694/; classtype:trojan-activity;sid:84712794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1f70915c-5991-4d7a-9c2e-896b60a1099b/google.cl"; depth:47; endswith; nocase; http.host; content:"federatedplantplatform.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849693/; classtype:trojan-activity;sid:84712793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.123.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849692/; classtype:trojan-activity;sid:84712792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.182.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849691/; classtype:trojan-activity;sid:84712791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0a0248a6-256c-4e57-9f7f-bd24961098f9/google.cl"; depth:47; endswith; nocase; http.host; content:"irrigationworkflowsystem.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849690/; classtype:trojan-activity;sid:84712790; rev:1;)
# Six sids in this block pin host 14.46.136.77 (/aarch64, /i686, /x86_64, /arm7,
# /clean, /sh). The per-architecture names suggest one payload set, so correlate
# these alerts by destination rather than handling each sid in isolation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"14.46.136.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849687/; classtype:trojan-activity;sid:84712787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"14.46.136.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849688/; classtype:trojan-activity;sid:84712788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"14.46.136.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849689/; classtype:trojan-activity;sid:84712789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"14.46.136.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849686/; classtype:trojan-activity;sid:84712786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clean"; depth:6; endswith; nocase; http.host; content:"14.46.136.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849685/; classtype:trojan-activity;sid:84712785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.200.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849684/; classtype:trojan-activity;sid:84712784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/390c82e5-0af3-4d91-8666-9ce470fcb3ea/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalanalyticsengine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849683/; classtype:trojan-activity;sid:84712783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9367023a-5e35-4f56-9858-2ebf6ecc57c1/google.ct"; depth:47; endswith; nocase; http.host; content:"botanicalanalyticsengine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849682/; classtype:trojan-activity;sid:84712782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.236.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849681/; classtype:trojan-activity;sid:84712781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5fa3d62a-b327-468f-ad3e-cabf43ab209a/google.ct"; depth:47; endswith; nocase; http.host; content:"botanicalanalyticsengine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849680/; classtype:trojan-activity;sid:84712780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ccf1c79-7867-4fc8-a8c1-6e903f37c843/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalanalyticsengine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849679/; classtype:trojan-activity;sid:84712779; rev:1;)
# NOTE(review): |3f| is a single byte ('?'), so the URI pattern below is 44 bytes,
# while depth:47 equals the length of the escaped text. With endswith, the URI may
# then carry up to 3 bytes before the pattern instead of having to equal it.
# Presumably the generator counts the escape characters; confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b5267948-eb77-4260-b262-dc5dceecfecd"; depth:47; endswith; nocase; http.host; content:"4qm7sqpa.cyber-harbor.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849678/; classtype:trojan-activity;sid:84712778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.236.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849677/; classtype:trojan-activity;sid:84712777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9de94932-1915-4c31-a900-fd0549727fcf/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedmeadownetwork.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849676/; classtype:trojan-activity;sid:84712776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"14.46.136.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849675/; classtype:trojan-activity;sid:84712775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5f921a41-a076-48e3-9408-f77eb4e4609e/google.cl"; depth:47; endswith; nocase; http.host; content:"wildfloraprocessinghub.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849674/; classtype:trojan-activity;sid:84712774; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stego_payload23456.png"; depth:23; endswith;
nocase; http.host; content:"jankop.shop"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849673/; classtype:trojan-activity;sid:84712773; rev:1;)
# The line above is the tail of the rule that starts on the previous line of the file.
#
# Review notes (comments only; rule text is unchanged and laid out one rule per line).
# Each rule alerts on an outbound client GET ($HOME_NET -> $EXTERNAL_NET,
# flow:established,from_client) whose URI and Host both equal one listed value:
#   http.uri  - depth:<pattern length> with endswith anchors the pattern at both
#               ends of the buffer; nocase applies to this pattern only.
#   http.host - depth:<pattern length> with isdataat:!1,relative (no byte after
#               the match) anchors the Host value the same way. http.host is the
#               lowercased buffer, so host patterns are written in lowercase.
# A hit identifies one exact URL; the number in msg, the reference URL and the
# sid all point at the same URLhaus entry for triage.
# Coverage caveats: `alert http` fires only on traffic Suricata parses as HTTP
# (cleartext, unless decrypted traffic is supplied), and only the listed
# host/path pairs match. Several entries share a path shape across many
# hostnames (e.g. /<uuid>/google.cl on *.garden), so a new hostname is not
# covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e16331ef-9a2b-4898-b812-a4a6179d1d7c/google.cl"; depth:47; endswith; nocase; http.host; content:"petalresourceframework.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849672/; classtype:trojan-activity;sid:84712772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.83.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849671/; classtype:trojan-activity;sid:84712771; rev:1;)
# NOTE(review): customer-assets.emergentagent.com (below) and kryptongoofy.lovable.app
# (further down) look like tenant content on shared platforms - assumption, confirm.
# Each rule pins a single object, so keep any blocking at URL level rather than
# extending it to the whole host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/job_addon-central-glazed/artifacts/yzvvrb5k_glazedaddon-1.21.4.jar"; depth:67; endswith; nocase; http.host; content:"customer-assets.emergentagent.com"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849667/; classtype:trojan-activity;sid:84712767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"falseflag1.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849668/; classtype:trojan-activity;sid:84712768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"falseflag1.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849669/; classtype:trojan-activity;sid:84712769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"falseflag1.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849670/; classtype:trojan-activity;sid:84712770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/pjibf.exe"; depth:20; endswith; nocase; http.host; content:"falseflag1.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849664/; classtype:trojan-activity;sid:84712764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kryptonplus.0.10.jar"; depth:21; endswith; nocase; http.host; content:"kryptongoofy.lovable.app"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849665/; classtype:trojan-activity;sid:84712765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/argon_client_1.21.11.jar"; depth:25; endswith; nocase; http.host; content:"argonclient.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849666/; classtype:trojan-activity;sid:84712766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"falseflag1.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849661/; classtype:trojan-activity;sid:84712761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"falseflag1.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849662/; classtype:trojan-activity;sid:84712762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"falseflag1.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849663/; classtype:trojan-activity;sid:84712763; rev:1;)
# NOTE(review): the next two Dropbox rules are unlikely to fire as written - verify
# against the referenced URLhaus entries before relying on them.
#  - |7c|26|7c| decodes to the literal bytes "|26|" (0x7c '2' '6' 0x7c), not to
#    '&' (0x26). This looks like a double-escaped query separator; if the listed
#    URL used '&', the pattern cannot equal the request URI.
#  - depth:118 and depth:124 equal the lengths of the escaped text; the decoded
#    patterns are 103 and 109 bytes.
#  - www.dropbox.com is normally reached over HTTPS, which `alert http` does not
#    see unless decrypted traffic is supplied to the sensor.
# The host is a shared service: treat a hit as a pointer to one object, not as
# grounds for a host-level block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/ecom4qzkheclqn7ml8dng/f175fcc7b1277b.exe|3f|rlkey=jctz6gr5wlpfas8bf48qokzgd|7c|26|7c|st=ur5dn56o|7c|26|7c|dl=1"; depth:118; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849660/; classtype:trojan-activity;sid:84712760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/jabwd47j7zwrjg3p13k1p/installer-acc-v2.1.1.exe|3f|rlkey=w4jpkgch7jjyqq9gu2om4xs8n|7c|26|7c|st=7wlat5pq|7c|26|7c|dl=0"; depth:124; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849659/; classtype:trojan-activity;sid:84712759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a99659e88279685c.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849656/; classtype:trojan-activity;sid:84712756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e0fe7b19c94f5d26.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849657/; classtype:trojan-activity;sid:84712757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_6993d4de4b47e311.cmd"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849658/; classtype:trojan-activity;sid:84712758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849655/; classtype:trojan-activity;sid:84712755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d0f0d0fc-1e26-4e87-a6b9-dbaf7c0c54e7/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhousecontrolplatform.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849654/; classtype:trojan-activity;sid:84712754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.223.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849653/; classtype:trojan-activity;sid:84712753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.80.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849652/; classtype:trojan-activity;sid:84712752; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.115.61"; depth:12; isdataat:!1,relative;
metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849651/; classtype:trojan-activity;sid:84712751; rev:1;)
# The line above is the tail of the rule that starts on the previous line of the file.
#
# Review notes (comments only; rule text is unchanged and laid out one rule per line).
# Each rule alerts on an outbound client GET ($HOME_NET -> $EXTERNAL_NET,
# flow:established,from_client) whose URI and Host both equal one listed value:
#   http.uri  - depth:<pattern length> with endswith anchors the pattern at both
#               ends of the buffer; nocase applies to this pattern only.
#   http.host - depth:<pattern length> with isdataat:!1,relative (no byte after
#               the match) anchors the Host value the same way. http.host is the
#               lowercased buffer, so host patterns are written in lowercase.
# A hit identifies one exact URL; the number in msg, the reference URL and the
# sid all point at the same URLhaus entry for triage.
# Coverage caveats: `alert http` fires only on traffic Suricata parses as HTTP
# (cleartext, unless decrypted traffic is supplied), and only the listed
# host/path pairs match. Several entries share a path shape across many
# hostnames (e.g. /<uuid>/google.cl on *.garden), so a new hostname is not
# covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b4f79dce-a688-485a-b9e8-ef362ea98384/google.cl"; depth:47; endswith; nocase; http.host; content:"containerizedbloomhub.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849650/; classtype:trojan-activity;sid:84712750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.44.208"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849649/; classtype:trojan-activity;sid:84712749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ebe5fb67-e0c5-4f47-8c86-d1e455d31c5a/google.cl"; depth:47; endswith; nocase; http.host; content:"floraanalyticsresource.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849648/; classtype:trojan-activity;sid:84712748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.83.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849647/; classtype:trojan-activity;sid:84712747; rev:1;)
# NOTE(review): |3f| is a single byte ('?'), so the URI pattern below is 44 bytes,
# while depth:47 equals the length of the escaped text. With endswith, the URI may
# then carry up to 3 bytes before the pattern instead of having to equal it.
# Presumably the generator counts the escape characters; confirm upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=da0825f0-5b5c-4507-af13-d94bf2ed77bc"; depth:47; endswith; nocase; http.host; content:"xbgnx37a.byte-lattice.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849646/; classtype:trojan-activity;sid:84712746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849645/; classtype:trojan-activity;sid:84712745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.4.194"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849643/; classtype:trojan-activity;sid:84712743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.44.208"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849644/; classtype:trojan-activity;sid:84712744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f99cdc0c-51dc-4281-aca2-e0da01b3f9cd/google.cl"; depth:47; endswith; nocase; http.host; content:"gardenautomationframework.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849642/; classtype:trojan-activity;sid:84712742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.75.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849641/; classtype:trojan-activity;sid:84712741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.3.245"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849640/; classtype:trojan-activity;sid:84712740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.198.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849639/; classtype:trojan-activity;sid:84712739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0016c2ac-f51d-4b98-8ce2-41f560c990e8/google.cl"; depth:47; endswith; nocase; http.host; content:"federatedmeadowsystem.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849638/; classtype:trojan-activity;sid:84712738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849637/; classtype:trojan-activity;sid:84712737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.75.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849636/; classtype:trojan-activity;sid:84712736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.92.69"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849635/; classtype:trojan-activity;sid:84712735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.224.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849634/; classtype:trojan-activity;sid:84712734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.85.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849633/; classtype:trojan-activity;sid:84712733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2c46855d-8612-4926-be58-d7f8a06aef55/google.cl"; depth:47; endswith; nocase; http.host; content:"irrigationprocessingnetwork.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849632/; classtype:trojan-activity;sid:84712732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.220.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849631/; classtype:trojan-activity;sid:84712731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.198.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849630/; classtype:trojan-activity;sid:84712730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.85.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849629/; classtype:trojan-activity;sid:84712729; rev:1;)
# The rule below continues on the following line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.107.48"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849627/;
classtype:trojan-activity;sid:84712727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.45.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849628/; classtype:trojan-activity;sid:84712728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.224.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849626/; classtype:trojan-activity;sid:84712726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.230.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849625/; classtype:trojan-activity;sid:84712725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71866231-5540-4c9e-9db2-1864b22dc0d8/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalworkflowplatform.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849624/; classtype:trojan-activity;sid:84712724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"60.23.220.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849623/; classtype:trojan-activity;sid:84712723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.159.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849622/; classtype:trojan-activity;sid:84712722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.187.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849621/; classtype:trojan-activity;sid:84712721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.75.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849620/; classtype:trojan-activity;sid:84712720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f4505e3d-0dc7-4573-a2c6-f9c31e11e911/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedgardencontrol.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849619/; classtype:trojan-activity;sid:84712719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3849618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.219.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849618/; classtype:trojan-activity;sid:84712718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.75.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849617/; classtype:trojan-activity;sid:84712717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a48ce5e4-ef46-472e-b5ca-33442e983f70/google.cl"; depth:47; endswith; nocase; http.host; content:"wildfloraresourceengine.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849616/; classtype:trojan-activity;sid:84712716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=1a53cb6a-e65f-4b16-aa88-705ca0f267bc"; depth:47; endswith; nocase; http.host; content:"0h5smwzp.network-forge.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849615/; classtype:trojan-activity;sid:84712715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.187.167"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_05_18; reference:url, urlhaus.abuse.ch/url/3849614/; classtype:trojan-activity;sid:84712714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.208.112.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849613/; classtype:trojan-activity;sid:84712713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b41a4d09-899c-466a-9317-e4de33c6c66d/google.cl"; depth:47; endswith; nocase; http.host; content:"petaldistributioncenter.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849612/; classtype:trojan-activity;sid:84712712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.219.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849611/; classtype:trojan-activity;sid:84712711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.103.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849610/; classtype:trojan-activity;sid:84712710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849609)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.61.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849609/; classtype:trojan-activity;sid:84712709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.35.41"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849608/; classtype:trojan-activity;sid:84712708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/923c0c1b-e6a3-42fa-a7b3-b6edd95cdab5/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhousemonitoringhub.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849607/; classtype:trojan-activity;sid:84712707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.208.112.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849606/; classtype:trojan-activity;sid:84712706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.85.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849605/; classtype:trojan-activity;sid:84712705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3849604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.41.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849604/; classtype:trojan-activity;sid:84712704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849603/; classtype:trojan-activity;sid:84712703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8a655712-da7d-465f-bab3-6abed05ce64f/google.cl"; depth:47; endswith; nocase; http.host; content:"ecosystem-processing-tienginx-center.garden"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849602/; classtype:trojan-activity;sid:84712702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.49.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849601/; classtype:trojan-activity;sid:84712701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.81.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; 
reference:url, urlhaus.abuse.ch/url/3849600/; classtype:trojan-activity;sid:84712700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.35.41"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849599/; classtype:trojan-activity;sid:84712699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849598/; classtype:trojan-activity;sid:84712698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.152.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849597/; classtype:trojan-activity;sid:84712697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.229.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849595/; classtype:trojan-activity;sid:84712695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"182.117.85.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849596/; classtype:trojan-activity;sid:84712696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c6376c7e-448e-4b8d-9cdb-b3de0f6fdd5a/google.cl"; depth:47; endswith; nocase; http.host; content:"mongofly-container-gard-mesh.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849594/; classtype:trojan-activity;sid:84712694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.41.228"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849593/; classtype:trojan-activity;sid:84712693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.152.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849592/; classtype:trojan-activity;sid:84712692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8f9c1eec-d56f-4a79-8274-ad9c72dbc6c4/google.cl"; depth:47; endswith; nocase; http.host; content:"docsfan-flora-ability-system.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849591/; classtype:trojan-activity;sid:84712691; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.81.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849590/; classtype:trojan-activity;sid:84712690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.229.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849588/; classtype:trojan-activity;sid:84712688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.191.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849589/; classtype:trojan-activity;sid:84712689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.113.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849587/; classtype:trojan-activity;sid:84712687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.238.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, 
urlhaus.abuse.ch/url/3849586/; classtype:trojan-activity;sid:84712686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.48.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849585/; classtype:trojan-activity;sid:84712685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"163.142.85.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849584/; classtype:trojan-activity;sid:84712684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.73.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849583/; classtype:trojan-activity;sid:84712683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=134179f0-63ef-4cd2-beb8-2b558468e035"; depth:47; endswith; nocase; http.host; content:"jmaeciy3.signal-vault.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849582/; classtype:trojan-activity;sid:84712682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849581)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bb6a394e-a9a3-44b4-869b-3dfcadff9c9b/google.cl"; depth:47; endswith; nocase; http.host; content:"vbytelot-mead-automation-form.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849581/; classtype:trojan-activity;sid:84712681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.203.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849580/; classtype:trojan-activity;sid:84712680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.232.0.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849579/; classtype:trojan-activity;sid:84712679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.109.120"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849578/; classtype:trojan-activity;sid:84712678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4d1f470b-683a-4684-9ccf-a1b638857924/google.cl"; depth:47; endswith; nocase; http.host; content:"porthot-irr-gation-menthub.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849577/; 
classtype:trojan-activity;sid:84712677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.150.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849576/; classtype:trojan-activity;sid:84712676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.11.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849575/; classtype:trojan-activity;sid:84712675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.246.16.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849574/; classtype:trojan-activity;sid:84712674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.232.0.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849573/; classtype:trojan-activity;sid:84712673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.102.156"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849572/; classtype:trojan-activity;sid:84712672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.150.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849571/; classtype:trojan-activity;sid:84712671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f8f0cd9b-8b2c-47dc-909b-871f5280ff51/google.cl"; depth:47; endswith; nocase; http.host; content:"radiopin-botn-monitor-in-gengine.garden"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849570/; classtype:trojan-activity;sid:84712670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.246.16.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849569/; classtype:trojan-activity;sid:84712669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.73.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849568/; classtype:trojan-activity;sid:84712668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849567)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.11.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849567/; classtype:trojan-activity;sid:84712667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.141.150.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849566/; classtype:trojan-activity;sid:84712666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.102.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849565/; classtype:trojan-activity;sid:84712665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/858c81bc-73a7-4c9a-b64e-8c7237717514/google.cl"; depth:47; endswith; nocase; http.host; content:"pcapshay-bute-gard-source.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849564/; classtype:trojan-activity;sid:84712664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.163.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849563/; classtype:trojan-activity;sid:84712663; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.212.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849562/; classtype:trojan-activity;sid:84712662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849561/; classtype:trojan-activity;sid:84712661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.241.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849559/; classtype:trojan-activity;sid:84712659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.163.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849560/; classtype:trojan-activity;sid:84712660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.m68k"; depth:17; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_18; reference:url, urlhaus.abuse.ch/url/3849546/; classtype:trojan-activity;sid:84712646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.riscv32"; depth:20; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849547/; classtype:trojan-activity;sid:84712647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.riscv64"; depth:20; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849548/; classtype:trojan-activity;sid:84712648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.mips"; depth:17; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849549/; classtype:trojan-activity;sid:84712649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.loongarch64"; depth:24; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849550/; classtype:trojan-activity;sid:84712650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849551)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bins/vaxbot.x86_64"; depth:19; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849551/; classtype:trojan-activity;sid:84712651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.sh2"; depth:16; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849552/; classtype:trojan-activity;sid:84712652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.sh4"; depth:16; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849553/; classtype:trojan-activity;sid:84712653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.or1k"; depth:17; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849554/; classtype:trojan-activity;sid:84712654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.powerpc"; depth:20; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849555/; classtype:trojan-activity;sid:84712655; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.i386"; depth:17; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849556/; classtype:trojan-activity;sid:84712656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.aarch64"; depth:20; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849557/; classtype:trojan-activity;sid:84712657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/vaxbot.microblaze"; depth:23; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849558/; classtype:trojan-activity;sid:84712658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a195fa1d-8a71-4713-a1e1-823544121503/google.cl"; depth:47; endswith; nocase; http.host; content:"wilder-flow-work-lmsystem.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849545/; classtype:trojan-activity;sid:84712645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.91.26"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849544/; classtype:trojan-activity;sid:84712644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.71.28.44"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849543/; classtype:trojan-activity;sid:84712643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_24308024a80d8cad.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849542/; classtype:trojan-activity;sid:84712642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849541/; classtype:trojan-activity;sid:84712641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arc"; depth:10; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849540/; classtype:trojan-activity;sid:84712640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849539)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.ppc"; depth:23; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849539/; classtype:trojan-activity;sid:84712639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86"; depth:10; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849537/; classtype:trojan-activity;sid:84712637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849538/; classtype:trojan-activity;sid:84712638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.i686"; depth:11; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849536/; classtype:trojan-activity;sid:84712636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm5"; depth:11; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849531/; 
classtype:trojan-activity;sid:84712631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86_64"; depth:13; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849532/; classtype:trojan-activity;sid:84712632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.sh"; depth:6; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849533/; classtype:trojan-activity;sid:84712633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm5"; depth:11; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849534/; classtype:trojan-activity;sid:84712634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/c.sh"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849535/; classtype:trojan-activity;sid:84712635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.ppc"; depth:10; endswith; nocase; 
http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849527/; classtype:trojan-activity;sid:84712627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.m68k"; depth:24; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849528/; classtype:trojan-activity;sid:84712628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849529/; classtype:trojan-activity;sid:84712629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849530/; classtype:trojan-activity;sid:84712630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849523/; classtype:trojan-activity;sid:84712623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3849524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssai486"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849524/; classtype:trojan-activity;sid:84712624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849525/; classtype:trojan-activity;sid:84712625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849526/; classtype:trojan-activity;sid:84712626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849513/; classtype:trojan-activity;sid:84712613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.sh4"; depth:10; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849514/; 
classtype:trojan-activity;sid:84712614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86_64"; depth:13; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849515/; classtype:trojan-activity;sid:84712615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849516/; classtype:trojan-activity;sid:84712616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849517/; classtype:trojan-activity;sid:84712617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.sh"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849518/; classtype:trojan-activity;sid:84712618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/sh4"; depth:7; endswith; nocase; http.host; content:"9z.wtf"; 
depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849519/; classtype:trojan-activity;sid:84712619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssappc"; depth:10; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849520/; classtype:trojan-activity;sid:84712620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mpsl"; depth:11; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849521/; classtype:trojan-activity;sid:84712621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849522/; classtype:trojan-activity;sid:84712622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p.sh"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849505/; classtype:trojan-activity;sid:84712605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849506)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849506/; classtype:trojan-activity;sid:84712606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.ppc"; depth:10; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849507/; classtype:trojan-activity;sid:84712607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm5"; depth:24; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849508/; classtype:trojan-activity;sid:84712608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w.sh"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849509/; classtype:trojan-activity;sid:84712609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.m68k"; depth:11; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849510/; 
classtype:trojan-activity;sid:84712610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849511/; classtype:trojan-activity;sid:84712611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr.sh"; depth:7; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849512/; classtype:trojan-activity;sid:84712612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.sh4"; depth:23; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849499/; classtype:trojan-activity;sid:84712599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/lterouter"; depth:13; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849500/; classtype:trojan-activity;sid:84712600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm"; depth:10; endswith; nocase; http.host; 
content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849501/; classtype:trojan-activity;sid:84712601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849502/; classtype:trojan-activity;sid:84712602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849503/; classtype:trojan-activity;sid:84712603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/x86_64"; depth:10; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849504/; classtype:trojan-activity;sid:84712604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849497/; classtype:trojan-activity;sid:84712597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849498)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849498/; classtype:trojan-activity;sid:84712598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssai586"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849495/; classtype:trojan-activity;sid:84712595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm"; depth:10; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849496/; classtype:trojan-activity;sid:84712596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm5"; depth:11; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849493/; classtype:trojan-activity;sid:84712593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849494/; 
classtype:trojan-activity;sid:84712594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm6"; depth:15; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849491/; classtype:trojan-activity;sid:84712591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g"; depth:2; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849492/; classtype:trojan-activity;sid:84712592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm6"; depth:11; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849486/; classtype:trojan-activity;sid:84712586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm"; depth:10; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849487/; classtype:trojan-activity;sid:84712587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssamips"; depth:11; endswith; nocase; http.host; 
content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849488/; classtype:trojan-activity;sid:84712588; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules below (all carry created_at 2026_05_18).
#
# Layout: this part of the file had been wrapped in the middle of rules. The
# rules are restored to one per line, which Suricata needs unless a line is
# continued with a backslash. The line above is the tail of the rule for
# URLhaus entry 3849488; the last line of this section is the head of a rule
# that continues past it.
#
# Match logic shared by every rule here:
#   - flow:established,from_client with http.method "GET": only client GET
#     requests on an established flow, going from $HOME_NET to $EXTERNAL_NET.
#   - http.uri content with depth equal to the string length, plus endswith:
#     the URI buffer has to equal the listed path exactly (nocase makes the
#     comparison case-insensitive). The same path with a query string or an
#     extra segment appended does not match.
#   - http.host content with depth equal to the string length, plus
#     isdataat:!1,relative: the host buffer has to equal the listed name
#     exactly, so a longer name sharing the prefix does not match.
#   - The number in msg and in the reference URL is the URLhaus entry id; in
#     these rules sid is that id plus 80863100.
#
# Coverage limits to keep in mind when relying on these entries:
#   - Only parsed HTTP is inspected. A fetch from the same host over TLS is
#     not seen by these rules; pair them with DNS, TLS SNI or proxy-log
#     matching on the hostnames.
#   - $HOME_NET and $EXTERNAL_NET have to reflect the real address plan,
#     otherwise the direction filter silently excludes traffic.
#   - An alert records that an internal host requested a listed URL. It does
#     not show that a payload was returned or run; triage with the HTTP
#     response and endpoint telemetry.
#   - Several hostnames sit under what appear to be dynamic-DNS parent domains
#     (duckdns.org, anondns.net) and can be re-pointed at any time; treat the
#     entries as time-bound and keep the ruleset refreshed rather than pinned.
#   - NOTE(review): many URI names look like per-architecture builds (arm6,
#     mpsl, m68k, x86_64), so alerting sources are presumably embedded Linux
#     devices - confirm during triage.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.i686"; depth:11; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849489/; classtype:trojan-activity;sid:84712589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bee"; depth:4; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849490/; classtype:trojan-activity;sid:84712590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm6"; depth:11; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849482/; classtype:trojan-activity;sid:84712582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849483/; classtype:trojan-activity;sid:84712583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849484/; classtype:trojan-activity;sid:84712584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849485/; classtype:trojan-activity;sid:84712585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849479/; classtype:trojan-activity;sid:84712579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849480/; classtype:trojan-activity;sid:84712580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssampsl"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849481/; classtype:trojan-activity;sid:84712581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arc"; depth:23; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849473/; classtype:trojan-activity;sid:84712573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewx86"; depth:14; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849474/; classtype:trojan-activity;sid:84712574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849475/; classtype:trojan-activity;sid:84712575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849476/; classtype:trojan-activity;sid:84712576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv7l"; depth:10; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849477/; classtype:trojan-activity;sid:84712577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm5"; depth:15; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849478/; classtype:trojan-activity;sid:84712578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86"; depth:10; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849464/; classtype:trojan-activity;sid:84712564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arc"; depth:10; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849465/; classtype:trojan-activity;sid:84712565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849466/; classtype:trojan-activity;sid:84712566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/aarch64"; depth:11; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849467/; classtype:trojan-activity;sid:84712567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849468/; classtype:trojan-activity;sid:84712568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaarm5"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849469/; classtype:trojan-activity;sid:84712569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.spc"; depth:10; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849470/; classtype:trojan-activity;sid:84712570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewx8664"; depth:16; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849471/; classtype:trojan-activity;sid:84712571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.spc"; depth:10; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849472/; classtype:trojan-activity;sid:84712572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm6"; depth:24; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849460/; classtype:trojan-activity;sid:84712560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mpsl"; depth:24; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849461/; classtype:trojan-activity;sid:84712561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.i686"; depth:11; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849462/; classtype:trojan-activity;sid:84712562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849463/; classtype:trojan-activity;sid:84712563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm7"; depth:11; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849458/; classtype:trojan-activity;sid:84712558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr"; depth:4; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849459/; classtype:trojan-activity;sid:84712559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.spc"; depth:10; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849454/; classtype:trojan-activity;sid:84712554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849455/; classtype:trojan-activity;sid:84712555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mpsl"; depth:11; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849456/; classtype:trojan-activity;sid:84712556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86"; depth:10; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849457/; classtype:trojan-activity;sid:84712557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849449/; classtype:trojan-activity;sid:84712549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86"; depth:23; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849450/; classtype:trojan-activity;sid:84712550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arc"; depth:10; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849451/; classtype:trojan-activity;sid:84712551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849452/; classtype:trojan-activity;sid:84712552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849453/; classtype:trojan-activity;sid:84712553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssai686"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849447/; classtype:trojan-activity;sid:84712547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysupdate.sh"; depth:13; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849448/; classtype:trojan-activity;sid:84712548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mips"; depth:24; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849446/; classtype:trojan-activity;sid:84712546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn"; depth:3; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849441/; classtype:trojan-activity;sid:84712541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86_64"; depth:26; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849442/; classtype:trojan-activity;sid:84712542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaarm6"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849443/; classtype:trojan-activity;sid:84712543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86_64"; depth:13; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849444/; classtype:trojan-activity;sid:84712544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm/"; depth:5; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849445/; classtype:trojan-activity;sid:84712545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849438/; classtype:trojan-activity;sid:84712538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.sh4"; depth:10; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849439/; classtype:trojan-activity;sid:84712539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massload"; depth:9; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849440/; classtype:trojan-activity;sid:84712540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849436/; classtype:trojan-activity;sid:84712536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849437/; classtype:trojan-activity;sid:84712537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849430/; classtype:trojan-activity;sid:84712530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849431/; classtype:trojan-activity;sid:84712531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.m68k"; depth:11; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849432/; classtype:trojan-activity;sid:84712532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849433/; classtype:trojan-activity;sid:84712533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.sh"; depth:6; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849434/; classtype:trojan-activity;sid:84712534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl.sh"; depth:8; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849435/; classtype:trojan-activity;sid:84712535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.m68k"; depth:11; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849422/; classtype:trojan-activity;sid:84712522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849423/; classtype:trojan-activity;sid:84712523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mips"; depth:11; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849424/; classtype:trojan-activity;sid:84712524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"isellchildren.online"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849425/; classtype:trojan-activity;sid:84712525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssam68k"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849426/; classtype:trojan-activity;sid:84712526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm7"; depth:11; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849427/; classtype:trojan-activity;sid:84712527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mpsl"; depth:11; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849428/; classtype:trojan-activity;sid:84712528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849429/; classtype:trojan-activity;sid:84712529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm"; depth:23; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849417/; classtype:trojan-activity;sid:84712517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849418/; classtype:trojan-activity;sid:84712518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.sh4"; depth:10; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849419/; classtype:trojan-activity;sid:84712519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm4"; depth:15; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849420/; classtype:trojan-activity;sid:84712520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849421/; classtype:trojan-activity;sid:84712521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mips"; depth:11; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849410/; classtype:trojan-activity;sid:84712510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849411/; classtype:trojan-activity;sid:84712511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/amd64"; depth:11; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849412/; classtype:trojan-activity;sid:84712512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mips"; depth:11; endswith; nocase; http.host; content:"zupreme-qbot.duckdns.org"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849413/; classtype:trojan-activity;sid:84712513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp.sh"; depth:8; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849414/; classtype:trojan-activity;sid:84712514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm6"; depth:11; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849415/; classtype:trojan-activity;sid:84712515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv5l"; depth:10; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849416/; classtype:trojan-activity;sid:84712516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849404/; classtype:trojan-activity;sid:84712504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"zyrec2.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849405/; classtype:trojan-activity;sid:84712505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm7"; depth:24; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849406/; classtype:trojan-activity;sid:84712506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/m68k"; depth:8; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849407/; classtype:trojan-activity;sid:84712507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849408/; classtype:trojan-activity;sid:84712508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mips"; depth:8; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849409/; classtype:trojan-activity;sid:84712509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv4l"; depth:10; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849402/; classtype:trojan-activity;sid:84712502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i686"; depth:24; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849403/; classtype:trojan-activity;sid:84712503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.spc"; depth:23; endswith; nocase; http.host; content:"newenewmew.duckdns.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849400/; classtype:trojan-activity;sid:84712500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaarm7"; depth:11; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849401/; classtype:trojan-activity;sid:84712501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewmpsl"; depth:15; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849390/; classtype:trojan-activity;sid:84712490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849391/; classtype:trojan-activity;sid:84712491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssh.sh"; depth:7; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849392/; classtype:trojan-activity;sid:84712492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c"; depth:2; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849393/; classtype:trojan-activity;sid:84712493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.sh"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849394/; classtype:trojan-activity;sid:84712494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.ppc"; depth:10; endswith; nocase; http.host; content:"fucker1.duckdns.org"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849395/; classtype:trojan-activity;sid:84712495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.sh"; depth:6; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849396/; classtype:trojan-activity;sid:84712496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/tbk"; depth:7; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849397/; classtype:trojan-activity;sid:84712497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tp"; depth:3; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849398/; classtype:trojan-activity;sid:84712498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm7"; depth:11; endswith; nocase; http.host; content:"boatdome.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849399/; classtype:trojan-activity;sid:84712499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET
any (msg:"URLhaus Known malware download URL detected (3849388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849388/; classtype:trojan-activity;sid:84712488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wget.sh"; depth:13; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849389/; classtype:trojan-activity;sid:84712489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewmips"; depth:15; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849382/; classtype:trojan-activity;sid:84712482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/x86"; depth:7; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849383/; classtype:trojan-activity;sid:84712483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; 
reference:url, urlhaus.abuse.ch/url/3849384/; classtype:trojan-activity;sid:84712484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyssaanewarm7"; depth:15; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849385/; classtype:trojan-activity;sid:84712485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849386/; classtype:trojan-activity;sid:84712486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849387/; classtype:trojan-activity;sid:84712487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/armv6l"; depth:10; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849376/; classtype:trojan-activity;sid:84712476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; 
http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849377/; classtype:trojan-activity;sid:84712477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/mpsl"; depth:8; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849378/; classtype:trojan-activity;sid:84712478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849379/; classtype:trojan-activity;sid:84712479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2/ppc"; depth:7; endswith; nocase; http.host; content:"9z.wtf"; depth:6; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849380/; classtype:trojan-activity;sid:84712480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"cliftycreek.anondns.net"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849381/; classtype:trojan-activity;sid:84712481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849375)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/alyssaarm"; depth:10; endswith; nocase; http.host; content:"gigs.us.1e.cm"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849375/; classtype:trojan-activity;sid:84712475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6466cab1-314e-4349-af6c-a39360851245/google.cl"; depth:47; endswith; nocase; http.host; content:"slashbob-distrib-plat-form.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849374/; classtype:trojan-activity;sid:84712474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.212.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849373/; classtype:trojan-activity;sid:84712473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.110.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849372/; classtype:trojan-activity;sid:84712472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=fc05ce2f-285a-4100-b353-4038908b481e"; depth:47; endswith; nocase; http.host; content:"q41liphc.packet-vector.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, 
urlhaus.abuse.ch/url/3849371/; classtype:trojan-activity;sid:84712471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.54.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849370/; classtype:trojan-activity;sid:84712470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2affdbb2-9683-4155-a1c1-df08222b9e33/google.cl"; depth:47; endswith; nocase; http.host; content:"zoneday-green-house-oper-center.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849369/; classtype:trojan-activity;sid:84712469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"207.244.199.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849368/; classtype:trojan-activity;sid:84712468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"207.244.199.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849364/; classtype:trojan-activity;sid:84712464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849365)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"207.244.199.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849365/; classtype:trojan-activity;sid:84712465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"207.244.199.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849366/; classtype:trojan-activity;sid:84712466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"207.244.199.251"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849367/; classtype:trojan-activity;sid:84712467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.71.28.44"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849363/; classtype:trojan-activity;sid:84712463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.110.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849362/; classtype:trojan-activity;sid:84712462; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.91.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849361/; classtype:trojan-activity;sid:84712461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.42.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849360/; classtype:trojan-activity;sid:84712460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.168.0.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849359/; classtype:trojan-activity;sid:84712459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.79.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849358/; classtype:trojan-activity;sid:84712458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/866dd8fb-f069-4f96-9e5b-fb881ed8dfb3/google.cl"; depth:47; endswith; nocase; http.host; content:"ecosystemmanagementcore.garden"; depth:30; isdataat:!1,relative; 
metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849357/; classtype:trojan-activity;sid:84712457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.225.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849356/; classtype:trojan-activity;sid:84712456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.168.0.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849355/; classtype:trojan-activity;sid:84712455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.42.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849354/; classtype:trojan-activity;sid:84712454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.101.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849353/; classtype:trojan-activity;sid:84712453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849352)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/b534554c-b2e0-4a56-808c-ce67ce9fc6e9/google.cl"; depth:47; endswith; nocase; http.host; content:"containerizedplantnetwork.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849352/; classtype:trojan-activity;sid:84712452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849351/; classtype:trojan-activity;sid:84712451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.149.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849350/; classtype:trojan-activity;sid:84712450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f67f9750-2112-4f5b-9256-2fb061a9277b/google.cl"; depth:47; endswith; nocase; http.host; content:"floraanalyticsengine.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849349/; classtype:trojan-activity;sid:84712449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.205.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849348/; 
classtype:trojan-activity;sid:84712448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.170.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849347/; classtype:trojan-activity;sid:84712447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.157.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849346/; classtype:trojan-activity;sid:84712446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7b9570f9-d9cc-471b-9d8c-f385b355123a/google.cl"; depth:47; endswith; nocase; http.host; content:"meadowmonitoringplatform.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849345/; classtype:trojan-activity;sid:84712445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.159.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849344/; classtype:trojan-activity;sid:84712444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"219.156.63.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849343/; classtype:trojan-activity;sid:84712443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.205.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849342/; classtype:trojan-activity;sid:84712442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.68.160.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849341/; classtype:trojan-activity;sid:84712441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.254.245"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849340/; classtype:trojan-activity;sid:84712440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.254.245"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849339/; classtype:trojan-activity;sid:84712439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849338)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.21.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849338/; classtype:trojan-activity;sid:84712438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.170.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849337/; classtype:trojan-activity;sid:84712437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c57f7c-dcd4-4058-b88c-654819a34ef4/google.cl"; depth:47; endswith; nocase; http.host; content:"irrigationautomationhub.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849336/; classtype:trojan-activity;sid:84712436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.172.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849335/; classtype:trojan-activity;sid:84712435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=710960bf-19e3-4f4a-9473-5a563ddb6fef"; depth:47; endswith; nocase; http.host; content:"c2rdcpuv.runtime-sphere.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849334/; 
classtype:trojan-activity;sid:84712434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.194.151.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849333/; classtype:trojan-activity;sid:84712433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.23.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849332/; classtype:trojan-activity;sid:84712432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7b8b9930-7862-48e9-8210-75ad0f6ab291/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalworkflowcenter.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849331/; classtype:trojan-activity;sid:84712431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.21.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849330/; classtype:trojan-activity;sid:84712430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"27.194.151.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849329/; classtype:trojan-activity;sid:84712429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.68.160.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849328/; classtype:trojan-activity;sid:84712428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.100.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849327/; classtype:trojan-activity;sid:84712427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.230.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849326/; classtype:trojan-activity;sid:84712426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/77f346b3-5103-4609-bdb5-2cbe9ec26f65/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedgrowthnetwork.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849325/; classtype:trojan-activity;sid:84712425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3849324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"71.207.128.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849324/; classtype:trojan-activity;sid:84712424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.220.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849323/; classtype:trojan-activity;sid:84712423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8480df5c5489df4a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849322/; classtype:trojan-activity;sid:84712422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.105.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849321/; classtype:trojan-activity;sid:84712421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/09a62705-f6fb-491b-9a0f-0992c7fe8e8a/google.cl"; depth:47; endswith; nocase; http.host; content:"wildfloracontrolsystem.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; 
reference:url, urlhaus.abuse.ch/url/3849320/; classtype:trojan-activity;sid:84712420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.166.2.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849319/; classtype:trojan-activity;sid:84712419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.169.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849318/; classtype:trojan-activity;sid:84712418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.91.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849317/; classtype:trojan-activity;sid:84712417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.121.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849316/; classtype:trojan-activity;sid:84712416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.122.3"; 
depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849315/; classtype:trojan-activity;sid:84712415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb173cbf-a417-4bb3-a8bb-90c095caa7a3/google.cl"; depth:47; endswith; nocase; http.host; content:"petalprocessingplatform.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849314/; classtype:trojan-activity;sid:84712414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849313/; classtype:trojan-activity;sid:84712413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"119.157.76.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849311/; classtype:trojan-activity;sid:84712411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/primemic_v2.10_setup.rar"; depth:25; endswith; nocase; http.host; content:"primemic.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849312/; classtype:trojan-activity;sid:84712412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3849310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"42.239.189.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849310/; classtype:trojan-activity;sid:84712410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vo2mqkiwwqfy5hvg06az.png"; depth:25; endswith; nocase; http.host; content:"crackedsoftware.doxbin.cy"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849309/; classtype:trojan-activity;sid:84712409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849295/; classtype:trojan-activity;sid:84712395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849296/; classtype:trojan-activity;sid:84712396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849297/; classtype:trojan-activity;sid:84712397; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849298/; classtype:trojan-activity;sid:84712398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849299/; classtype:trojan-activity;sid:84712399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server"; depth:7; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849300/; classtype:trojan-activity;sid:84712400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849301/; classtype:trojan-activity;sid:84712401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; 
reference:url, urlhaus.abuse.ch/url/3849302/; classtype:trojan-activity;sid:84712402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849303/; classtype:trojan-activity;sid:84712403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849304/; classtype:trojan-activity;sid:84712404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849305/; classtype:trojan-activity;sid:84712405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849306/; classtype:trojan-activity;sid:84712406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; 
content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849308/; classtype:trojan-activity;sid:84712408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849285/; classtype:trojan-activity;sid:84712385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849286/; classtype:trojan-activity;sid:84712386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849287/; classtype:trojan-activity;sid:84712387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849288/; classtype:trojan-activity;sid:84712388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849289)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849289/; classtype:trojan-activity;sid:84712389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849290/; classtype:trojan-activity;sid:84712390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849291/; classtype:trojan-activity;sid:84712391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849292/; classtype:trojan-activity;sid:84712392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849293/; classtype:trojan-activity;sid:84712393; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849277/; classtype:trojan-activity;sid:84712377; rev:1;)
# Rule shape used throughout this file: GET + http.uri content with depth equal to the pattern length
# plus endswith (whole-URI match, case-insensitive via nocase) + http.host content with depth and
# isdataat:!1,relative (whole-Host match). Each rule therefore identifies one URL, not a host or a path family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849278/; classtype:trojan-activity;sid:84712378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849279/; classtype:trojan-activity;sid:84712379; rev:1;)
# NOTE(review): sid 84712380 keys on http.host "github.com", a shared hosting platform. The 65-byte URI
# pattern with depth:65 + endswith pins one exact file path, so other content on that host does not match.
# As an `alert http` rule it only fires when the request is visible to the sensor as cleartext HTTP
# (or after TLS interception); the same path fetched over HTTPS never populates http.uri/http.host.
# Coverage for the HTTPS case has to come from proxy or endpoint telemetry, not from this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atilabyte-a11y/atila_worm_2/raw/refs/heads/main/down_procwork.sh"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849280/; classtype:trojan-activity;sid:84712380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; 
isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849281/; classtype:trojan-activity;sid:84712381; rev:1;)
# NOTE(review): sid 84712382 — inside a content string, |..| delimits hex bytes, so `|7c|26|7c|`
# decodes to the four literal characters |26| and not to a single 0x26 ('&'). This looks like '&' was
# hex-escaped and the resulting pipes were then escaped a second time (TODO confirm against the
# URLhaus entry). If so, the pattern cannot match a request whose query string uses '&' separators,
# and the rule is effectively dead.
# depth:124 equals the length of the escaped text; the decoded pattern is shorter, so depth does not
# pin the start of the URI here.
# As an `alert http` rule it also requires the request to be visible as cleartext HTTP (or after TLS
# interception); a download of this path over HTTPS is not seen by the http.uri/http.host buffers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/n1i0yjjgq8go6ai51tncy/installer-acc-v2.3.1.exe|3f|rlkey=ykxuf1njlfzkib4e28dpk8yy3|7c|26|7c|st=ip51m235|7c|26|7c|dl=0"; depth:124; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849282/; classtype:trojan-activity;sid:84712382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849283/; classtype:trojan-activity;sid:84712383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849284/; classtype:trojan-activity;sid:84712384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849275/; classtype:trojan-activity;sid:84712375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3849276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"botnet.fizra.biz.id"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849276/; classtype:trojan-activity;sid:84712376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849271/; classtype:trojan-activity;sid:84712371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849272/; classtype:trojan-activity;sid:84712372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deploy-client-v2.sh"; depth:20; endswith; nocase; http.host; content:"64.7.199.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849273/; classtype:trojan-activity;sid:84712373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.199.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, 
urlhaus.abuse.ch/url/3849274/; classtype:trojan-activity;sid:84712374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_5002ecd7b717fe68.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849268/; classtype:trojan-activity;sid:84712368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849269/; classtype:trojan-activity;sid:84712369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"hardenedpeanits.fyi"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849270/; classtype:trojan-activity;sid:84712370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set.zip"; depth:8; endswith; nocase; http.host; content:"167.88.167.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849266/; classtype:trojan-activity;sid:84712366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supercool.zip"; 
depth:14; endswith; nocase; http.host; content:"167.88.167.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849267/; classtype:trojan-activity;sid:84712367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.169.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849265/; classtype:trojan-activity;sid:84712365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.220.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849264/; classtype:trojan-activity;sid:84712364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm5"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849263/; classtype:trojan-activity;sid:84712363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.sh4"; depth:23; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849261/; classtype:trojan-activity;sid:84712361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3849262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86"; depth:23; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849262/; classtype:trojan-activity;sid:84712362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7909b3c-71ec-402a-a302-d1a1219bbcb2/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhouseresourceengine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849260/; classtype:trojan-activity;sid:84712360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.spc"; depth:23; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849259/; classtype:trojan-activity;sid:84712359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i686"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849249/; classtype:trojan-activity;sid:84712349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm6"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849250/; classtype:trojan-activity;sid:84712350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.ppc"; depth:23; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849251/; classtype:trojan-activity;sid:84712351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mips"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849252/; classtype:trojan-activity;sid:84712352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.mpsl"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849253/; classtype:trojan-activity;sid:84712353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm7"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849254/; classtype:trojan-activity;sid:84712354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849255)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arc"; depth:23; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849255/; classtype:trojan-activity;sid:84712355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.arm"; depth:23; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849256/; classtype:trojan-activity;sid:84712356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.m68k"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849257/; classtype:trojan-activity;sid:84712357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.x86_64"; depth:26; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849258/; classtype:trojan-activity;sid:84712358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windyloveyou/windy.i468"; depth:24; endswith; nocase; http.host; content:"82.223.44.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, 
urlhaus.abuse.ch/url/3849248/; classtype:trojan-activity;sid:84712348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.50.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849247/; classtype:trojan-activity;sid:84712347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.252.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849246/; classtype:trojan-activity;sid:84712346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.166.2.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849245/; classtype:trojan-activity;sid:84712345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849244/; classtype:trojan-activity;sid:84712344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.12.61"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849243/; classtype:trojan-activity;sid:84712343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fc2eaa45-7fec-4923-aa7a-e70e45be15e4/google.cl"; depth:47; endswith; nocase; http.host; content:"primordial-soup-evolution.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849242/; classtype:trojan-activity;sid:84712342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.50.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849241/; classtype:trojan-activity;sid:84712341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.163.187.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849240/; classtype:trojan-activity;sid:84712340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.252.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849239/; classtype:trojan-activity;sid:84712339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849238)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=e3825dc8-6d8f-4801-a3e8-f58da175d997"; depth:47; endswith; nocase; http.host; content:"k9h20m23.observability-matrix.digital"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849238/; classtype:trojan-activity;sid:84712338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.252.199.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849237/; classtype:trojan-activity;sid:84712337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1fa4263-ad4d-4996-902e-9b346fa63d07/google.cl"; depth:47; endswith; nocase; http.host; content:"subdermal-biometric-chip.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849236/; classtype:trojan-activity;sid:84712336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.186.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849235/; classtype:trojan-activity;sid:84712335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.126.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; 
reference:url, urlhaus.abuse.ch/url/3849234/; classtype:trojan-activity;sid:84712334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849232/; classtype:trojan-activity;sid:84712332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.224.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849233/; classtype:trojan-activity;sid:84712333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.73.17.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849231/; classtype:trojan-activity;sid:84712331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a30f94b7-274c-4a43-a0d2-addcee28e4ad/google.cl"; depth:47; endswith; nocase; http.host; content:"renaissance-fresco-restoration.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849230/; classtype:trojan-activity;sid:84712330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849229)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.186.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849229/; classtype:trojan-activity;sid:84712329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.73.17.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849228/; classtype:trojan-activity;sid:84712328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.90.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849227/; classtype:trojan-activity;sid:84712327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.150.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849226/; classtype:trojan-activity;sid:84712326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849225/; classtype:trojan-activity;sid:84712325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3849224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.44.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849224/; classtype:trojan-activity;sid:84712324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.90.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849223/; classtype:trojan-activity;sid:84712323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3ac9ef89-73ed-4629-b18e-a1a56109df58/google.cl"; depth:47; endswith; nocase; http.host; content:"stratospheric-weather-balloon.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849222/; classtype:trojan-activity;sid:84712322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/159a828e-c534-4ba8-b296-a70d4e6d7c01/google.cl"; depth:47; endswith; nocase; http.host; content:"holographic-projection-grid.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849221/; classtype:trojan-activity;sid:84712321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_18; reference:url, urlhaus.abuse.ch/url/3849220/; classtype:trojan-activity;sid:84712320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aff414fe-4eaa-4e04-b7d0-3df9a4f98912/google.cl"; depth:47; endswith; nocase; http.host; content:"deep-sea-hydrothermal-vent.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849219/; classtype:trojan-activity;sid:84712319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.76.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849218/; classtype:trojan-activity;sid:84712318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.63.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849217/; classtype:trojan-activity;sid:84712317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.113.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849216/; classtype:trojan-activity;sid:84712316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849215)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.147.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849215/; classtype:trojan-activity;sid:84712315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c69f36a-ead8-4e1f-81b5-96aaa8e57519/google.cl"; depth:47; endswith; nocase; http.host; content:"gothic-cathedral-blueprint.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849214/; classtype:trojan-activity;sid:84712314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.25.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849213/; classtype:trojan-activity;sid:84712313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.3.9"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849212/; classtype:trojan-activity;sid:84712312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=c4528683-fa5b-4842-a3da-c2b69d56cc2e"; depth:47; endswith; nocase; http.host; content:"wlede4d3.network-harbor.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849211/; classtype:trojan-activity;sid:84712311; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.63.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849210/; classtype:trojan-activity;sid:84712310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.224.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849209/; classtype:trojan-activity;sid:84712309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.12.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849208/; classtype:trojan-activity;sid:84712308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849207/; classtype:trojan-activity;sid:84712307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.12.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; 
reference:url, urlhaus.abuse.ch/url/3849206/; classtype:trojan-activity;sid:84712306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8790629d-d563-4917-87c0-4eae804e32e6/google.cl"; depth:47; endswith; nocase; http.host; content:"magnetic-levitation-train.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849205/; classtype:trojan-activity;sid:84712305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.147.22"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849204/; classtype:trojan-activity;sid:84712304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.25.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849203/; classtype:trojan-activity;sid:84712303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.33.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849202/; classtype:trojan-activity;sid:84712302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849201)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.3.9"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849201/; classtype:trojan-activity;sid:84712301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6a33b11-a1f8-4c43-8296-0569b7b5118b/google.cl"; depth:47; endswith; nocase; http.host; content:"cybernetic-prosthetic-lab.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849200/; classtype:trojan-activity;sid:84712300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849199/; classtype:trojan-activity;sid:84712299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.10.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849198/; classtype:trojan-activity;sid:84712298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849197/; classtype:trojan-activity;sid:84712297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3849196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.217.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849196/; classtype:trojan-activity;sid:84712296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e80cc5ae-8ac0-44dc-ac72-12224eedc7d8/google.cl"; depth:47; endswith; nocase; http.host; content:"subfossil-oak-chronology.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849195/; classtype:trojan-activity;sid:84712295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.217.37"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849194/; classtype:trojan-activity;sid:84712294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/84e13c57-44fb-4a10-b48d-e94f63c9fc0a/google.cl"; depth:47; endswith; nocase; http.host; content:"crispy-chicken-cutlets.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849193/; classtype:trojan-activity;sid:84712293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.157.121"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849192/; classtype:trojan-activity;sid:84712292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2b95c424-e0c9-4e39-b48f-9349e34d7dbc/google.cl"; depth:47; endswith; nocase; http.host; content:"orbital-docking-module.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849191/; classtype:trojan-activity;sid:84712291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.130.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849190/; classtype:trojan-activity;sid:84712290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.149.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849189/; classtype:trojan-activity;sid:84712289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12dbd72c-6389-4f77-a2cf-4434520a092b/google.cl"; depth:47; endswith; nocase; http.host; content:"bada-bing-sopranos-lounge.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849188/; classtype:trojan-activity;sid:84712288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3849187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=4a016df5-e91d-4acc-b2b0-5a7512712426"; depth:47; endswith; nocase; http.host; content:"2u5vvnoh.microservice-pulse.digital"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849187/; classtype:trojan-activity;sid:84712287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.239.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849186/; classtype:trojan-activity;sid:84712286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63ea9c83-3a5d-42b9-841c-8a48cadfd36b/google.cl"; depth:47; endswith; nocase; http.host; content:"audio-attenuator-schematic.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849185/; classtype:trojan-activity;sid:84712285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.32.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849184/; classtype:trojan-activity;sid:84712284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0642cead-0be5-4674-ab65-f2fb2c885641/google.cl"; depth:47; endswith; nocase; http.host; 
content:"sicilian-defense-theory.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849183/; classtype:trojan-activity;sid:84712283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849182/; classtype:trojan-activity;sid:84712282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.242.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849181/; classtype:trojan-activity;sid:84712281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.180.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849180/; classtype:trojan-activity;sid:84712280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/199b96b0-a0b7-47ca-a59c-5022741436a0/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalmonitoringengine.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849179/; classtype:trojan-activity;sid:84712279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3849178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.32.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849178/; classtype:trojan-activity;sid:84712278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849177/; classtype:trojan-activity;sid:84712277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849176/; classtype:trojan-activity;sid:84712276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849175/; classtype:trojan-activity;sid:84712275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.90.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849174/; classtype:trojan-activity;sid:84712274; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.242.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849173/; classtype:trojan-activity;sid:84712273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849172/; classtype:trojan-activity;sid:84712272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.180.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849171/; classtype:trojan-activity;sid:84712271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849169/; classtype:trojan-activity;sid:84712269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.90.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, 
urlhaus.abuse.ch/url/3849170/; classtype:trojan-activity;sid:84712270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849168/; classtype:trojan-activity;sid:84712268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.55.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849167/; classtype:trojan-activity;sid:84712267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/04789575-1c3d-41d1-8852-d2213716c0fc/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedgardenresource.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849166/; classtype:trojan-activity;sid:84712266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849165/; classtype:trojan-activity;sid:84712265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"110.36.70.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849164/; classtype:trojan-activity;sid:84712264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849163/; classtype:trojan-activity;sid:84712263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dac078a0-0200-43a7-8246-a436feb9204e/google.cl"; depth:47; endswith; nocase; http.host; content:"wildfloraworkflowsystem.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849162/; classtype:trojan-activity;sid:84712262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.142.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849161/; classtype:trojan-activity;sid:84712261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.186.229.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849160/; classtype:trojan-activity;sid:84712260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3849159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1ea13f50-871b-4a86-a698-e258ec7bedc7/google.cl"; depth:47; endswith; nocase; http.host; content:"petaldistributionplatform.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849159/; classtype:trojan-activity;sid:84712259; rev:1;)
# NOTE(review): in the next rule |3f| encodes a single byte ("?"), so the http.uri content
# is 44 bytes long, while depth:47 is the length of the escaped text. endswith still anchors
# the end of the URI, but up to 3 extra leading bytes are tolerated, so this is not the exact
# match the neighbouring rules give; depth:44 would pin the URI exactly. The feed looks
# generated, so the lasting fix belongs in the generator rather than in a local edit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=de2bc0b7-8ca4-4458-b702-78f4667e88f1"; depth:47; endswith; nocase; http.host; content:"0q9bvoqh.telemetry-vault.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849158/; classtype:trojan-activity;sid:84712258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849157/; classtype:trojan-activity;sid:84712257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849156/; classtype:trojan-activity;sid:84712256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.99.54"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849155/; classtype:trojan-activity;sid:84712255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.6.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849154/; classtype:trojan-activity;sid:84712254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/80913708-64ea-49a2-8fe9-3a0a5ae778dd/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhouseoperationscenter.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849153/; classtype:trojan-activity;sid:84712253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.77.12.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849152/; classtype:trojan-activity;sid:84712252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.186.229.112"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849151/; classtype:trojan-activity;sid:84712251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849150)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.77.12.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849150/; classtype:trojan-activity;sid:84712250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/952d956c-4c8b-4d29-88b9-cda2b45adca7/google.cl"; depth:47; endswith; nocase; http.host; content:"infra-blue-high-print.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849149/; classtype:trojan-activity;sid:84712249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.117.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849148/; classtype:trojan-activity;sid:84712248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.191.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849147/; classtype:trojan-activity;sid:84712247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.6.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849146/; classtype:trojan-activity;sid:84712246; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849145/; classtype:trojan-activity;sid:84712245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.156.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849144/; classtype:trojan-activity;sid:84712244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849143/; classtype:trojan-activity;sid:84712243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a8f4d6a7-7828-4917-b0ec-bfa36f119121/google.cl"; depth:47; endswith; nocase; http.host; content:"serverless-mesh-core-yet-go.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849142/; classtype:trojan-activity;sid:84712242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.225.47.183"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_18; reference:url, urlhaus.abuse.ch/url/3849141/; classtype:trojan-activity;sid:84712241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.239.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849140/; classtype:trojan-activity;sid:84712240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.43.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849139/; classtype:trojan-activity;sid:84712239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.117.113"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849138/; classtype:trojan-activity;sid:84712238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3546dfae-737d-4b19-930f-3f22c7244178/google.cl"; depth:47; endswith; nocase; http.host; content:"kitdocs-openlow-observe-matrix.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849137/; classtype:trojan-activity;sid:84712237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849136)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.79.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849136/; classtype:trojan-activity;sid:84712236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.156.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849135/; classtype:trojan-activity;sid:84712235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7782139129/ifnofwg.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849134/; classtype:trojan-activity;sid:84712234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdf7bec4-c094-4013-8e10-ff4ab1563f17/google.cl"; depth:47; endswith; nocase; http.host; content:"ecosystemprocessingcenter.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849133/; classtype:trojan-activity;sid:84712233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"176.65.148.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849127/; 
classtype:trojan-activity;sid:84712227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"176.65.148.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849128/; classtype:trojan-activity;sid:84712228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"176.65.148.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849129/; classtype:trojan-activity;sid:84712229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.148.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849130/; classtype:trojan-activity;sid:84712230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; nocase; http.host; content:"176.65.148.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849131/; classtype:trojan-activity;sid:84712231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"176.65.148.164"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849132/; classtype:trojan-activity;sid:84712232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"162.141.92.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849123/; classtype:trojan-activity;sid:84712223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"162.141.92.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849124/; classtype:trojan-activity;sid:84712224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"162.141.92.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849125/; classtype:trojan-activity;sid:84712225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"162.141.92.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849126/; classtype:trojan-activity;sid:84712226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849121)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"176.65.148.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849121/; classtype:trojan-activity;sid:84712221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"176.65.148.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849122/; classtype:trojan-activity;sid:84712222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"162.141.92.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849120/; classtype:trojan-activity;sid:84712220; rev:1;)
# NOTE(review): in the next rule |3f| encodes a single byte ("?"), so the http.uri content
# is 44 bytes long, while depth:47 is the length of the escaped text. endswith still anchors
# the end of the URI, but up to 3 extra leading bytes are tolerated, unlike the rules whose
# depth equals their content length; depth:44 would pin the URI exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=58dab6da-45dd-444a-a996-21ade890e7f7"; depth:47; endswith; nocase; http.host; content:"83j6hfza.runtime-forge.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849119/; classtype:trojan-activity;sid:84712219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849118/; classtype:trojan-activity;sid:84712218; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.132.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849117/; classtype:trojan-activity;sid:84712217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33c21f39-26a8-468c-ada8-36f0761c1262/google.cl"; depth:47; endswith; nocase; http.host; content:"containerizedgardenmesh.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849116/; classtype:trojan-activity;sid:84712216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849115/; classtype:trojan-activity;sid:84712215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.249.199.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849114/; classtype:trojan-activity;sid:84712214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.130.235.5"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_05_17; reference:url, urlhaus.abuse.ch/url/3849113/; classtype:trojan-activity;sid:84712213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849112/; classtype:trojan-activity;sid:84712212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5128d9c-ca65-4e95-9344-f14f05a4b055/google.cl"; depth:47; endswith; nocase; http.host; content:"floraobservabilitysystem.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849111/; classtype:trojan-activity;sid:84712211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.132.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849110/; classtype:trojan-activity;sid:84712210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.46.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849109/; classtype:trojan-activity;sid:84712209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849108)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.130.235.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849108/; classtype:trojan-activity;sid:84712208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a64d71f-af32-4e6d-8974-95d57fea63d7/google.cl"; depth:47; endswith; nocase; http.host; content:"meadowautomationplatform.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849107/; classtype:trojan-activity;sid:84712207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.46.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849106/; classtype:trojan-activity;sid:84712206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8b169d12-9245-4c71-9457-efcc4e156a87/google.cl"; depth:47; endswith; nocase; http.host; content:"irrigationmanagementhub.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849105/; classtype:trojan-activity;sid:84712205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.210.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849104/; 
classtype:trojan-activity;sid:84712204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.167.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849103/; classtype:trojan-activity;sid:84712203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.236.65.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849102/; classtype:trojan-activity;sid:84712202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849101/; classtype:trojan-activity;sid:84712201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.210.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849100/; classtype:trojan-activity;sid:84712200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/061a9ca5-c91e-4c54-a3fc-9c61411fbe1b/google.cl"; depth:47; endswith; nocase; http.host; 
content:"botanicalmonitoringengine.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849099/; classtype:trojan-activity;sid:84712199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"46.236.65.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849098/; classtype:trojan-activity;sid:84712198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.39.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849097/; classtype:trojan-activity;sid:84712197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/78de24bc-baf1-4323-aa39-9ba4fc593bb6/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedgardenresource.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849096/; classtype:trojan-activity;sid:84712196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.103.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849095/; classtype:trojan-activity;sid:84712195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3849094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bc34cff5-3fbc-48ca-8192-8761e9698261"; depth:47; endswith; nocase; http.host; content:"l8krrumc.cloud-sphere.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849094/; classtype:trojan-activity;sid:84712194; rev:1;)
# NOTE(review): applies to the rule ending on the line above (3849094) and to rule 3849092
# below. |3f| encodes a single byte ("?"), so each http.uri content is 44 bytes long, while
# depth:47 is the length of the escaped text. endswith still anchors the end of the URI, but
# up to 3 extra leading bytes are tolerated; depth:44 would pin the URI exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849093/; classtype:trojan-activity;sid:84712193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=4788cdb5-4476-4363-a775-6092dde7a91b"; depth:47; endswith; nocase; http.host; content:"tehpafro.script-horizon.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849092/; classtype:trojan-activity;sid:84712192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.56.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849091/; classtype:trojan-activity;sid:84712191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40c387b9-98a6-4b70-ad39-91997ddd6286/google.cl"; depth:47; endswith; nocase; http.host; 
content:"wildfloraworkflowsystem.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849090/; classtype:trojan-activity;sid:84712190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.15.90.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849089/; classtype:trojan-activity;sid:84712189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849088/; classtype:trojan-activity;sid:84712188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.202.39.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849087/; classtype:trojan-activity;sid:84712187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.80.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849086/; classtype:trojan-activity;sid:84712186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849084)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"72.255.18.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849084/; classtype:trojan-activity;sid:84712184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"72.255.3.73"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849085/; classtype:trojan-activity;sid:84712185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mercury.arm7"; depth:18; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849083/; classtype:trojan-activity;sid:84712183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849082/; classtype:trojan-activity;sid:84712182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.230.26.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849081/; classtype:trojan-activity;sid:84712181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3849080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"179.43.182.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849080/; classtype:trojan-activity;sid:84712180; rev:1;)
# The .garden hosts below share a URI layout, /{uuid}/google.cl (47 bytes), with
# a different UUID per host. depth:47 plus endswith matches the URI in full, so
# each rule pins one exact URL rather than the layout.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/205c658f-b20f-41be-9633-0acf85ea959a/google.cl"; depth:47; endswith; nocase; http.host; content:"petaldistributionplatform.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849079/; classtype:trojan-activity;sid:84712179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.80.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849078/; classtype:trojan-activity;sid:84712178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71400c2e-7e9f-4c2a-b1ff-8df6438d6045/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhouseoperationscenter.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849077/; classtype:trojan-activity;sid:84712177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host;
content:"113.230.26.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849076/; classtype:trojan-activity;sid:84712176; rev:1;)
# Bare-IP hosts serving /i and /bin.sh. The two-byte URI /i is far too generic
# to alert on by itself; it is specific only because http.host is pinned to the
# exact address in the same rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.205.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849075/; classtype:trojan-activity;sid:84712175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.205.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849074/; classtype:trojan-activity;sid:84712174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849073/; classtype:trojan-activity;sid:84712173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849072/; classtype:trojan-activity;sid:84712172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849071)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/98b9fd94-4ced-4deb-9d7e-15687e7dc818/google.cl"; depth:47; endswith; nocase; http.host; content:"infra-blue-high-print.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849071/; classtype:trojan-activity;sid:84712171; rev:1;)
# msg and reference both carry the URLhaus entry id. In the rules visible here
# the sid is that id plus 80863100 (3849070 -> 84712170), so an alert's sid can
# be mapped back to its urlhaus.abuse.ch/url/{id}/ page during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.46.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849070/; classtype:trojan-activity;sid:84712170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/757fc5c6-546b-4b20-b58d-9d0e869da00e/google.cl"; depth:47; endswith; nocase; http.host; content:"serverless-mesh-core-yet-go.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849069/; classtype:trojan-activity;sid:84712169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.2"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849068/; classtype:trojan-activity;sid:84712168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.113.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849067/;
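classtype:trojan-activity;sid:84712167; rev:1;)
# /i on bare-IP hosts: depth:2 plus endswith means the URI must be exactly "/i",
# and depth plus isdataat:!1,relative means the Host must be exactly the address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.129.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849066/; classtype:trojan-activity;sid:84712166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.113.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849065/; classtype:trojan-activity;sid:84712165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.152.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849064/; classtype:trojan-activity;sid:84712164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849063/; classtype:trojan-activity;sid:84712163; rev:1;)
# depth corrected from 47 to 44 in the rule that starts here. |3f| is a single
# byte ("?"), so the decoded pattern is 44 bytes; 47 is the length of the escaped
# text. With depth:47 plus endswith the rule also accepted URIs carrying up to
# three extra leading bytes, unlike the exact-match rules around it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=3e7e09af-d077-4473-930e-d6367837fd68"; depth:44; endswith; nocase; http.host;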
content:"xyv1jupy.container-vector.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849062/; classtype:trojan-activity;sid:84712162; rev:1;)
# /tracker.js on a series of distinct hostnames. The path is generic, so the
# exact http.host match is what makes each of these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.157.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849061/; classtype:trojan-activity;sid:84712161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"ostekstatmen.net"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849060/; classtype:trojan-activity;sid:84712160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"infoworkerone.org"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849059/; classtype:trojan-activity;sid:84712159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"mstopsai.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849057/; classtype:trojan-activity;sid:84712157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849058)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"monstersstat.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849058/; classtype:trojan-activity;sid:84712158; rev:1;)
# More /tracker.js entries. globalsstat.com and globalsstat.org get separate
# rules because http.host is matched in full (depth plus isdataat:!1,relative),
# not by prefix or suffix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"masterklass.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849056/; classtype:trojan-activity;sid:84712156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"globalsstat.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849055/; classtype:trojan-activity;sid:84712155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"merkureenv.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849049/; classtype:trojan-activity;sid:84712149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"globalsstat.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849050/; classtype:trojan-activity;sid:84712150;
rev:1;)
# Every rule here carries metadata:created_at 2026_05_17 -- presumably the date
# the URL was listed; confirm against the URLhaus entry before using it to age
# out indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"jobworkny.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849051/; classtype:trojan-activity;sid:84712151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"maxstatesus.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849052/; classtype:trojan-activity;sid:84712152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"infoworkerone.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849053/; classtype:trojan-activity;sid:84712153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracker.js"; depth:11; endswith; nocase; http.host; content:"sorrystartstat1.net"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849054/; classtype:trojan-activity;sid:84712154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative;
metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849048/; classtype:trojan-activity;sid:84712148; rev:1;)
# Several addresses appear twice in this feed, once for /i and once for /bin.sh
# (219.155.129.38 below also has an /i rule, sid 84712166). When triaging,
# correlate alerts by destination host rather than treating each sid separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849047/; classtype:trojan-activity;sid:84712147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.201.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849046/; classtype:trojan-activity;sid:84712146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.129.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849045/; classtype:trojan-activity;sid:84712145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.208.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849044/; classtype:trojan-activity;sid:84712144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase;
http.host; content:"115.55.235.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849043/; classtype:trojan-activity;sid:84712143; rev:1;)
# flow:established,from_client limits matching to the client side of an
# established session, i.e. the outbound request from $HOME_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.157.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849042/; classtype:trojan-activity;sid:84712142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.208.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849039/; classtype:trojan-activity;sid:84712139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.127.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849040/; classtype:trojan-activity;sid:84712140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.84.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849041/; classtype:trojan-activity;sid:84712141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849038)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.105.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849038/; classtype:trojan-activity;sid:84712138; rev:1;)
# All conditions in these rules are on the request (method, URI, Host). An alert
# therefore shows that a host in $HOME_NET asked for the URL; it does not show
# whether a payload was returned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.42.58.234"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849037/; classtype:trojan-activity;sid:84712137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.236.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849036/; classtype:trojan-activity;sid:84712136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f4d18c29-55a8-460b-8abf-2e4eef773ea8/google.ct"; depth:47; endswith; nocase; http.host; content:"vaultask-micro-service-pulse.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849035/; classtype:trojan-activity;sid:84712135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc64"; depth:10; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849034/; classtype:trojan-activity;sid:84712134; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849023/; classtype:trojan-activity;sid:84712123; rev:1;)
# 83.168.95.167: /cat.sh plus payload paths named after CPU architectures
# (armhf, i686, sparc, aarch64), one exact-URI rule per path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armhf"; depth:6; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849024/; classtype:trojan-activity;sid:84712124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849025/; classtype:trojan-activity;sid:84712125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849026/; classtype:trojan-activity;sid:84712126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url,
urlhaus.abuse.ch/url/3849027/; classtype:trojan-activity;sid:84712127; rev:1;)
# 83.168.95.167: /mips, /arm, /sh4, /mipsel, /m68k. Because depth equals the
# pattern length and endswith is set, /arm matches only the URI "/arm" and not
# longer names that begin with it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849028/; classtype:trojan-activity;sid:84712128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849029/; classtype:trojan-activity;sid:84712129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849030/; classtype:trojan-activity;sid:84712130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849031/; classtype:trojan-activity;sid:84712131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"83.168.95.167";
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849032/; classtype:trojan-activity;sid:84712132; rev:1;)
# Two hosts below: 83.168.95.167 (/x86_64, /loader.sh) and 176.65.139.121
# (/dlr.c, /test.c).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849033/; classtype:trojan-activity;sid:84712133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"83.168.95.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849022/; classtype:trojan-activity;sid:84712122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.c"; depth:6; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849020/; classtype:trojan-activity;sid:84712120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.c"; depth:7; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849021/; classtype:trojan-activity;sid:84712121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849019)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.236.65.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849019/; classtype:trojan-activity;sid:84712119; rev:1;)
# The .garden rule below uses /{uuid}/google.ct (note .ct; other .garden entries
# in this feed use google.cl). Either way the URI is 47 bytes and matched in full.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1339d446-82df-4a27-a02a-59ddf231a3cc/google.ct"; depth:47; endswith; nocase; http.host; content:"cleanlay-fet-telemetry-vault.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849018/; classtype:trojan-activity;sid:84712118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.236.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849017/; classtype:trojan-activity;sid:84712117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849016/; classtype:trojan-activity;sid:84712116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.29.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849015/; classtype:trojan-activity;sid:84712115; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5f3f32f5-5132-427a-a76b-dfb243c36b95/google.ct"; depth:47; endswith; nocase; http.host; content:"clamprob-folder-runtime-forge.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849014/; classtype:trojan-activity;sid:84712114; rev:1;)
# The http.host depth equals the host string length (12 for 24.35.228.16).
# Combined with isdataat:!1,relative this rejects longer Host values that merely
# begin with the same characters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.85.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849013/; classtype:trojan-activity;sid:84712113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"24.35.228.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849012/; classtype:trojan-activity;sid:84712112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.36.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849011/; classtype:trojan-activity;sid:84712111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4d2e91ca-1c94-48f1-af66-20889dcb5626/google.ct"; depth:47; endswith; nocase; http.host;
content:"aimgrub2-cloud-sphere-get.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849010/; classtype:trojan-activity;sid:84712110; rev:1;)
# 110.37.44.250 appears below with both /bin.sh and /i; the two paths get
# separate sids because each rule matches one exact URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.44.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849009/; classtype:trojan-activity;sid:84712109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.44.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849008/; classtype:trojan-activity;sid:84712108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.150.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849007/; classtype:trojan-activity;sid:84712107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.29.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849006/; classtype:trojan-activity;sid:84712106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849005)"; flow:established,from_client;
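http.method; content:"GET"; http.uri; content:"/|3f|ublib=04a5ed38-c774-4926-94ad-75b693ad6146"; depth:44; endswith; nocase; http.host; content:"jcdlhks8.node-pulse.digital"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849005/; classtype:trojan-activity;sid:84712105; rev:1;)
# In the rule ending just above (sid 84712105), depth was corrected from 47 to
# 44. |3f| is a single byte ("?"), so the decoded pattern is 44 bytes; 47 is the
# length of the escaped text. With depth:47 plus endswith the rule also accepted
# URIs carrying up to three extra leading bytes, unlike the exact-match rules
# around it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.189.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849004/; classtype:trojan-activity;sid:84712104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.36.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849003/; classtype:trojan-activity;sid:84712103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9d2df7c3-e5c3-4a37-9a99-db42971c667d/google.ct"; depth:47; endswith; nocase; http.host; content:"siteyet-script-horizon-go.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849002/; classtype:trojan-activity;sid:84712102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url,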
urlhaus.abuse.ch/url/3848999/; classtype:trojan-activity;sid:84712099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849000/; classtype:trojan-activity;sid:84712100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3849001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/586"; depth:4; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3849001/; classtype:trojan-activity;sid:84712101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848996/; classtype:trojan-activity;sid:84712096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848997/; classtype:trojan-activity;sid:84712097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/co"; depth:3; endswith; nocase; http.host; content:"176.65.139.121"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848998/; classtype:trojan-activity;sid:84712098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848995/; classtype:trojan-activity;sid:84712095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc"; depth:3; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848988/; classtype:trojan-activity;sid:84712088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dss"; depth:4; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848989/; classtype:trojan-activity;sid:84712089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scar"; depth:5; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848990/; classtype:trojan-activity;sid:84712090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848991)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848991/; classtype:trojan-activity;sid:84712091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848992/; classtype:trojan-activity;sid:84712092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848993/; classtype:trojan-activity;sid:84712093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848994/; classtype:trojan-activity;sid:84712094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.150.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848986/; classtype:trojan-activity;sid:84712086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3848987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.67.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848987/; classtype:trojan-activity;sid:84712087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test_bot"; depth:9; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848985/; classtype:trojan-activity;sid:84712085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848984/; classtype:trojan-activity;sid:84712084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848983/; classtype:trojan-activity;sid:84712083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848980/; classtype:trojan-activity;sid:84712080; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848981/; classtype:trojan-activity;sid:84712081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848982/; classtype:trojan-activity;sid:84712082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4a570a3e-0e5e-458c-8230-330f5e67bca8/google.ct"; depth:47; endswith; nocase; http.host; content:"open-low-container-vector.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848979/; classtype:trojan-activity;sid:84712079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848978/; classtype:trojan-activity;sid:84712078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848977/; classtype:trojan-activity;sid:84712077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848976/; classtype:trojan-activity;sid:84712076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848975/; classtype:trojan-activity;sid:84712075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848961/; classtype:trojan-activity;sid:84712061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848962/; classtype:trojan-activity;sid:84712062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848963)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848963/; classtype:trojan-activity;sid:84712063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848964/; classtype:trojan-activity;sid:84712064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848965/; classtype:trojan-activity;sid:84712065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848966/; classtype:trojan-activity;sid:84712066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848967/; 
classtype:trojan-activity;sid:84712067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848968/; classtype:trojan-activity;sid:84712068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armhf"; depth:6; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848969/; classtype:trojan-activity;sid:84712069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc64"; depth:10; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848970/; classtype:trojan-activity;sid:84712070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848971/; classtype:trojan-activity;sid:84712071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; 
content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848972/; classtype:trojan-activity;sid:84712072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848973/; classtype:trojan-activity;sid:84712073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848974/; classtype:trojan-activity;sid:84712074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848955/; classtype:trojan-activity;sid:84712055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848956/; classtype:trojan-activity;sid:84712056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3848957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848957/; classtype:trojan-activity;sid:84712057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848958/; classtype:trojan-activity;sid:84712058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848959/; classtype:trojan-activity;sid:84712059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848960/; classtype:trojan-activity;sid:84712060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848953/; 
classtype:trojan-activity;sid:84712053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848954/; classtype:trojan-activity;sid:84712054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848950/; classtype:trojan-activity;sid:84712050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848951/; classtype:trojan-activity;sid:84712051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"toomanyways.duckdns.org"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848952/; classtype:trojan-activity;sid:84712052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848948/; classtype:trojan-activity;sid:84712048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848949/; classtype:trojan-activity;sid:84712049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848943/; classtype:trojan-activity;sid:84712043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848944/; classtype:trojan-activity;sid:84712044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848945/; classtype:trojan-activity;sid:84712045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; 
depth:4; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848946/; classtype:trojan-activity;sid:84712046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848947/; classtype:trojan-activity;sid:84712047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.sh"; depth:12; endswith; nocase; http.host; content:"js.byxly.eu.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848942/; classtype:trojan-activity;sid:84712042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm61"; depth:6; endswith; nocase; http.host; content:"176.65.139.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848941/; classtype:trojan-activity;sid:84712041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848940/; classtype:trojan-activity;sid:84712040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848939)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.10.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848939/; classtype:trojan-activity;sid:84712039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/42865d26-f731-4430-bf5b-718c05f372f1/google.ct"; depth:47; endswith; nocase; http.host; content:"cntainrs-folders-giped-green-hub.garden"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848938/; classtype:trojan-activity;sid:84712038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.68.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848937/; classtype:trojan-activity;sid:84712037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848936/; classtype:trojan-activity;sid:84712036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848934/; 
classtype:trojan-activity;sid:84712034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.ppc"; depth:9; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848935/; classtype:trojan-activity;sid:84712035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848933/; classtype:trojan-activity;sid:84712033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.23.130.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848932/; classtype:trojan-activity;sid:84712032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86.exe"; depth:12; endswith; nocase; http.host; content:"192.109.200.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848930/; classtype:trojan-activity;sid:84712030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"192.109.200.122"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848931/; classtype:trojan-activity;sid:84712031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"192.109.200.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848927/; classtype:trojan-activity;sid:84712027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_ppc"; depth:11; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848928/; classtype:trojan-activity;sid:84712028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848929/; classtype:trojan-activity;sid:84712029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_mips"; depth:12; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848921/; classtype:trojan-activity;sid:84712021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848922)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/botnet_arm5"; depth:12; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848922/; classtype:trojan-activity;sid:84712022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"192.109.200.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848923/; classtype:trojan-activity;sid:84712023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"192.109.200.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848924/; classtype:trojan-activity;sid:84712024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_mpsl"; depth:12; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848925/; classtype:trojan-activity;sid:84712025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848926/; classtype:trojan-activity;sid:84712026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3848917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_arc"; depth:11; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848917/; classtype:trojan-activity;sid:84712017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"192.109.200.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848918/; classtype:trojan-activity;sid:84712018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848919/; classtype:trojan-activity;sid:84712019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_spc"; depth:11; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848920/; classtype:trojan-activity;sid:84712020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_arm7"; depth:12; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848916/; 
classtype:trojan-activity;sid:84712016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_arm"; depth:11; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848912/; classtype:trojan-activity;sid:84712012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848913/; classtype:trojan-activity;sid:84712013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.ppc"; depth:8; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848914/; classtype:trojan-activity;sid:84712014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.arm7"; depth:13; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848915/; classtype:trojan-activity;sid:84712015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848911/; classtype:trojan-activity;sid:84712011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.m68k"; depth:13; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848910/; classtype:trojan-activity;sid:84712010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.ppc"; depth:12; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848908/; classtype:trojan-activity;sid:84712008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_m68k"; depth:12; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848909/; classtype:trojan-activity;sid:84712009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.arm5"; depth:13; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848907/; classtype:trojan-activity;sid:84712007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848905)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/nuklear.sh4"; depth:12; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848905/; classtype:trojan-activity;sid:84712005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_x86"; depth:11; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848906/; classtype:trojan-activity;sid:84712006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nohup.out"; depth:10; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848903/; classtype:trojan-activity;sid:84712003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.spc"; depth:12; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848904/; classtype:trojan-activity;sid:84712004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_sh4"; depth:11; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848896/; classtype:trojan-activity;sid:84711996; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.mips"; depth:13; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848897/; classtype:trojan-activity;sid:84711997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_arm6"; depth:12; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848898/; classtype:trojan-activity;sid:84711998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.arm"; depth:12; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848899/; classtype:trojan-activity;sid:84711999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.arm6"; depth:13; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848900/; classtype:trojan-activity;sid:84712000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.mpsl"; depth:13; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; 
reference:url, urlhaus.abuse.ch/url/3848901/; classtype:trojan-activity;sid:84712001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.mpsl"; depth:9; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848902/; classtype:trojan-activity;sid:84712002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.x86"; depth:8; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848891/; classtype:trojan-activity;sid:84711991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.x86"; depth:12; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848892/; classtype:trojan-activity;sid:84711992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/botnet_x86_64"; depth:14; endswith; nocase; http.host; content:"43.251.116.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848893/; classtype:trojan-activity;sid:84711993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.s390"; depth:9; endswith; nocase; 
http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848894/; classtype:trojan-activity;sid:84711994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuklear.x86_64"; depth:15; endswith; nocase; http.host; content:"183.239.235.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848895/; classtype:trojan-activity;sid:84711995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload"; depth:8; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848888/; classtype:trojan-activity;sid:84711988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848889/; classtype:trojan-activity;sid:84711989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apex.sh"; depth:8; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848890/; classtype:trojan-activity;sid:84711990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848883)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rename_bots.sh"; depth:15; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848883/; classtype:trojan-activity;sid:84711983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848884/; classtype:trojan-activity;sid:84711984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848885/; classtype:trojan-activity;sid:84711985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848886/; classtype:trojan-activity;sid:84711986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848887/; classtype:trojan-activity;sid:84711987; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848882/; classtype:trojan-activity;sid:84711982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848881/; classtype:trojan-activity;sid:84711981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.arm5"; depth:9; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848873/; classtype:trojan-activity;sid:84711973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check_bots.sh"; depth:14; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848874/; classtype:trojan-activity;sid:84711974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.mps64"; depth:10; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, 
urlhaus.abuse.ch/url/3848875/; classtype:trojan-activity;sid:84711975; rev:1;)
# (The line above is the tail of the rule for URLhaus entry 3848875, whose head sits on the previous line.)
#
# Rule anatomy shared by every entry in this run:
#   - flow:established,from_client  -> only client-to-server data on an established flow is inspected.
#   - http.method; content:"GET"    -> the method buffer must contain "GET".
#   - http.uri; content; depth=len; endswith; nocase
#                                   -> the URI buffer must equal the listed path, compared case-insensitively.
#                                      The same path with a query string appended does not satisfy endswith.
#   - http.host; content; depth=len; isdataat:!1,relative
#                                   -> the host buffer must equal the listed value, with no byte following it.
# Both conditions must hold, so each rule identifies one URL on one host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.64"; depth:7; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848876/; classtype:trojan-activity;sid:84711976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.i386"; depth:9; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848877/; classtype:trojan-activity;sid:84711977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.arm7"; depth:9; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848878/; classtype:trojan-activity;sid:84711978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaf.mips"; depth:9; endswith; nocase; http.host; content:"138.68.76.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848879/; classtype:trojan-activity;sid:84711979; rev:1;)
# NOTE(review): the next two rules name shared hosting platforms (github.com, drive.google.com)
# that are normally reached over HTTPS. An `alert http` rule only sees requests the sensor can
# parse as HTTP, so these presumably fire only where TLS is decrypted ahead of the sensor or on
# a plain-HTTP first request. Confirm against sensor placement before counting them as coverage.
# Any response action should key on the full path: the host alone is a legitimate shared service.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gutsyheartpeu/naturalvision/releases/download/1.2/furry.realms.1.0.0.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848880/; classtype:trojan-activity;sid:84711980; rev:1;)
# NOTE(review): in the URI content below, `|7c|26|7c|` decodes to the four literal bytes "|26|"
# (0x7c is the pipe character). It looks like an `&` was hex-escaped to |26| and the pipes were
# then escaped a second time. If so, a request carrying `&id=` would not match this rule as
# written. Verify against the URL on the referenced URLhaus page.
# depth:68 equals the length of the escaped text, not of the decoded pattern (59 bytes as written).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1wtzazrx6z1bilhfqfdwc4rqudlgopjzb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848872/; classtype:trojan-activity;sid:84711972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.70.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848871/; classtype:trojan-activity;sid:84711971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.70.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848870/; classtype:trojan-activity;sid:84711970; rev:1;)
# (The rule for URLhaus entry 3848868 starts here and is completed on the following line.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.10.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848868/; 
classtype:trojan-activity;sid:84711968; rev:1;)
# (The line above is the tail of the rule for URLhaus entry 3848868, whose head sits on the previous line.)
#
# Each rule in this run requires an established client-to-server HTTP flow, a method buffer
# containing "GET", a URI buffer equal to the listed path (depth = pattern length plus endswith,
# case-insensitive via nocase) and a host buffer equal to the listed value (depth = pattern
# length plus isdataat:!1,relative). A query string appended to the path defeats the URI match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.242.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848869/; classtype:trojan-activity;sid:84711967; rev:1;)
# NOTE(review): this feed carries several rules of the shape /<uuid>/google.ct, each on a
# different *.garden host (this one, plus sids 84711948, 84711942 and 84711933 further down).
# Every one pins a single UUID and a single host, so each is presumably short-lived as an
# indicator. A local hunting query on the path shape may last longer. Measure its
# false-positive rate before alerting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f47fb0eb-1f0b-4f6b-95ad-75f75d0b7293/google.ct"; depth:47; endswith; nocase; http.host; content:"flora-obsrvs-ability-todo.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848867/; classtype:trojan-activity;sid:84711967; rev:1;)
# NOTE(review): the /post/ file names served by 176.65.149.138 resemble Linux kernel thread
# names: edac_polld below, then rcuop_0, zswap_shrinkd, kworker_u8, ksoftirqd0, kswapd0 and
# others in the rules that follow. That suggests the fetched binaries may run under look-alike
# process names. Presumably worth pairing these alerts with a host-side check for userland
# processes that carry such names. Verify against a sample.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848866/; classtype:trojan-activity;sid:84711966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/edac_polld"; depth:16; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848865/; classtype:trojan-activity;sid:84711965; rev:1;)
# (The rule for URLhaus entry 3848863 starts here and is completed on the following line.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/rcuop_0"; depth:13; 
endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848863/; classtype:trojan-activity;sid:84711963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848864/; classtype:trojan-activity;sid:84711964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/kworker_u8"; depth:16; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848862/; classtype:trojan-activity;sid:84711962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848859/; classtype:trojan-activity;sid:84711959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/bioset0"; depth:13; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848860/; classtype:trojan-activity;sid:84711960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3848861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/cfg80211d"; depth:15; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848861/; classtype:trojan-activity;sid:84711961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848858/; classtype:trojan-activity;sid:84711958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.121.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848855/; classtype:trojan-activity;sid:84711955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/kblockd0"; depth:14; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848856/; classtype:trojan-activity;sid:84711956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848857/; 
classtype:trojan-activity;sid:84711957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/kswapd0"; depth:13; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848854/; classtype:trojan-activity;sid:84711954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848853/; classtype:trojan-activity;sid:84711953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mao.sh"; depth:7; endswith; nocase; http.host; content:"176.65.149.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848852/; classtype:trojan-activity;sid:84711952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.142.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848851/; classtype:trojan-activity;sid:84711951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848849/; classtype:trojan-activity;sid:84711949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.210.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848850/; classtype:trojan-activity;sid:84711950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848847/; classtype:trojan-activity;sid:84711947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/962a5552-864c-48e3-8937-0e85bc0b6b8a/google.ct"; depth:47; endswith; nocase; http.host; content:"load-meadows-analytics-cntr.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848848/; classtype:trojan-activity;sid:84711948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.94.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848846/; classtype:trojan-activity;sid:84711946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848845)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.255.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848845/; classtype:trojan-activity;sid:84711945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.242.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848844/; classtype:trojan-activity;sid:84711944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.210.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848843/; classtype:trojan-activity;sid:84711943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef0c03f7-864a-4267-a903-e64131626def/google.ct"; depth:47; endswith; nocase; http.host; content:"july-feded-plants-workflow.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848842/; classtype:trojan-activity;sid:84711942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.28.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848841/; classtype:trojan-activity;sid:84711941; rev:1;) 
# URLhaus exact-URL download rules, restored to one rule per line. The number in msg and in the
# reference URL is the URLhaus entry id; each sid covers exactly one listed URL.
#
# How every rule below matches:
#   - $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: only client requests leaving
#     HOME_NET are inspected, so coverage depends on HOME_NET being set correctly on the sensor.
#   - http.method must contain "GET"; other request methods to the same URL do not alert.
#   - http.uri: depth equal to the pattern length plus endswith pins the whole URI buffer to the
#     pattern; nocase makes that comparison case-insensitive.
#   - http.host: depth plus isdataat:!1,relative pins the whole host buffer the same way. No nocase
#     is used there; Suricata normalizes http.host to lowercase and every host pattern is lowercase.
#
# Reading an alert: it shows that an internal client requested a listed URL. It does not show that a
# payload was returned or executed; confirm with the HTTP response, file extraction or host telemetry.
# created_at is the only age signal in the rule text and nothing here says whether the URL is still
# live, so check the reference URL before acting on hits from older entries.
#
# Coverage limits visible in these rules:
#   - They are `alert http` rules and only see HTTP the sensor can parse; a request carried inside
#     TLS that is not decrypted will not match.
#   - The *.garden "/<uuid>/google.ct" and *.digital "/?ublib=<uuid>" rules each pin one host and
#     one UUID; a sibling URL with a different host or UUID matches none of them.
#
# NOTE(review): in the two "/|3f|ublib=" rules (sid 84711940, sid 84711884) the decoded pattern is
# 44 bytes (|3f| is the single byte '?'), yet depth is 47. Combined with endswith this also accepts a
# URI with up to three extra leading bytes. It looks as if the length was taken from the escaped
# text; confirm upstream. Detection of the listed URL is unaffected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=8e01f594-f394-45f4-ab25-be1ebdc99db6"; depth:47; endswith; nocase; http.host; content:"4j0v33ow.cyber-lattice.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848840/; classtype:trojan-activity;sid:84711940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.94.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848839/; classtype:trojan-activity;sid:84711939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"170.233.57.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848838/; classtype:trojan-activity;sid:84711938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848837/; classtype:trojan-activity;sid:84711937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.255.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848836/; classtype:trojan-activity;sid:84711936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.38.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848835/; classtype:trojan-activity;sid:84711935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.93.220"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848834/; classtype:trojan-activity;sid:84711934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/50c4af17-ac3b-4595-8473-5b6358d9d8b0/google.ct"; depth:47; endswith; nocase; http.host; content:"it-irrigatn-cntrl-network-go.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848833/; classtype:trojan-activity;sid:84711933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.225.47.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848832/; classtype:trojan-activity;sid:84711932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.167.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848831/; classtype:trojan-activity;sid:84711931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12e378c8-ae65-4523-ac4d-5047f2485eb1/google.ct"; depth:47; endswith; nocase; http.host; content:"antbots-uni-resou-plats.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848830/; classtype:trojan-activity;sid:84711930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.248.157.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848829/; classtype:trojan-activity;sid:84711929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.148.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848828/; classtype:trojan-activity;sid:84711928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848827/; classtype:trojan-activity;sid:84711927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848825/; classtype:trojan-activity;sid:84711925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.20.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848826/; classtype:trojan-activity;sid:84711926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.10.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848824/; classtype:trojan-activity;sid:84711924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.227.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848823/; classtype:trojan-activity;sid:84711923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57245a21-8d94-43bf-aa16-fcb66b322a1c/google.ct"; depth:47; endswith; nocase; http.host; content:"get-shell-gard-frame-work.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848822/; classtype:trojan-activity;sid:84711922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.169.166.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848821/; classtype:trojan-activity;sid:84711921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.107.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848820/; classtype:trojan-activity;sid:84711920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.148.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848819/; classtype:trojan-activity;sid:84711919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.20.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848818/; classtype:trojan-activity;sid:84711918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.227.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848817/; classtype:trojan-activity;sid:84711917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.210.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848816/; classtype:trojan-activity;sid:84711916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d6ce0e64-d74c-4fcf-976a-799cadc7963b/google.ct"; depth:47; endswith; nocase; http.host; content:"great-fauna-tcpipgay-go-system.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848815/; classtype:trojan-activity;sid:84711915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.93.220"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848814/; classtype:trojan-activity;sid:84711914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848813/; classtype:trojan-activity;sid:84711913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ab011f6-b93a-41e2-9575-1950f87feb78/google.ct"; depth:47; endswith; nocase; http.host; content:"docktan-flexo-avastpig-engine.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848811/; classtype:trojan-activity;sid:84711911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.23.91.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848812/; classtype:trojan-activity;sid:84711912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.69.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848810/; classtype:trojan-activity;sid:84711910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.210.194"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848809/; classtype:trojan-activity;sid:84711909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.177.28.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848808/; classtype:trojan-activity;sid:84711908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848807/; classtype:trojan-activity;sid:84711907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.84.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848806/; classtype:trojan-activity;sid:84711906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848805/; classtype:trojan-activity;sid:84711905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848798/; classtype:trojan-activity;sid:84711898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848799/; classtype:trojan-activity;sid:84711899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848800/; classtype:trojan-activity;sid:84711900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848801/; classtype:trojan-activity;sid:84711901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848802/; classtype:trojan-activity;sid:84711902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848803/; classtype:trojan-activity;sid:84711903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848804/; classtype:trojan-activity;sid:84711904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"142.248.80.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848797/; classtype:trojan-activity;sid:84711897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.204.196.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848796/; classtype:trojan-activity;sid:84711896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a4ee093e-4d2c-46b2-bcc4-07200a431043/google.ct"; depth:47; endswith; nocase; http.host; content:"glow-hub-herboron-sixoauth-work.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848795/; classtype:trojan-activity;sid:84711895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.24.209"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848794/; classtype:trojan-activity;sid:84711894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"101.53.233.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848793/; classtype:trojan-activity;sid:84711893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"176.226.230.116"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848792/; classtype:trojan-activity;sid:84711892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"121.176.14.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848791/; classtype:trojan-activity;sid:84711891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"121.176.14.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848789/; classtype:trojan-activity;sid:84711889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"121.176.14.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848790/; classtype:trojan-activity;sid:84711890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"121.176.14.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848787/; classtype:trojan-activity;sid:84711887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"121.176.14.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848788/; classtype:trojan-activity;sid:84711888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clean"; depth:6; endswith; nocase; http.host; content:"121.176.14.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848786/; classtype:trojan-activity;sid:84711886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"159.255.22.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848785/; classtype:trojan-activity;sid:84711885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=304dc7c8-f038-494d-b654-88fa37a8a0c6"; depth:47; endswith; nocase; http.host; content:"23dcbt0c.network-horizon.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848784/; classtype:trojan-activity;sid:84711884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jenkins"; depth:13; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848783/; classtype:trojan-activity;sid:84711883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.103.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848782/; classtype:trojan-activity;sid:84711882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.75.0"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848781/; classtype:trojan-activity;sid:84711881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6b919806-7463-4c2e-b63d-908b56813d79/google.ct"; depth:47; endswith; nocase; http.host; content:"container-folder-gized-greenhub.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848780/; classtype:trojan-activity;sid:84711880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848779/; classtype:trojan-activity;sid:84711879; rev:1;)
# NOTE(review): the next rule's host is github.com, a shared hosting platform. Only the 68-byte exact
# path makes it specific, so it should not be broadened to a host-only or SNI match when tuning.
# Release downloads from that host are presumably fetched over HTTPS; without TLS decryption this
# `alert http` rule may never see the request. Verify coverage against proxy or endpoint logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gutsyheartpeu/davinci-vpn/releases/download/3.2/davinci.vpn.3.2.exe"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848778/; classtype:trojan-activity;sid:84711878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.103.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848777/; classtype:trojan-activity;sid:84711877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848776/; classtype:trojan-activity;sid:84711876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c78167f2-ae7f-452f-b61e-c9545f3a4358/google.ct"; depth:47; endswith; nocase; http.host; content:"flora-observe-ability-engine.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848775/; classtype:trojan-activity;sid:84711875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.36.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848774/; classtype:trojan-activity;sid:84711874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.57.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848773/; classtype:trojan-activity;sid:84711873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35da65eb-8288-4efc-a901-6782ed0509d2/google.ct"; depth:47; endswith; nocase; http.host; content:"coad-meadow-analytics-center.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848772/; classtype:trojan-activity;sid:84711872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.178.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848771/; classtype:trojan-activity;sid:84711871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.202.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848770/; classtype:trojan-activity;sid:84711870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.36.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848769/; classtype:trojan-activity;sid:84711869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.111.24"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848768/; classtype:trojan-activity;sid:84711868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/43e3e3f2-ea94-4f09-b71f-982faf95b5e8/google.ct"; depth:47; endswith; nocase; http.host; content:"june-fed-plant-workflow.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848767/; classtype:trojan-activity;sid:84711867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.90.116"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848766/; classtype:trojan-activity;sid:84711866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.57.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848765/; classtype:trojan-activity;sid:84711865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.181.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848764/; classtype:trojan-activity;sid:84711864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.168.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848763/; classtype:trojan-activity;sid:84711863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b185f44d-51ed-45d5-8c93-66edd616a4fe/google.ct"; depth:47; endswith; nocase; http.host; content:"it-irrigation-control-network.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848762/; classtype:trojan-activity;sid:84711862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.181.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848761/; classtype:trojan-activity;sid:84711861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.185.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848760/; classtype:trojan-activity;sid:84711860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.90.116"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848759/; classtype:trojan-activity;sid:84711859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.178.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848758/; classtype:trojan-activity;sid:84711858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.168.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848757/; classtype:trojan-activity;sid:84711857; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dab42d4d-82a4-4d71-89e2-701284677dd3/google.ct"; depth:47; endswith; nocase; http.host; content:"bots-unical-resource-platform.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848756/; classtype:trojan-activity;sid:84711856; rev:1;)
# NOTE(review): the URI pattern in the next rule uses the hex escape |3f| ("?"), which is a
# single byte in the inspected buffer, so the pattern is 44 bytes long while depth is 47
# (the length of the escaped rule text). Together with endswith this appears to be slightly
# looser than the exact-URI match of the neighbouring rules: up to three extra leading bytes
# would still match. The exact http.host match keeps the rule narrow in practice, and
# depth:44 would restore the exact match. The same applies to the other rule in this file
# whose URI pattern contains |3f| - worth raising with the feed maintainer rather than
# patching a generated ruleset locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=18e43fcd-7888-4712-86d7-27df8740abc2"; depth:47; endswith; nocase; http.host; content:"4getd0km.script-matrix.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848755/; classtype:trojan-activity;sid:84711855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.14.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848754/; classtype:trojan-activity;sid:84711854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.147.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848753/; classtype:trojan-activity;sid:84711853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"116.138.221.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848752/; classtype:trojan-activity;sid:84711852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.216.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848751/; classtype:trojan-activity;sid:84711851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5df02ade-be96-4b58-a8fb-9728a09fe44e/google.ct"; depth:47; endswith; nocase; http.host; content:"shells-garden-framework.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848750/; classtype:trojan-activity;sid:84711850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.221.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848749/; classtype:trojan-activity;sid:84711849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.167.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848748/; classtype:trojan-activity;sid:84711848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3848747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.14.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848747/; classtype:trojan-activity;sid:84711847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.147.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848746/; classtype:trojan-activity;sid:84711846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56ac5a7d-4560-415b-be81-60f72310a6da/google.ct"; depth:47; endswith; nocase; http.host; content:"wild-flora-processing-go-system.garden"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848745/; classtype:trojan-activity;sid:84711845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.216.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848744/; classtype:trojan-activity;sid:84711844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.102.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, 
urlhaus.abuse.ch/url/3848743/; classtype:trojan-activity;sid:84711843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.142.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848741/; classtype:trojan-activity;sid:84711841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.142.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848742/; classtype:trojan-activity;sid:84711842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a77b1c8-2189-45f4-90e9-d491c1bf0053/google.ct"; depth:47; endswith; nocase; http.host; content:"got-flexl-distrib-engine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848740/; classtype:trojan-activity;sid:84711840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848739/; classtype:trojan-activity;sid:84711839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"110.37.38.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848738/; classtype:trojan-activity;sid:84711838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848737/; classtype:trojan-activity;sid:84711837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f0a864a4-6104-48f1-8efb-a7ead220fbab/google.ct"; depth:47; endswith; nocase; http.host; content:"flow-hub-green-house-work.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848736/; classtype:trojan-activity;sid:84711836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.83.67"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848735/; classtype:trojan-activity;sid:84711835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/763888fa-4152-4ed7-ad5d-6446639d67b1/google.ct"; depth:47; endswith; nocase; http.host; content:"wildfloraprocessingsystem.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848734/; classtype:trojan-activity;sid:84711834; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.18.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848733/; classtype:trojan-activity;sid:84711833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.76.136.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848732/; classtype:trojan-activity;sid:84711832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.20.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848731/; classtype:trojan-activity;sid:84711831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.17.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848729/; classtype:trojan-activity;sid:84711829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.218.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, 
urlhaus.abuse.ch/url/3848730/; classtype:trojan-activity;sid:84711830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.38.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848728/; classtype:trojan-activity;sid:84711828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848727/; classtype:trojan-activity;sid:84711827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.102.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848726/; classtype:trojan-activity;sid:84711826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/80594af8-ed70-430d-8f54-e3f6cf888a03/google.ct"; depth:47; endswith; nocase; http.host; content:"petal-distribution-engine.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848725/; classtype:trojan-activity;sid:84711825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848724)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/|3f|ublib=02d403b6-281a-4019-bb55-dcc49482e282"; depth:47; endswith; nocase; http.host; content:"2b7f1jfa.cloud-forge.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848724/; classtype:trojan-activity;sid:84711824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.18.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848723/; classtype:trojan-activity;sid:84711823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.17.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848722/; classtype:trojan-activity;sid:84711822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.20.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848721/; classtype:trojan-activity;sid:84711821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.137.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848720/; classtype:trojan-activity;sid:84711820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3848719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.38.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848719/; classtype:trojan-activity;sid:84711819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848718/; classtype:trojan-activity;sid:84711818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848717/; classtype:trojan-activity;sid:84711817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/659ff5a6-9d6d-4f6c-ba32-75f10cdef407/google.ct"; depth:47; endswith; nocase; http.host; content:"irrigation-control-network.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848716/; classtype:trojan-activity;sid:84711816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.56.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; 
reference:url, urlhaus.abuse.ch/url/3848715/; classtype:trojan-activity;sid:84711815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d281eb6c-934f-432e-9093-cca0631ee044/google.ct"; depth:47; endswith; nocase; http.host; content:"greenhouseworkflowhub.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848714/; classtype:trojan-activity;sid:84711814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848713/; classtype:trojan-activity;sid:84711813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.137.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848712/; classtype:trojan-activity;sid:84711812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.203.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848711/; classtype:trojan-activity;sid:84711811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848710)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.96.116"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848710/; classtype:trojan-activity;sid:84711810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848709/; classtype:trojan-activity;sid:84711809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848708/; classtype:trojan-activity;sid:84711808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1df0177d-28f4-4d6b-8853-b32b64c6dc59/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-garden-framework.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848707/; classtype:trojan-activity;sid:84711807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.147.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848706/; classtype:trojan-activity;sid:84711806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3848705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.5.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848705/; classtype:trojan-activity;sid:84711805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4b12b23c-f549-40fc-ad78-fb77a8253d9a/google.ct"; depth:47; endswith; nocase; http.host; content:"botanicalresourceplatform.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848704/; classtype:trojan-activity;sid:84711804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.147.238"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848703/; classtype:trojan-activity;sid:84711803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848702/; classtype:trojan-activity;sid:84711802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.87.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; 
reference:url, urlhaus.abuse.ch/url/3848701/; classtype:trojan-activity;sid:84711801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.33.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848700/; classtype:trojan-activity;sid:84711800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c61dcac6-41f2-4e86-bd4c-280e86e9ee3e/google.ct"; depth:47; endswith; nocase; http.host; content:"forgotten-civilization-myth.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848699/; classtype:trojan-activity;sid:84711799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848698/; classtype:trojan-activity;sid:84711798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848697/; classtype:trojan-activity;sid:84711797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848696)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i386"; depth:5; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848696/; classtype:trojan-activity;sid:84711796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm64"; depth:14; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848695/; classtype:trojan-activity;sid:84711795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848693/; classtype:trojan-activity;sid:84711793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848694/; classtype:trojan-activity;sid:84711794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848691/; classtype:trojan-activity;sid:84711791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3848692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848692/; classtype:trojan-activity;sid:84711792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848690/; classtype:trojan-activity;sid:84711790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miner.sh"; depth:9; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848688/; classtype:trojan-activity;sid:84711788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv71"; depth:7; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848689/; classtype:trojan-activity;sid:84711789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848687/; classtype:trojan-activity;sid:84711787; rev:1;) 
# How to read the rules below (they all share one template):
#  * "alert http $HOME_NET any -> $EXTERNAL_NET any" with flow:established,from_client
#    inspects client requests going from $HOME_NET to $EXTERNAL_NET. An alert therefore
#    means an internal host requested the listed URL, not that the download succeeded.
#  * http.method; content:"GET" restricts the match to GET requests.
#  * http.uri; content:"<path>"; depth:<n>; endswith; nocase - depth equals the pattern
#    length and endswith anchors the end of the buffer, so the whole URI has to equal
#    <path> (case-insensitively). A different path or an added query string does not match.
#  * http.host; content:"<host>"; depth:<n>; isdataat:!1,relative anchors the host the
#    same way: the pattern must start at offset 0 and no data may follow it.
#  * The number in msg is the URLhaus entry id, which reference:url repeats.
#  * Because the rules use the http protocol keyword, only traffic Suricata parses as HTTP
#    is covered; the same URL fetched over TLS is not visible to them unless the traffic
#    is decrypted before it reaches the sensor.
#  * These are point-in-time indicators (see metadata:created_at); treat a hit as a lead
#    to confirm against the referenced URLhaus entry and the host's own telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm64"; depth:14; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848678/; classtype:trojan-activity;sid:84711778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848679/; classtype:trojan-activity;sid:84711779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848680/; classtype:trojan-activity;sid:84711780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848681/; classtype:trojan-activity;sid:84711781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848682/; classtype:trojan-activity;sid:84711782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848683/; classtype:trojan-activity;sid:84711783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848684/; classtype:trojan-activity;sid:84711784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848685/; classtype:trojan-activity;sid:84711785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848686/; classtype:trojan-activity;sid:84711786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848677/; classtype:trojan-activity;sid:84711777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm"; depth:12; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848676/; classtype:trojan-activity;sid:84711776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848673/; classtype:trojan-activity;sid:84711773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848674/; classtype:trojan-activity;sid:84711774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848675/; classtype:trojan-activity;sid:84711775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848672)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i386"; depth:5; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848672/; classtype:trojan-activity;sid:84711772; rev:1;)
# URLhaus payload-URL rules: each alerts when a $HOME_NET client sends an HTTP GET
# whose http.uri and http.host both equal the listed values (content + depth pin
# the start of the buffer; endswith / isdataat:!1,relative pin the end).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848671/; classtype:trojan-activity;sid:84711770; rev:1;)
# NOTE(review): "|3f|" encodes a single byte ("?"), so the http.uri pattern in the
# next rule is 44 bytes long, but depth is 47 (the length of the escaped text).
# endswith still anchors the end of the buffer, yet up to 3 bytes may precede the
# pattern, unlike the neighbouring rules where depth equals the pattern length.
# The match also shows that the query string is part of the http.uri buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0938e072-a68b-4956-809d-84159a094e12"; depth:47; endswith; nocase; http.host; content:"ba5ufc2h.logic-sphere.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848670/; classtype:trojan-activity;sid:84711770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miner.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848658/; classtype:trojan-activity;sid:84711758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848659/; classtype:trojan-activity;sid:84711759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v7.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848660/; classtype:trojan-activity;sid:84711760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v7.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848661/; classtype:trojan-activity;sid:84711761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.armel"; depth:8; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848662/; classtype:trojan-activity;sid:84711762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.mips64"; depth:9; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848663/; classtype:trojan-activity;sid:84711763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v6.x86_64"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848664/; classtype:trojan-activity;sid:84711764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848665/; classtype:trojan-activity;sid:84711765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.i386"; depth:7; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848666/; classtype:trojan-activity;sid:84711766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.sh4"; depth:6; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848667/; classtype:trojan-activity;sid:84711767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips64"; depth:7; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848668/; classtype:trojan-activity;sid:84711768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv71"; depth:7; endswith; nocase; http.host; content:"176.65.139.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848669/; classtype:trojan-activity;sid:84711769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v7.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848636/; classtype:trojan-activity;sid:84711736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848637/; classtype:trojan-activity;sid:84711737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.powerpc"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848638/; classtype:trojan-activity;sid:84711738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.sh4"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848639/; classtype:trojan-activity;sid:84711739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3848640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848640/; classtype:trojan-activity;sid:84711740; rev:1;)
# URLhaus payload-URL rules: an alert means a $HOME_NET client sent an HTTP GET
# for exactly the listed http.uri on exactly the listed http.host.
# Every rule in this run uses http.host 5.231.230.158; only http.uri, the
# URLhaus ID in msg/reference and the sid differ between them.
# The destination port is "any", so the rules do not depend on which port the
# listed host serves the file from.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848641/; classtype:trojan-activity;sid:84711741; rev:1;)
# A four-byte path like "/sh4" is only meaningful together with the host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848642/; classtype:trojan-activity;sid:84711742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v7.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848643/; classtype:trojan-activity;sid:84711743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.armhf"; depth:13; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848644/; classtype:trojan-activity;sid:84711744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.arm64"; depth:8; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848645/; classtype:trojan-activity;sid:84711745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips64el"; depth:9; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848646/; classtype:trojan-activity;sid:84711746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.x86_64"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848647/; classtype:trojan-activity;sid:84711747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armel"; depth:6; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848648/; classtype:trojan-activity;sid:84711748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.armhf"; depth:8; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848649/; classtype:trojan-activity;sid:84711749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v8.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848650/; classtype:trojan-activity;sid:84711750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.powerpc"; depth:10; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848651/; classtype:trojan-activity;sid:84711751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v7.x86_64"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848652/; classtype:trojan-activity;sid:84711752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.aarch64"; depth:10; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848653/; classtype:trojan-activity;sid:84711753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.mips64el"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848654/; classtype:trojan-activity;sid:84711754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848655/; classtype:trojan-activity;sid:84711755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.i686"; depth:7; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848656/; classtype:trojan-activity;sid:84711756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.x86"; depth:6; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848657/; classtype:trojan-activity;sid:84711757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v3.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848608/; classtype:trojan-activity;sid:84711708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848609)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_new.mips"; depth:13; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848609/; classtype:trojan-activity;sid:84711709; rev:1;)
# URLhaus payload-URL rules: one rule per listed URL, matching an HTTP GET from
# $HOME_NET whose http.uri and http.host both equal the listed values exactly.
# metadata:created_at records when the entry was added (2026_05_17 for every
# rule here); use it to age out stale entries, since a host that is an IP
# literal may later serve unrelated content.
# All rules are rev:1 with classtype trojan-activity, so alert priority comes
# from the local classification.config mapping rather than from the rule text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_new.aarch64"; depth:16; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848610/; classtype:trojan-activity;sid:84711710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v9.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848611/; classtype:trojan-activity;sid:84711711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v6.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848612/; classtype:trojan-activity;sid:84711712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86"; depth:8; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848613/; classtype:trojan-activity;sid:84711713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v3.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848614/; classtype:trojan-activity;sid:84711714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v3.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848615/; classtype:trojan-activity;sid:84711715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v4.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848616/; classtype:trojan-activity;sid:84711716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v9.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848617/; classtype:trojan-activity;sid:84711717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v3.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848618/; classtype:trojan-activity;sid:84711718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v10.mipsel"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848619/; classtype:trojan-activity;sid:84711719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.x86_64"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848620/; classtype:trojan-activity;sid:84711720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v6.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848621/; classtype:trojan-activity;sid:84711721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.armhf"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848622/; classtype:trojan-activity;sid:84711722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.aarch64"; depth:16; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848623/; classtype:trojan-activity;sid:84711723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.x86_64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848624/; classtype:trojan-activity;sid:84711724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v9.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848625/; classtype:trojan-activity;sid:84711725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v6.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848626/; classtype:trojan-activity;sid:84711726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v5.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848627/; classtype:trojan-activity;sid:84711727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3848628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v5.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848628/; classtype:trojan-activity;sid:84711728; rev:1;)
# URLhaus payload-URL rules: one rule per listed URL, matching an HTTP GET from
# $HOME_NET whose http.uri and http.host both equal the listed values exactly.
# What an alert means: flow:from_client plus the request buffers (method, uri,
# host) match the request only. The alert shows the client asked for the file,
# not that it was delivered; check the HTTP response status and size in the
# sensor's HTTP/file logs before concluding the payload reached the host.
# Visibility: "alert http" depends on Suricata parsing the flow as HTTP, so the
# same URL fetched inside TLS is not covered unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v6.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848629/; classtype:trojan-activity;sid:84711729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_new.powerpc"; depth:16; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848630/; classtype:trojan-activity;sid:84711730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.mips"; depth:13; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848631/; classtype:trojan-activity;sid:84711731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v5.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848632/; classtype:trojan-activity;sid:84711732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.powerpc"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848633/; classtype:trojan-activity;sid:84711733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v4.x86_64"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848634/; classtype:trojan-activity;sid:84711734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_new.sh4"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848635/; classtype:trojan-activity;sid:84711735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.mips"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848584/; classtype:trojan-activity;sid:84711684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v10.arm"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848585/; classtype:trojan-activity;sid:84711685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.sh4"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848586/; classtype:trojan-activity;sid:84711686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.sh4"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848587/; classtype:trojan-activity;sid:84711687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848588/; classtype:trojan-activity;sid:84711688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v4.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848589/; classtype:trojan-activity;sid:84711689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v4.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848590/; classtype:trojan-activity;sid:84711690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.arm"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848591/; classtype:trojan-activity;sid:84711691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_new.arm"; depth:12; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848592/; classtype:trojan-activity;sid:84711692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v9.arm"; depth:11; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848593/; classtype:trojan-activity;sid:84711693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848594/; classtype:trojan-activity;sid:84711694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v10.x86_64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848595/; classtype:trojan-activity;sid:84711695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_new.armhf"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848596/; classtype:trojan-activity;sid:84711696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.mipsel"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848597/; classtype:trojan-activity;sid:84711697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_amp.powerpc"; depth:16; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848598/; classtype:trojan-activity;sid:84711698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v4.mipsel"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848599/; classtype:trojan-activity;sid:84711699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v5.x86_64"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848600/; classtype:trojan-activity;sid:84711700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v10.mips"; depth:13; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848601/; classtype:trojan-activity;sid:84711701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v5.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848602/; classtype:trojan-activity;sid:84711702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v3.x86_64"; depth:14; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848603/; classtype:trojan-activity;sid:84711703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848604)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bot_new.mipsel"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848604/; classtype:trojan-activity;sid:84711704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.armhf"; depth:13; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848605/; classtype:trojan-activity;sid:84711705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_v2.aarch64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848606/; classtype:trojan-activity;sid:84711706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_new.x86_64"; depth:15; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848607/; classtype:trojan-activity;sid:84711707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"svosoldati.file-online.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848582/; classtype:trojan-activity;sid:84711682; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"milan-hasbik.file-online.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848583/; classtype:trojan-activity;sid:84711683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"1sj4u9.file-online.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848581/; classtype:trojan-activity;sid:84711681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"0gtutd.yandex-file.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848580/; classtype:trojan-activity;sid:84711680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"5pt4yq.file-online.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848579/; classtype:trojan-activity;sid:84711679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"sir8uu.yandex-file.lat"; depth:22; isdataat:!1,relative; 
metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848577/; classtype:trojan-activity;sid:84711677; rev:1;)
# NOTE(review): confirm the following on sid 84711678 before counting on it for coverage.
#  - "|7c|26|7c|" decodes to the three bytes "|&|"; a bare "&" would be written "|26|". This looks like
#    the pipes of an already hex-escaped "&" having been escaped a second time, so the pattern probably
#    does not equal the query string a client actually sends.
#  - depth:124 is the character count of the escaped pattern text; the decoded pattern is 107 bytes.
#    With endswith, that lets up to 17 bytes precede the pattern instead of pinning it to the start of http.uri.
#  - www.dropbox.com is normally fetched over TLS; an "alert http" rule inspects the request only where the
#    sensor sees cleartext or decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/oixbhi9ex6rasydplm2su/5621390019_protected.exe|3f|rlkey=zgxdnsdy6p7bxstuasb3rcvkg|7c|26|7c|st=szs69fqf|7c|26|7c|dl=1"; depth:124; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848578/; classtype:trojan-activity;sid:84711678; rev:1;)
# The three rules below pair an exact URI (depth equals pattern length, plus endswith) with an exact
# host literal (depth equals host length, plus isdataat:!1,relative), so each matches one URL only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.v10.aarch64"; depth:16; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848574/; classtype:trojan-activity;sid:84711674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armhf"; depth:10; endswith; nocase; http.host; content:"5.231.230.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848575/; classtype:trojan-activity;sid:84711675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8614c9a8cb905bb7.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848576/; classtype:trojan-activity;sid:84711676; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/js/bin/xclient.exe"; depth:28; endswith; nocase; http.host; content:"motriztrading.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848573/; classtype:trojan-activity;sid:84711673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cqslt/server.exe"; depth:17; endswith; nocase; http.host; content:"temp.sh"; depth:7; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848572/; classtype:trojan-activity;sid:84711672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_cd8e69fee59d44f9.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848569/; classtype:trojan-activity;sid:84711669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ddceccb82c300862.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848570/; classtype:trojan-activity;sid:84711670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_9c4ae13fc1b5979b.exe"; depth:48; 
endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848571/; classtype:trojan-activity;sid:84711671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.php"; depth:13; endswith; nocase; http.host; content:"ggwpcheats.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848568/; classtype:trojan-activity;sid:84711668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/wxw0a123ip3m/mini-windows.exe"; depth:33; endswith; nocase; http.host; content:"tmpfiles.org"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848567/; classtype:trojan-activity;sid:84711667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8ee6cfb3c95ba9fd.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848565/; classtype:trojan-activity;sid:84711665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_f2b7e4245c71618a.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848566/; classtype:trojan-activity;sid:84711666; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_ba112fd99234f3d0.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848559/; classtype:trojan-activity;sid:84711659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_bd1c30c061d58b61.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848560/; classtype:trojan-activity;sid:84711660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_274ff12d25b209ab.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848561/; classtype:trojan-activity;sid:84711661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_07270b461b09d259.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848562/; classtype:trojan-activity;sid:84711662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848563)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/files-129312398/files/file_adb3c6e8ffa836d9.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848563/; classtype:trojan-activity;sid:84711663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_023e3436c4c9b9f0.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848564/; classtype:trojan-activity;sid:84711664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.44.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848558/; classtype:trojan-activity;sid:84711658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848557/; classtype:trojan-activity;sid:84711657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.171.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848556/; classtype:trojan-activity;sid:84711656; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61ba98a4-7af9-4c58-80ed-09b15b0e4233/google.ct"; depth:47; endswith; nocase; http.host; content:"perfect-lasagna-layer.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848555/; classtype:trojan-activity;sid:84711655; rev:1;)
# NOTE(review): confirm the following on sid 84711654 before counting on it for coverage.
#  - "|7c|26|7c|" decodes to "|&|" rather than "&" (which would be "|26|"); this is probably a
#    double-escaped ampersand, in which case the pattern cannot equal the real query string.
#  - depth:107 is the length of the escaped pattern text; the decoded pattern is 90 bytes, so the
#    depth/endswith pair does not pin the pattern to the start of http.uri.
#  - www.dropbox.com is normally fetched over TLS; this rule needs cleartext or decrypted HTTP to see the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/hhtv1g1v0gej1jkilj9kk/app.exe|3f|rlkey=0crc8slz2xge7ad5kk5rarura|7c|26|7c|st=lor1yi1n|7c|26|7c|dl=1"; depth:107; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848554/; classtype:trojan-activity;sid:84711654; rev:1;)
# The short URIs below ("/bin.sh", "/i") are specific only because the same rule also requires the exact
# host literal; keep the http.host condition if these rules are ever adapted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.171.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848553/; classtype:trojan-activity;sid:84711653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.43.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848552/; classtype:trojan-activity;sid:84711652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848551)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/77f58155-46a3-4825-819f-3c98f05a7544/google.ct"; depth:47; endswith; nocase; http.host; content:"glacial-ice-core-sample.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848551/; classtype:trojan-activity;sid:84711651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.43.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848550/; classtype:trojan-activity;sid:84711650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/67616b8b-5a04-41bd-8641-1826b907c33e/google.ct"; depth:47; endswith; nocase; http.host; content:"steampunkaeronautics.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848549/; classtype:trojan-activity;sid:84711649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/windowsservice.exe"; depth:28; endswith; nocase; http.host; content:"141.164.63.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848548/; classtype:trojan-activity;sid:84711648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv7l"; depth:17; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, 
urlhaus.abuse.ch/url/3848546/; classtype:trojan-activity;sid:84711646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv4l"; depth:17; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848547/; classtype:trojan-activity;sid:84711647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/client_pure.exe"; depth:25; endswith; nocase; http.host; content:"141.164.63.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848545/; classtype:trojan-activity;sid:84711645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.powerpc"; depth:18; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848541/; classtype:trojan-activity;sid:84711641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv5l"; depth:17; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848542/; classtype:trojan-activity;sid:84711642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.armv6l"; 
depth:17; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848543/; classtype:trojan-activity;sid:84711643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.x86_64"; depth:17; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848544/; classtype:trojan-activity;sid:84711644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.i686"; depth:15; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848533/; classtype:trojan-activity;sid:84711633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mipsel"; depth:17; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848534/; classtype:trojan-activity;sid:84711634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.mips"; depth:15; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848535/; classtype:trojan-activity;sid:84711635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3848536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"fatkow.file-online.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848536/; classtype:trojan-activity;sid:84711636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"xc88b0.file-online.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848537/; classtype:trojan-activity;sid:84711637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"epx5g5.file-online.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848538/; classtype:trojan-activity;sid:84711638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.i586"; depth:15; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848539/; classtype:trojan-activity;sid:84711639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/nova.sh4"; depth:14; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848540/; 
classtype:trojan-activity;sid:84711640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"svo-pois.file-online.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848532/; classtype:trojan-activity;sid:84711632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_c2678a9a1b213aef.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848527/; classtype:trojan-activity;sid:84711627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_9276eb0f57308d73.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848528/; classtype:trojan-activity;sid:84711628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_60ac81dcbb06b186.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848529/; classtype:trojan-activity;sid:84711629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848530)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"maxvideo.file-online.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848530/; classtype:trojan-activity;sid:84711630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nova.sh"; depth:8; endswith; nocase; http.host; content:"2.56.246.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848531/; classtype:trojan-activity;sid:84711631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/w5wmeltzsvpw/winspec.exe"; depth:28; endswith; nocase; http.host; content:"tmpfiles.org"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848526/; classtype:trojan-activity;sid:84711626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1776562136/svchost.exe"; depth:23; endswith; nocase; http.host; content:"2.26.122.15"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848525/; classtype:trojan-activity;sid:84711625; rev:1;)
# NOTE(review): sids 84711624 and 84711623 carry the same attachment path with different ex=/is=/hm= values.
#  - Each rule matches the whole query string exactly, so a request for the same file with any other
#    ex=/is=/hm= values is presumably missed; verify whether path-only matching is wanted locally.
#  - "|7c|26|7c|" decodes to "|&|", not "&" (which would be "|26|"); this is probably a double-escaped
#    ampersand, so as written the patterns are unlikely to equal the URI a client sends.
#  - depth:188 is the length of the escaped pattern text; the decoded pattern is 164 bytes.
#  - cdn.discordapp.com is normally fetched over TLS; "alert http" needs cleartext or decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1445797339582431235/1504773199617982544/system32.exe|3f|ex=6a098640|7c|26|7c|is=6a0834c0|7c|26|7c|hm=07c4176594733262d2584b74b559d6b324d274bed937c7d40ea155136f74d39e|7c|26|7c|"; depth:188; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848524/; classtype:trojan-activity;sid:84711624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1445797339582431235/1504773199617982544/system32.exe|3f|ex=6a0834c0|7c|26|7c|is=6a06e340|7c|26|7c|hm=3670f8671808b14a7de590d651e3665166f99776ec939944b77c054ee0af7fc3|7c|26|7c|"; depth:188; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848523/; classtype:trojan-activity;sid:84711623; rev:1;)
# NOTE(review): sid 84711620 has a malformed URI pattern.
#  - The Dropbox path and query are followed directly by a second full "https://www.dropbox.com/..." copy
#    of the same link ("dl=0https://..."). It looks as if two URLs were submitted run together, so the
#    pattern is unlikely to equal any real request URI.
#  - The same "|7c|26|7c|" (decodes to "|&|") and escaped-length depth (255 against 221 decoded bytes)
#    caveats apply, as does the TLS caveat for www.dropbox.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/ex1a1fllyh1s9btieeqn6/sq469eehw8ty.exe|3f|rlkey=igsxdnz60e4j9awr87sfdq6tf|7c|26|7c|st=ox0brfwh|7c|26|7c|dl=0https://www.dropbox.com/scl/fi/ex1a1fllyh1s9btieeqn6/sq469eehw8ty.exe|3f|rlkey=igsxdnz60e4j9awr87sfdq6tf|7c|26|7c|st=ox0brfwh|7c|26|7c|dl=1"; depth:255; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848520/; classtype:trojan-activity;sid:84711620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"77.91.96.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848521/; classtype:trojan-activity;sid:84711621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848522)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"dpsradars.shop"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848522/; classtype:trojan-activity;sid:84711622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_3c998b977b8a6715.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848510/; classtype:trojan-activity;sid:84711610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_84f8517db3ecabce.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848511/; classtype:trojan-activity;sid:84711611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_c4f1a8d3608fd717.cmd"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848512/; classtype:trojan-activity;sid:84711612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_58e75d774ea83f95.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848513/; classtype:trojan-activity;sid:84711613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_28e7b09ae7bba3f2.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848514/; classtype:trojan-activity;sid:84711614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/script.sh"; depth:10; endswith; nocase; http.host; content:"novacinder.digital"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848515/; classtype:trojan-activity;sid:84711615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1e6fc70654906fb5.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848516/; classtype:trojan-activity;sid:84711616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_27ccfff44d61983d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848517/; classtype:trojan-activity;sid:84711617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3848518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_8bdb712dca908d02.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848518/; classtype:trojan-activity;sid:84711618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e353c81a9a32e76e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848519/; classtype:trojan-activity;sid:84711619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.227.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848509/; classtype:trojan-activity;sid:84711609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.13.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848508/; classtype:trojan-activity;sid:84711608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/866fee0b-b1db-4cf0-9cee-5d6bf2c4565a/google.ct"; depth:47; endswith; nocase; http.host; 
content:"alchemical-formula-scroll.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848507/; classtype:trojan-activity;sid:84711607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.209.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848506/; classtype:trojan-activity;sid:84711606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.155.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848505/; classtype:trojan-activity;sid:84711605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.238.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848504/; classtype:trojan-activity;sid:84711604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bd70a08d-ceac-4d91-abbe-dffbdb33d2e3/google.ct"; depth:47; endswith; nocase; http.host; content:"cosmicmicrowavebackground.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848503/; classtype:trojan-activity;sid:84711603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3848502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.177.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848502/; classtype:trojan-activity;sid:84711602; rev:1;)
# The line above completes a rule whose header is on the preceding line of the page.
#
# Rule layout (one rule per line from here on). Each rule alerts on an
# established, client-side HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - http.uri matches the listed path case-insensitively, anchored by
#     depth + endswith, and
#   - http.host matches the listed host, anchored by depth + isdataat:!1,relative.
# The id in msg is the URLhaus entry named in reference:url.
# NOTE(review): /i and /bin.sh are generic paths, so each match is only as
# specific as its Host value; bare-IP hosts may be reassigned over time, so
# consider ageing entries out using metadata:created_at.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.113.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848500/; classtype:trojan-activity;sid:84711600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.227.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848501/; classtype:trojan-activity;sid:84711601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.209.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848499/; classtype:trojan-activity;sid:84711599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.238.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848498/; classtype:trojan-activity;sid:84711598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.155.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848497/; classtype:trojan-activity;sid:84711597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.224.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848496/; classtype:trojan-activity;sid:84711596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/bolts"; depth:11; endswith; nocase; http.host; content:"31.58.226.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848495/; classtype:trojan-activity;sid:84711595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.127.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848494/; classtype:trojan-activity;sid:84711594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.177.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848493/; classtype:trojan-activity;sid:84711593; rev:1;)
# NOTE(review): depth:47 counts the `|3f|` escape as four characters; the
# decoded content (slash, question mark, "ublib=", 36-character id) is 44 bytes,
# so the match may begin up to 3 bytes into the URI. Harmless here, but looser
# than the sibling rules, where depth equals the content length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=12490a74-9264-4ea6-b8ec-2556f1e51192"; depth:47; endswith; nocase; http.host; content:"d1jtbg8r.node-matrix.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848492/; classtype:trojan-activity;sid:84711592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6be3e3b7-b67c-4b7b-8dcb-fc56b44796f0/google.ct"; depth:47; endswith; nocase; http.host; content:"vintage-blueprint-vault.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848491/; classtype:trojan-activity;sid:84711591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.224.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848490/; classtype:trojan-activity;sid:84711590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.155.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848489/; classtype:trojan-activity;sid:84711589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d270c3a-bb43-4073-bef7-3c7b0cfec449/google.ct"; depth:47; endswith; nocase; http.host; content:"abyssal-kraken-trench.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848488/; classtype:trojan-activity;sid:84711588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848487/; classtype:trojan-activity;sid:84711587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/poop"; depth:10; endswith; nocase; http.host; content:"31.58.226.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848486/; classtype:trojan-activity;sid:84711586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.12.229.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848485/; classtype:trojan-activity;sid:84711585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4171e19a-af47-45fb-ad00-7b2ee9cd5995/google.ct"; depth:47; endswith; nocase; http.host; content:"handmade-cheese-traveler.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848484/; classtype:trojan-activity;sid:84711584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jenkins"; depth:13; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848483/; classtype:trojan-activity;sid:84711583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.137.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848482/; classtype:trojan-activity;sid:84711582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.143.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848481/; classtype:trojan-activity;sid:84711581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.234.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848480/; classtype:trojan-activity;sid:84711580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5c8d04d-57a4-4d5f-abad-01692e983424/google.ct"; depth:47; endswith; nocase; http.host; content:"predator-hunting-chronicles.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848479/; classtype:trojan-activity;sid:84711579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.100.32.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848477/; classtype:trojan-activity;sid:84711577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.143.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848478/; classtype:trojan-activity;sid:84711578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/385d21df-cce5-47e2-9dd4-c0bb9ed6bc55/google.ct"; depth:47; endswith; nocase; http.host; content:"chronicle-archive-keeper.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848476/; classtype:trojan-activity;sid:84711576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.234.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848475/; classtype:trojan-activity;sid:84711575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.233.57.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848474/; classtype:trojan-activity;sid:84711574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848472/; classtype:trojan-activity;sid:84711572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.7.221"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848473/; classtype:trojan-activity;sid:84711573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/78ff4c08-3db8-4567-b0df-1ffa05092bbe/google.ct"; depth:47; endswith; nocase; http.host; content:"pixelartcanvas.garden"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848471/; classtype:trojan-activity;sid:84711571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848470/; 
classtype:trojan-activity;sid:84711570; rev:1;)
# The line above is the tail of a rule that begins on the preceding line of the page.
#
# Rule layout (one rule per line from here on). Each rule alerts on an
# established, client-side HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - http.uri matches the listed path case-insensitively, anchored by
#     depth + endswith, and
#   - http.host matches the listed host, anchored by depth + isdataat:!1,relative.
# The id in msg is the URLhaus entry named in reference:url.
# NOTE(review): /i and /bin.sh are generic paths, so each match is only as
# specific as its Host value; bare-IP hosts may be reassigned over time, so
# consider ageing entries out using metadata:created_at.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.42.87"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848469/; classtype:trojan-activity;sid:84711569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.158.173.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848468/; classtype:trojan-activity;sid:84711568; rev:1;)
# NOTE(review): depth:47 counts the `|3f|` escape as four characters; the
# decoded content (slash, question mark, "ublib=", 36-character id) is 44 bytes,
# so the match may begin up to 3 bytes into the URI. Harmless here, but looser
# than the sibling rules, where depth equals the content length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=23ee1c81-a74d-4e7c-9128-6dc5fba8ec01"; depth:47; endswith; nocase; http.host; content:"jomn9u8k.cyber-relay.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848467/; classtype:trojan-activity;sid:84711567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a82a4b86-b55f-4157-b65d-fad577d31fea/google.ct"; depth:47; endswith; nocase; http.host; content:"suboceanic-trench-sonar.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848466/; classtype:trojan-activity;sid:84711566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848465/; classtype:trojan-activity;sid:84711565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.137.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848464/; classtype:trojan-activity;sid:84711564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"211.158.173.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848463/; classtype:trojan-activity;sid:84711563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848462/; classtype:trojan-activity;sid:84711562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.7.221"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848461/; classtype:trojan-activity;sid:84711561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cedeea1-8854-4539-af98-81e1310b6891/google.ct"; depth:47; endswith; nocase; http.host; content:"vintage-vinyl-restoration.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848460/; classtype:trojan-activity;sid:84711560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.137.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848459/; classtype:trojan-activity;sid:84711559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.97.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848458/; classtype:trojan-activity;sid:84711558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.197.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848457/; classtype:trojan-activity;sid:84711557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.10.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848456/; classtype:trojan-activity;sid:84711556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.26.243"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848455/; classtype:trojan-activity;sid:84711555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.197.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848454/; classtype:trojan-activity;sid:84711554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.237.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848452/; classtype:trojan-activity;sid:84711552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848453/; classtype:trojan-activity;sid:84711553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27815609-0ac5-4bcb-8ed3-b053ef4e81d0/google.ct"; depth:47; endswith; nocase; http.host; content:"volcanic-magma-chamber.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848451/; classtype:trojan-activity;sid:84711551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.249.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848450/; classtype:trojan-activity;sid:84711550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.177.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848449/; classtype:trojan-activity;sid:84711549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848448/; classtype:trojan-activity;sid:84711548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.76.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848447/; classtype:trojan-activity;sid:84711547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3a9625a5-2df3-430d-88ff-ff91f8ee844f/google.ct"; depth:47; endswith; nocase; http.host; content:"neoncyberpunkcity.garden"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848446/; classtype:trojan-activity;sid:84711546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848445/; classtype:trojan-activity;sid:84711545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.6.135"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848444/; classtype:trojan-activity;sid:84711544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848443/; classtype:trojan-activity;sid:84711543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848442/; classtype:trojan-activity;sid:84711542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.100.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848441/; classtype:trojan-activity;sid:84711541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/34701e8f-b8f0-4cce-b0cd-136c4553dbb8/google.ct"; depth:47; endswith; nocase; http.host; content:"abandoned-asylum-expedition.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848440/; classtype:trojan-activity;sid:84711540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.136.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848439/; classtype:trojan-activity;sid:84711539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.23.91.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848438/; classtype:trojan-activity;sid:84711538; rev:1;)
# The rule below continues on the following line of the page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.3.3.190"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_17; 
reference:url, urlhaus.abuse.ch/url/3848437/; classtype:trojan-activity;sid:84711537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.6.135"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848436/; classtype:trojan-activity;sid:84711536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848435/; classtype:trojan-activity;sid:84711535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bf1150a4-6883-4064-85d7-beb9d7e8b19d/google.ct"; depth:47; endswith; nocase; http.host; content:"deep-space-artificial-gravity.garden"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848434/; classtype:trojan-activity;sid:84711534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.136.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848433/; classtype:trojan-activity;sid:84711533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848432)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/|3f|ublib=daed12b8-ac34-434a-9729-ea53ca3fb3e8"; depth:47; endswith; nocase; http.host; content:"wkqsof7p.network-pulse.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848432/; classtype:trojan-activity;sid:84711532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/28cbb4e8-3f91-4fd8-a73d-efb056fc39d4/google.ct"; depth:47; endswith; nocase; http.host; content:"retro-gaming-launcher.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848431/; classtype:trojan-activity;sid:84711531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.173.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848430/; classtype:trojan-activity;sid:84711530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.188.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848429/; classtype:trojan-activity;sid:84711529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.3.3.190"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848428/; 
classtype:trojan-activity;sid:84711528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.144.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848427/; classtype:trojan-activity;sid:84711527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.188.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848426/; classtype:trojan-activity;sid:84711526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f30eba81-4c5a-4080-a057-6df524e69f8c/google.ct"; depth:47; endswith; nocase; http.host; content:"ziti-multicooker-hacks.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848425/; classtype:trojan-activity;sid:84711525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.13.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848424/; classtype:trojan-activity;sid:84711524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"39.90.144.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848423/; classtype:trojan-activity;sid:84711523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fc4401cf-721d-4064-803f-cb53ae02e210/google.ct"; depth:47; endswith; nocase; http.host; content:"containerizedecosystem.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_17; reference:url, urlhaus.abuse.ch/url/3848422/; classtype:trojan-activity;sid:84711522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.173.223"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848421/; classtype:trojan-activity;sid:84711521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3eb70c47-dc57-4471-a7d7-a633ffdd0fe7/google.ct"; depth:47; endswith; nocase; http.host; content:"flora-processing-framework.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848420/; classtype:trojan-activity;sid:84711520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.45.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848419/; classtype:trojan-activity;sid:84711519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3848418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.201.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848418/; classtype:trojan-activity;sid:84711518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.45.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848417/; classtype:trojan-activity;sid:84711517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.155.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848416/; classtype:trojan-activity;sid:84711516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/993c80f8-6c83-4e31-ada5-a6a89e13b6ea/google.ct"; depth:47; endswith; nocase; http.host; content:"gardenworkflowcenter.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848415/; classtype:trojan-activity;sid:84711515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.42.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, 
urlhaus.abuse.ch/url/3848414/; classtype:trojan-activity;sid:84711514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.67.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848413/; classtype:trojan-activity;sid:84711513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.67.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848412/; classtype:trojan-activity;sid:84711512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3f51be67-1f51-4b0b-8405-cc6b7f50b6da/google.ct"; depth:47; endswith; nocase; http.host; content:"federatedmeadowcluster.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848411/; classtype:trojan-activity;sid:84711511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.95.121.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848410/; classtype:trojan-activity;sid:84711510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"42.227.202.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848409/; classtype:trojan-activity;sid:84711509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848408/; classtype:trojan-activity;sid:84711508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=1cc82a74-f8b2-405b-b7ad-f3bb853d0aac"; depth:47; endswith; nocase; http.host; content:"mqo7n5b2.script-vault.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848407/; classtype:trojan-activity;sid:84711507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.43.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848406/; classtype:trojan-activity;sid:84711506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.42.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848405/; classtype:trojan-activity;sid:84711505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3848404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2a06764-1a51-4eac-8ab1-b88de57752d3/google.ct"; depth:47; endswith; nocase; http.host; content:"irrigation-resource-system.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848404/; classtype:trojan-activity;sid:84711504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.103.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848403/; classtype:trojan-activity;sid:84711503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.211.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848402/; classtype:trojan-activity;sid:84711502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.211.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848401/; classtype:trojan-activity;sid:84711501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f3f7345c-c44e-46f1-b59d-95b926b03af2/google.ct"; depth:47; endswith; nocase; http.host; content:"botanicalautomationengine.garden"; depth:32; isdataat:!1,relative; 
metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848400/; classtype:trojan-activity;sid:84711500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.125.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848399/; classtype:trojan-activity;sid:84711499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/963a5c48-2532-4622-b69d-620ac1f90f42/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-growth-network.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848398/; classtype:trojan-activity;sid:84711498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.75.147"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848397/; classtype:trojan-activity;sid:84711497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.125.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848396/; classtype:trojan-activity;sid:84711496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848395)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/36ede77f-6234-4432-a37b-a83325c58119/google.ct"; depth:47; endswith; nocase; http.host; content:"wildflorainfrastructure.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848395/; classtype:trojan-activity;sid:84711495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.224.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848394/; classtype:trojan-activity;sid:84711494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.156.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848393/; classtype:trojan-activity;sid:84711493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.224.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848392/; classtype:trojan-activity;sid:84711492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.211.45.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848391/; classtype:trojan-activity;sid:84711491; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.156.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848390/; classtype:trojan-activity;sid:84711490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.7"; depth:7; endswith; nocase; http.host; content:"110.37.70.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848389/; classtype:trojan-activity;sid:84711489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.75.147"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848388/; classtype:trojan-activity;sid:84711488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.35.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848387/; classtype:trojan-activity;sid:84711487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2ee8199-efb0-4c21-b476-7667e664c1b6/google.ct"; depth:47; endswith; nocase; http.host; content:"petal-routing-platform.garden"; depth:29; isdataat:!1,relative; metadata:created_at 
2026_05_16; reference:url, urlhaus.abuse.ch/url/3848386/; classtype:trojan-activity;sid:84711486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.35.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848385/; classtype:trojan-activity;sid:84711485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.44.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848384/; classtype:trojan-activity;sid:84711484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/genius"; depth:7; endswith; nocase; http.host; content:"147.45.45.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848383/; classtype:trojan-activity;sid:84711483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0c77df4c-23a1-44bf-ac0f-30286427263b/google.ct"; depth:47; endswith; nocase; http.host; content:"greenhouseoperationshub.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848382/; classtype:trojan-activity;sid:84711482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848381)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dl/wtw2egtgc2ik/winspec.exe"; depth:28; endswith; nocase; http.host; content:"tmpfiles.org"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848381/; classtype:trojan-activity;sid:84711481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=140964fe-33a1-45d5-91ea-7eae12e66dd5"; depth:47; endswith; nocase; http.host; content:"wwk6os4i.cloud-atlas.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848380/; classtype:trojan-activity;sid:84711480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.44.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848378/; classtype:trojan-activity;sid:84711478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.109.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848379/; classtype:trojan-activity;sid:84711479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.45.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848377/; classtype:trojan-activity;sid:84711477; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848376/; classtype:trojan-activity;sid:84711476; rev:1;)
#
# Reading the rules in this stretch (they all have the same shape):
#   alert http $HOME_NET any -> $EXTERNAL_NET any ; flow:established,from_client
#       request side of an established flow, internal client to external server.
#   http.method; content:"GET"
#       only GET requests are considered.
#   http.uri; content:"<path>"; depth:N; endswith; nocase
#       depth:N (N = content length) anchors the match at the start of the URI and
#       endswith anchors it at the end, so the URI must equal <path>, case-insensitively.
#   http.host; content:"<host>"; depth:N; isdataat:!1,relative
#       same exact-match construction for the Host value.
#   The number in msg is the URLhaus entry ID used in reference:url; in every rule
#   shown here sid = that ID + 80863100, which lets an alert be traced to its entry.
#
# Triage caveats that follow from that shape:
#   - The rules inspect the request only (no response keywords), so an alert shows the
#     GET was sent, not that a payload was delivered; confirm from HTTP/file logs.
#   - `alert http` needs parsed HTTP: the same URL fetched over TLS is not seen unless
#     traffic is decrypted before the sensor.
#   - The URI and Host are exact matches; an added query string, a different path or
#     another host name for the same server does not match.
#   - NOTE(review): with clients behind an internal forward proxy the destination may
#     fall inside $HOME_NET and these rules would not fire; verify against the sensor's
#     placement and address variables.
#
# NOTE(review): in the next rule the content is 44 bytes (|3f| is the single byte '?'),
# but depth is 47, which is the length of the rule text with the escape written out.
# Every other rule in this stretch has depth equal to the content length. As written
# the URI match tolerates up to 3 bytes before the content; depth:44 would make it an
# exact match like its neighbours. Worth reporting to the feed maintainers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=1a725314-04b7-4251-9050-91a11efae75a"; depth:47; endswith; nocase; http.host; content:"dehjcpyw.byte-forge.digital"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848375/; classtype:trojan-activity;sid:84711475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/283a609e-b6e0-458f-8a2d-8113fe6e139b/google.ct"; depth:47; endswith; nocase; http.host; content:"linguistic-puzzle-solver.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848374/; classtype:trojan-activity;sid:84711474; rev:1;)
# The Host below is a subdomain of a shared hosting platform; the rule pins the full
# Host value, so a response action should target this name, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yo3u"; depth:5; endswith; nocase; http.host; content:"personal-store.netlify.app"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848373/; classtype:trojan-activity;sid:84711473; rev:1;)
# Same URI listed for three Host values (one bare IP, two names). The file name ends
# in .lnk after a .pdf component, i.e. a shortcut file with a document-looking name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file_bgeu/document.pdf.lnk"; depth:27; endswith; nocase; http.host; content:"107.189.25.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848370/; classtype:trojan-activity;sid:84711470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file_bgeu/document.pdf.lnk"; depth:27; endswith; nocase; http.host; content:"cloudfilenow.online"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848371/; classtype:trojan-activity;sid:84711471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file_bgeu/document.pdf.lnk"; depth:27; endswith; nocase; http.host; content:"synctimenow.org"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848372/; classtype:trojan-activity;sid:84711472; rev:1;)
# officefonts.dll, final.lnk and sr.lnk: the same paths are listed for both
# 5.252.177.38 and microwaved.info in the rules that follow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/ms/update/officefonts.dll"; depth:33; endswith; nocase; http.host; content:"microwaved.info"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848369/; classtype:trojan-activity;sid:84711469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/final.lnk"; depth:10; endswith; nocase; http.host; content:"5.252.177.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848368/; classtype:trojan-activity;sid:84711468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/final.lnk"; depth:10; endswith; nocase; http.host; content:"microwaved.info"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848367/; classtype:trojan-activity;sid:84711467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/ms/update/officefonts.dll"; depth:33; endswith; nocase; http.host; content:"5.252.177.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848362/; classtype:trojan-activity;sid:84711462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/officefonts.dll"; depth:16; endswith; nocase; http.host; content:"5.252.177.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848363/; classtype:trojan-activity;sid:84711463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/ms/update/sr.lnk"; depth:24; endswith; nocase; http.host; content:"5.252.177.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848364/; classtype:trojan-activity;sid:84711464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/officefonts.dll"; depth:16; endswith; nocase; http.host; content:"microwaved.info"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848365/; classtype:trojan-activity;sid:84711465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/ms/update/sr.lnk"; depth:24; endswith; nocase; http.host; content:"microwaved.info"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848366/; classtype:trojan-activity;sid:84711466; rev:1;)
# /lol.js and /fie.hta: listed here for 87.120.107.248 and further down for guildy.top.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.js"; depth:7; endswith; nocase; http.host; content:"87.120.107.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848361/; classtype:trojan-activity;sid:84711461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fie.hta"; depth:8; endswith; nocase; http.host; content:"87.120.107.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848360/; classtype:trojan-activity;sid:84711460; rev:1;)
# Two-byte URI "/i" on bare IP hosts: the Host pin is what keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.89.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848359/; classtype:trojan-activity;sid:84711459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848356/; classtype:trojan-activity;sid:84711456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.185.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848357/; classtype:trojan-activity;sid:84711457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl.sh"; depth:8; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848358/; classtype:trojan-activity;sid:84711458; rev:1;)
# /file/setup.pdf and /files/technical_specifications.pdf.lnk are each listed for
# stage1-orschellx.com, 45.155.68.226 and dev1-trucksdirectuk.com below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.pdf"; depth:15; endswith; nocase; http.host; content:"stage1-orschellx.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848354/; classtype:trojan-activity;sid:84711454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/running.ocx"; depth:18; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848355/; classtype:trojan-activity;sid:84711455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.js"; depth:7; endswith; nocase; http.host; content:"guildy.top"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848352/; classtype:trojan-activity;sid:84711452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fie.hta"; depth:8; endswith; nocase; http.host; content:"guildy.top"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848353/; classtype:trojan-activity;sid:84711453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.pdf"; depth:15; endswith; nocase; http.host; content:"45.155.68.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848350/; classtype:trojan-activity;sid:84711450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.pdf"; depth:15; endswith; nocase; http.host; content:"dev1-trucksdirectuk.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848351/; classtype:trojan-activity;sid:84711451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/technical_specifications.pdf.lnk"; depth:39; endswith; nocase; http.host; content:"stage1-orschellx.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848346/; classtype:trojan-activity;sid:84711446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/technical_specifications.pdf.lnk"; depth:39; endswith; nocase; http.host; content:"45.155.68.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848347/; classtype:trojan-activity;sid:84711447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/technical_specifications.pdf.lnk"; depth:39; endswith; nocase; http.host; content:"dev1-trucksdirectuk.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848348/; classtype:trojan-activity;sid:84711448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/832cb6af-b07c-4e38-bd4b-30d60fd00224/google.ct"; depth:47; endswith; nocase; http.host; content:"ancient-parchment-archive.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848349/; classtype:trojan-activity;sid:84711449; rev:1;)
# Every complete rule from here to the end of this stretch has a URI under /cloud/
# (.ocx and .lnk names, one .exe). Hosts seen: paysolutions.ink, aurekh.com,
# screenly.cam, xtrafftrck.net, ahdaratlegalservices.com, 70.34.205.43, 65.20.98.45.
# The feed emits one rule per URL, so the same path repeats once per host; when
# several of these fire for one client, grouping the alerts by Host is the quicker
# way to scope what was requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_05_11.lnk"; depth:32; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848344/; classtype:trojan-activity;sid:84711444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_12_5.lnk"; depth:31; endswith; nocase; http.host; content:"65.20.98.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848345/; classtype:trojan-activity;sid:84711445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_12_5.lnk"; depth:31; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848342/; classtype:trojan-activity;sid:84711442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_12_5.lnk"; depth:31; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848343/; classtype:trojan-activity;sid:84711443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/koki.ocx"; depth:15; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848337/; classtype:trojan-activity;sid:84711437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomer.ocx"; depth:18; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848338/; classtype:trojan-activity;sid:84711438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848339/; classtype:trojan-activity;sid:84711439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/runner.ocx"; depth:17; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848340/; classtype:trojan-activity;sid:84711440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848341/; classtype:trojan-activity;sid:84711441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomer.ocx"; depth:18; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848336/; classtype:trojan-activity;sid:84711436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/running.ocx"; depth:18; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848335/; classtype:trojan-activity;sid:84711435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/koki.ocx"; depth:15; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848334/; classtype:trojan-activity;sid:84711434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/agent.ocx"; depth:16; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848332/; classtype:trojan-activity;sid:84711432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"65.20.98.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848333/; classtype:trojan-activity;sid:84711433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/koki.ocx"; depth:15; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848331/; classtype:trojan-activity;sid:84711431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomer.ocx"; depth:18; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848330/; classtype:trojan-activity;sid:84711430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848328/; classtype:trojan-activity;sid:84711428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomer.ocx"; depth:18; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848329/; classtype:trojan-activity;sid:84711429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848327/; classtype:trojan-activity;sid:84711427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/runner.ocx"; depth:17; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848326/; classtype:trojan-activity;sid:84711426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_12_5.lnk"; depth:31; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848325/; classtype:trojan-activity;sid:84711425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_05_11.lnk"; depth:32; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848324/; classtype:trojan-activity;sid:84711424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848323/; classtype:trojan-activity;sid:84711423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848321/; classtype:trojan-activity;sid:84711421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_04_20.lnk"; depth:32; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848322/; classtype:trojan-activity;sid:84711422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/koki.ocx"; depth:15; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848318/; classtype:trojan-activity;sid:84711418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848319/; classtype:trojan-activity;sid:84711419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/koki.ocx"; depth:15; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848320/; classtype:trojan-activity;sid:84711420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_04_20.lnk"; depth:32; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848317/; classtype:trojan-activity;sid:84711417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_05_11.lnk"; depth:32; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848316/; classtype:trojan-activity;sid:84711416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/updater.ocx"; depth:18; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848315/; classtype:trojan-activity;sid:84711415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_05_11.lnk"; depth:32; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848313/; classtype:trojan-activity;sid:84711413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_12_5.lnk"; depth:31; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848314/; classtype:trojan-activity;sid:84711414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848312/; classtype:trojan-activity;sid:84711412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_05_11.lnk"; depth:32; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848311/; classtype:trojan-activity;sid:84711411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/chromelevator.ocx"; depth:24; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848310/; classtype:trojan-activity;sid:84711410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848309/; classtype:trojan-activity;sid:84711409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomer.ocx"; depth:18; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848307/; classtype:trojan-activity;sid:84711407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomctl.ocx"; depth:19; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848308/; classtype:trojan-activity;sid:84711408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/running.ocx"; depth:18; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848305/; classtype:trojan-activity;sid:84711405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscomer.ocx"; depth:18; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848306/; classtype:trojan-activity;sid:84711406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/chromelevator.ocx"; depth:24; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848303/; classtype:trojan-activity;sid:84711403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/running.ocx"; depth:18; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848304/; classtype:trojan-activity;sid:84711404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/running.ocx"; depth:18; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848301/; classtype:trojan-activity;sid:84711401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/chromelevator.ocx"; depth:24; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848302/; classtype:trojan-activity;sid:84711402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_04_20.lnk"; depth:32; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848300/; classtype:trojan-activity;sid:84711400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848297/; classtype:trojan-activity;sid:84711397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/running.ocx"; depth:18; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848298/; classtype:trojan-activity;sid:84711398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848299/; classtype:trojan-activity;sid:84711399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/runner.ocx"; depth:17; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848294/; classtype:trojan-activity;sid:84711394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/agent.ocx"; depth:16; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848295/; classtype:trojan-activity;sid:84711395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/runner.ocx"; depth:17; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848296/; classtype:trojan-activity;sid:84711396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/runner.ocx"; depth:17; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848291/; classtype:trojan-activity;sid:84711391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/agent.ocx"; depth:16; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848292/; classtype:trojan-activity;sid:84711392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/runner.ocx"; depth:17; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848293/; classtype:trojan-activity;sid:84711393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/agent.ocx"; depth:16; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848289/; classtype:trojan-activity;sid:84711389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/agent.ocx"; depth:16; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848290/; classtype:trojan-activity;sid:84711390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/agent.ocx"; depth:16; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848286/; classtype:trojan-activity;sid:84711386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/updater.ocx"; depth:18; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848287/; classtype:trojan-activity;sid:84711387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/koki.ocx"; depth:15; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848288/; classtype:trojan-activity;sid:84711388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.exe"; depth:16; endswith; nocase; http.host; content:"65.20.98.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848283/; classtype:trojan-activity;sid:84711383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848284)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/updater.ocx"; depth:18; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848284/; classtype:trojan-activity;sid:84711384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/updater.ocx"; depth:18; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848285/; classtype:trojan-activity;sid:84711385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/updater.ocx"; depth:18; endswith; nocase; http.host; content:"paysolutions.ink"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848282/; classtype:trojan-activity;sid:84711382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/updater.ocx"; depth:18; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848281/; classtype:trojan-activity;sid:84711381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848280/; 
classtype:trojan-activity;sid:84711380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/chromelevator.ocx"; depth:24; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848279/; classtype:trojan-activity;sid:84711379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/chromelevator.ocx"; depth:24; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848278/; classtype:trojan-activity;sid:84711378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/chromelevator.ocx"; depth:24; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848277/; classtype:trojan-activity;sid:84711377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848276/; classtype:trojan-activity;sid:84711376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848275)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cloud/screenshot_2026_12_5.lnk"; depth:31; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848275/; classtype:trojan-activity;sid:84711375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848274/; classtype:trojan-activity;sid:84711374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_04_20.lnk"; depth:32; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848273/; classtype:trojan-activity;sid:84711373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"aurekh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848271/; classtype:trojan-activity;sid:84711371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; endswith; nocase; http.host; content:"screenly.cam"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848272/; classtype:trojan-activity;sid:84711372; rev:1;) 
# URLhaus per-URL indicators: each rule below alerts on one exact download URL.
# Anatomy shared by every rule in this run:
#   flow:established,from_client + http.method "GET"
#       -> only client GET requests on established flows are inspected.
#   http.uri content + depth:<content length> + endswith + nocase
#       -> the whole URI buffer must equal the string (case-insensitive);
#          the same path with anything appended does not match.
#   http.host content + depth:<content length> + isdataat:!1,relative
#       -> the whole host buffer must equal the string, so sub-domains and
#          look-alike hosts do not match.
#   msg "(N)" carries the URLhaus entry id, the same N as in reference:url.
# Coverage notes for whoever deploys this:
#   - `alert http` needs HTTP that Suricata can parse; a download fetched over
#     TLS is not seen unless the traffic is decrypted upstream.
#   - These are point-in-time indicators (see metadata:created_at); no alert
#     means "this exact URL was not requested", not "host is clean".
#   - In this listing rules wrap across physical lines (the last rule on the
#     line below continues on the next one). Suricata expects one rule per
#     line unless continued with a backslash; restore that before loading.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/mscom.ocx"; depth:16; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848270/; classtype:trojan-activity;sid:84711370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_12_5.lnk"; depth:31; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848269/; classtype:trojan-activity;sid:84711369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_04_20.lnk"; depth:32; endswith; nocase; http.host; content:"ahdaratlegalservices.com"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848267/; classtype:trojan-activity;sid:84711367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_04_20.lnk"; depth:32; endswith; nocase; http.host; content:"xtrafftrck.net"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848268/; classtype:trojan-activity;sid:84711368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/712419111124.ocx"; depth:23; 
endswith; nocase; http.host; content:"65.20.98.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848266/; classtype:trojan-activity;sid:84711366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cloud/screenshot_2026_05_11.lnk"; depth:32; endswith; nocase; http.host; content:"70.34.205.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848265/; classtype:trojan-activity;sid:84711365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.89.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848264/; classtype:trojan-activity;sid:84711364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.msi"; depth:15; endswith; nocase; http.host; content:"87.120.219.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848263/; classtype:trojan-activity;sid:84711363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.msi"; depth:15; endswith; nocase; http.host; content:"stg1-swaggrhockey.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848260/; classtype:trojan-activity;sid:84711360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3848261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/candidates-guide.pdf.lnk"; depth:31; endswith; nocase; http.host; content:"slotmy-send.tech"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848261/; classtype:trojan-activity;sid:84711361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/candidates-guide.pdf.lnk"; depth:31; endswith; nocase; http.host; content:"3bra.solonettochka.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848262/; classtype:trojan-activity;sid:84711362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/candidates-guide.pdf.lnk"; depth:31; endswith; nocase; http.host; content:"dev1-revitavive.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848254/; classtype:trojan-activity;sid:84711354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/candidates-guide.pdf.lnk"; depth:31; endswith; nocase; http.host; content:"stg1-swaggrhockey.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848255/; classtype:trojan-activity;sid:84711355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.msi"; depth:15; endswith; nocase; http.host; content:"slotmy-send.tech"; depth:16; 
isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848256/; classtype:trojan-activity;sid:84711356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/candidates-guide.pdf.lnk"; depth:31; endswith; nocase; http.host; content:"87.120.219.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848257/; classtype:trojan-activity;sid:84711357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.msi"; depth:15; endswith; nocase; http.host; content:"3bra.solonettochka.ru"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848258/; classtype:trojan-activity;sid:84711358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/setup.msi"; depth:15; endswith; nocase; http.host; content:"dev1-revitavive.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848259/; classtype:trojan-activity;sid:84711359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.187.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848253/; classtype:trojan-activity;sid:84711353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848252)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/678678b2-11f2-4c2b-b83c-8aa490cf1b38/google.ct"; depth:47; endswith; nocase; http.host; content:"meteorite-crater-safari.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848252/; classtype:trojan-activity;sid:84711352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_softfloat"; depth:23; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848251/; classtype:trojan-activity;sid:84711351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.203.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848250/; classtype:trojan-activity;sid:84711350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.202.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848249/; classtype:trojan-activity;sid:84711349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df32a9c4-683e-4cb0-9eac-f16baca0ccbf/google.ct"; depth:47; endswith; nocase; http.host; content:"space-debris-trajectory.garden"; depth:30; isdataat:!1,relative; 
metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848248/; classtype:trojan-activity;sid:84711348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_cvtres.txt"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848247/; classtype:trojan-activity;sid:84711347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848233/; classtype:trojan-activity;sid:84711333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848234/; classtype:trojan-activity;sid:84711334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848235/; classtype:trojan-activity;sid:84711335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848236)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848236/; classtype:trojan-activity;sid:84711336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cmd1.txt"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848237/; classtype:trojan-activity;sid:84711337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv4eb"; depth:17; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848238/; classtype:trojan-activity;sid:84711338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848239/; classtype:trojan-activity;sid:84711339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848240/; classtype:trojan-activity;sid:84711340; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848241/; classtype:trojan-activity;sid:84711341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848242/; classtype:trojan-activity;sid:84711342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.powerpc"; depth:17; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848243/; classtype:trojan-activity;sid:84711343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.mips"; depth:14; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848244/; classtype:trojan-activity;sid:84711344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, 
urlhaus.abuse.ch/url/3848245/; classtype:trojan-activity;sid:84711345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/tumfuf.txt"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848246/; classtype:trojan-activity;sid:84711346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bins.sh"; depth:18; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848224/; classtype:trojan-activity;sid:84711324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.powerpc"; depth:22; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848225/; classtype:trojan-activity;sid:84711325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cmd.txt"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848226/; classtype:trojan-activity;sid:84711326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848227)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/bins/bin.i686"; depth:19; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848227/; classtype:trojan-activity;sid:84711327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.i486"; depth:14; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848228/; classtype:trojan-activity;sid:84711328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848229/; classtype:trojan-activity;sid:84711329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.i586"; depth:14; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848230/; classtype:trojan-activity;sid:84711330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/repe04yt-group/repe04yt-project/-/raw/main/cryp2_cvtres.txt|3f|ref_type=heads"; depth:78; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848231/; 
classtype:trojan-activity;sid:84711331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_addinprocess32.txt"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848232/; classtype:trojan-activity;sid:84711332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.armv71"; depth:21; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848214/; classtype:trojan-activity;sid:84711314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.armv4eb"; depth:22; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848215/; classtype:trojan-activity;sid:84711315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848216/; classtype:trojan-activity;sid:84711316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848217)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_regasm.txt"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848217/; classtype:trojan-activity;sid:84711317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848218/; classtype:trojan-activity;sid:84711318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848219/; classtype:trojan-activity;sid:84711319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848220/; classtype:trojan-activity;sid:84711320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848221/; classtype:trojan-activity;sid:84711321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3848222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips"; depth:11; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848222/; classtype:trojan-activity;sid:84711322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.mips64"; depth:16; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848223/; classtype:trojan-activity;sid:84711323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848205/; classtype:trojan-activity;sid:84711305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848206/; classtype:trojan-activity;sid:84711306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, 
urlhaus.abuse.ch/url/3848207/; classtype:trojan-activity;sid:84711307; rev:1;)
# Every signature in this group has the same shape:
#   - direction: $HOME_NET -> $EXTERNAL_NET, client side of an established flow, method GET;
#   - http.uri:  content + depth:<len> + endswith pins both ends, so the normalized URI must
#                equal the quoted path (compared case-insensitively via nocase);
#   - http.host: content + depth:<len> + isdataat:!1,relative, so nothing may follow the
#                quoted host value.
# Both buffers must match. A listed path on another host does not alert, and a listed host
# serving a path that is not in the feed does not alert either.
# Triage: the number in msg and reference:url is the URLhaus entry for the URL that produced
# the signature; metadata:created_at is the date the signature was generated.
#
# Short, generic paths such as "/sh4" rely entirely on the exact Host match for specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848208/; classtype:trojan-activity;sid:84711308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.m68k"; depth:14; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848209/; classtype:trojan-activity;sid:84711309; rev:1;)
# NOTE(review): Host is github.com, which normally serves content over HTTPS. As an
# `alert http` signature this can only match where the sensor sees the request in cleartext
# (for example behind TLS interception). Confirm sensor visibility before reading "no alert"
# as "not downloaded". The host is a shared platform; the repository path in http.uri is the
# specific part of the match. The same caveat applies to every github.com rule in this group.
# NOTE(review): the file names (regsvcs, installutil, aspnet_compiler, msbuild, applaunch, jsc)
# echo .NET Framework utility names; presumably worth correlating a hit with endpoint
# telemetry for those processes. The rule itself does not establish that; verify against the
# URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_regsvcs.txt"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848210/; classtype:trojan-activity;sid:84711310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848211/; classtype:trojan-activity;sid:84711311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.x86_64"; depth:21; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848212/; classtype:trojan-activity;sid:84711312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848213/; classtype:trojan-activity;sid:84711313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv71"; depth:16; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848202/; classtype:trojan-activity;sid:84711302; rev:1;)
# Host 178.16.54.149 appears in this group only with .vbs paths (here and in sid 84711290).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sostener.vbs"; depth:13; endswith; nocase; http.host; content:"178.16.54.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848203/; classtype:trojan-activity;sid:84711303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv41"; depth:16; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848204/; classtype:trojan-activity;sid:84711304; rev:1;)
# github.com host: the cleartext-visibility caveat above applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_installutil.txt"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848192/; classtype:trojan-activity;sid:84711292; rev:1;)
# github.com host: the cleartext-visibility caveat above applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_aspnet_compiler.txt"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848193/; classtype:trojan-activity;sid:84711293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.i686"; depth:14; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848194/; classtype:trojan-activity;sid:84711294; rev:1;)
# github.com host: the cleartext-visibility caveat above applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2.txt"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848195/; classtype:trojan-activity;sid:84711295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.armv4tl"; depth:22; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848196/; classtype:trojan-activity;sid:84711296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.i586"; depth:19; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848197/; classtype:trojan-activity;sid:84711297; rev:1;)
# github.com host: the cleartext-visibility caveat above applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_msbuild.txt"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848198/; classtype:trojan-activity;sid:84711298; rev:1;)
# github.com host: the cleartext-visibility caveat above applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_applaunch.txt"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848199/; classtype:trojan-activity;sid:84711299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins.sh"; depth:13; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848200/; classtype:trojan-activity;sid:84711300; rev:1;)
# github.com host: the cleartext-visibility caveat above applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/respalditoxd122/cmd/raw/refs/heads/main/cryp2_jsc.txt"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848201/; classtype:trojan-activity;sid:84711301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.m68k"; depth:19; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848188/; classtype:trojan-activity;sid:84711288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel"; depth:13; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848189/; classtype:trojan-activity;sid:84711289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andre.vbs"; depth:10; endswith; nocase; http.host; content:"178.16.54.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848190/; classtype:trojan-activity;sid:84711290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.armv61"; depth:21; endswith; nocase; http.host; 
content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848191/; classtype:trojan-activity;sid:84711291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv61"; depth:16; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848185/; classtype:trojan-activity;sid:84711285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.mips64"; depth:21; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848186/; classtype:trojan-activity;sid:84711286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.sh4"; depth:13; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848187/; classtype:trojan-activity;sid:84711287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.armv41"; depth:21; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848171/; classtype:trojan-activity;sid:84711271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3848172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.mipsel"; depth:21; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848172/; classtype:trojan-activity;sid:84711272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.i486"; depth:19; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848173/; classtype:trojan-activity;sid:84711273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv4tl"; depth:17; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848174/; classtype:trojan-activity;sid:84711274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.x86_64"; depth:16; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848175/; classtype:trojan-activity;sid:84711275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm6"; depth:11; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848176/; 
classtype:trojan-activity;sid:84711276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_aarch64"; depth:14; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848177/; classtype:trojan-activity;sid:84711277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_386"; depth:10; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848178/; classtype:trojan-activity;sid:84711278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.armv51"; depth:21; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848179/; classtype:trojan-activity;sid:84711279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.sh"; depth:12; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848180/; classtype:trojan-activity;sid:84711280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv51"; depth:16; endswith; nocase; http.host; 
content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848181/; classtype:trojan-activity;sid:84711281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848182/; classtype:trojan-activity;sid:84711282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"217.209.144.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848183/; classtype:trojan-activity;sid:84711283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.mips"; depth:19; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848184/; classtype:trojan-activity;sid:84711284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins/bin.sh4"; depth:18; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848170/; classtype:trojan-activity;sid:84711270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848158)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_ppc64el"; depth:19; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848158/; classtype:trojan-activity;sid:84711258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips_hardfloat"; depth:26; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848159/; classtype:trojan-activity;sid:84711259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848160/; classtype:trojan-activity;sid:84711260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_ppc64"; depth:17; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848161/; classtype:trojan-activity;sid:84711261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_softfloat"; depth:21; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, 
urlhaus.abuse.ch/url/3848162/; classtype:trojan-activity;sid:84711262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848163/; classtype:trojan-activity;sid:84711263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_386"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848164/; classtype:trojan-activity;sid:84711264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_arm5"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848165/; classtype:trojan-activity;sid:84711265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848166/; classtype:trojan-activity;sid:84711266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64"; depth:12; 
endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848167/; classtype:trojan-activity;sid:84711267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848168/; classtype:trojan-activity;sid:84711268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_aarch64"; depth:14; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848169/; classtype:trojan-activity;sid:84711269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64el"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848156/; classtype:trojan-activity;sid:84711256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_aarch64"; depth:19; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848157/; classtype:trojan-activity;sid:84711257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3848155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_amd64"; depth:17; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848155/; classtype:trojan-activity;sid:84711255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mipsel_softfloat"; depth:28; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848154/; classtype:trojan-activity;sid:84711254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips64"; depth:18; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848152/; classtype:trojan-activity;sid:84711252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips64el"; depth:20; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848153/; classtype:trojan-activity;sid:84711253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_hardfloat"; depth:21; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; 
metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848148/; classtype:trojan-activity;sid:84711248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mipsel_hardfloat"; depth:28; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848149/; classtype:trojan-activity;sid:84711249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips_softfloat"; depth:26; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848150/; classtype:trojan-activity;sid:84711250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_hardfloat"; depth:23; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848151/; classtype:trojan-activity;sid:84711251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_arm7"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848146/; classtype:trojan-activity;sid:84711246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848147)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_arm6"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848147/; classtype:trojan-activity;sid:84711247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm6"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848145/; classtype:trojan-activity;sid:84711245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_386"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848144/; classtype:trojan-activity;sid:84711244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848143/; classtype:trojan-activity;sid:84711243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848139/; 
classtype:trojan-activity;sid:84711239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm4"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848140/; classtype:trojan-activity;sid:84711240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848141/; classtype:trojan-activity;sid:84711241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848142/; classtype:trojan-activity;sid:84711242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm6"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848138/; classtype:trojan-activity;sid:84711238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.spc"; depth:15; endswith; nocase; 
http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848135/; classtype:trojan-activity;sid:84711235; rev:1;)
# ---------------------------------------------------------------------------
# Host de.cloud.dxang.com - URLhaus download-URL rules (created_at 2026_05_16).
# Every rule in this group has the same shape; only the URI path changes:
#   flow:established,from_client   client-to-server side of an established flow
#   http.method; content:"GET"     method buffer contains GET
#   http.uri; content; depth; endswith; nocase
#                                  depth equals the path length, so with endswith the
#                                  URI buffer must equal the path (case-insensitive)
#   http.host; content; depth; isdataat:!1,relative
#                                  host buffer must equal the listed host name
# The path suffixes (.x86, .arm6, .mpsl, .m68k, .ppc, .sh4, .arc, ...) look like one
# payload built per CPU architecture plus shell scripts - presumably loader stages;
# confirm against the referenced URLhaus entries.
# Deployment notes:
#  - These are exact-match IoC signatures: only the listed host + path alerts.
#    Monitoring or blocking the host name at the resolver/proxy gives wider coverage.
#  - Requests inside TLS are not visible to these rules unless traffic is decrypted
#    before the sensor.
#  - $HOME_NET must cover the hosts to be monitored; an alert means an internal host
#    requested the URL, so triage the source host.
#  - Short generic paths (/mips, /w.sh) stay low-noise only because the host is
#    pinned; keep the http.host match if a rule is ever edited locally.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.x86"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848136/; classtype:trojan-activity;sid:84711236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm6"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848137/; classtype:trojan-activity;sid:84711237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kla.sh"; depth:12; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848132/; classtype:trojan-activity;sid:84711232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kla.sh"; depth:7; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848133/; classtype:trojan-activity;sid:84711233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w.sh"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848134/; classtype:trojan-activity;sid:84711234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.mpsl"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848125/; classtype:trojan-activity;sid:84711225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.apk"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848126/; classtype:trojan-activity;sid:84711226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848127/; classtype:trojan-activity;sid:84711227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.i486"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848128/; classtype:trojan-activity;sid:84711228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.apk"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848129/; classtype:trojan-activity;sid:84711229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm7"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848130/; classtype:trojan-activity;sid:84711230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.m68k"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848131/; classtype:trojan-activity;sid:84711231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848122/; classtype:trojan-activity;sid:84711222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848123/; classtype:trojan-activity;sid:84711223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux.sh"; depth:9; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848124/; classtype:trojan-activity;sid:84711224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.ppc440"; depth:18; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848119/; classtype:trojan-activity;sid:84711219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.dbg"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848120/; classtype:trojan-activity;sid:84711220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848121/; classtype:trojan-activity;sid:84711221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.i686"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848117/; classtype:trojan-activity;sid:84711217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ak.sh"; depth:12; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848118/; classtype:trojan-activity;sid:84711218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848115/; classtype:trojan-activity;sid:84711215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm5"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848116/; classtype:trojan-activity;sid:84711216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_ak.sh"; depth:17; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848108/; classtype:trojan-activity;sid:84711208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.sh4"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848109/; classtype:trojan-activity;sid:84711209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848110/; classtype:trojan-activity;sid:84711210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.ppc"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848111/; classtype:trojan-activity;sid:84711211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv4l"; depth:12; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848112/; classtype:trojan-activity;sid:84711212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848113/; classtype:trojan-activity;sid:84711213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848114/; classtype:trojan-activity;sid:84711214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848098/; classtype:trojan-activity;sid:84711198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv5l"; depth:12; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848099/; classtype:trojan-activity;sid:84711199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848100/; classtype:trojan-activity;sid:84711200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848101/; classtype:trojan-activity;sid:84711201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848102/; classtype:trojan-activity;sid:84711202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848103/; classtype:trojan-activity;sid:84711203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arc"; depth:15; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848104/; classtype:trojan-activity;sid:84711204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arc"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848105/; classtype:trojan-activity;sid:84711205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848106/; classtype:trojan-activity;sid:84711206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv6l"; depth:12; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848107/; classtype:trojan-activity;sid:84711207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv7l"; depth:12; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848095/; classtype:trojan-activity;sid:84711195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848096/; classtype:trojan-activity;sid:84711196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.mips"; depth:16; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848097/; classtype:trojan-activity;sid:84711197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848093/; classtype:trojan-activity;sid:84711193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.dbg"; depth:10; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848094/; classtype:trojan-activity;sid:84711194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64el"; depth:14; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848092/; classtype:trojan-activity;sid:84711192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh"; depth:13; endswith; nocase; http.host; content:"de.cloud.dxang.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848091/; classtype:trojan-activity;sid:84711191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3848090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.187.52"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848090/; classtype:trojan-activity;sid:84711190; rev:1;)
# ---------------------------------------------------------------------------
# Host 45.202.241.21 - URLhaus download-URL rules (created_at 2026_05_16).
# Rule shape: established client-to-server flow, method buffer contains GET, the
# http.uri buffer must equal the listed path (depth = path length + endswith,
# nocase) and the http.host buffer must equal the listed value (depth +
# isdataat:!1,relative).
# The host is an IP literal: the match is on the Host value of the request, while
# the rule's destination address stays $EXTERNAL_NET any.
# The /bins/ file names (kswapd0, ksoftirqd0, kworker_u8, jbd2_sda1d, ...) resemble
# Linux kernel thread names. NOTE(review): on a host that triggers one of these
# alerts it is presumably worth checking for user-space processes carrying such
# names - confirm against the referenced URLhaus entries.
# These are exact-match IoC signatures for cleartext HTTP; an alert means a
# $HOME_NET host requested the URL, so triage the source host.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polld"; depth:16; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848087/; classtype:trojan-activity;sid:84711187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scsi_tmf_0"; depth:16; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848088/; classtype:trojan-activity;sid:84711188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xfsaild_sda"; depth:17; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848089/; classtype:trojan-activity;sid:84711189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848081/; classtype:trojan-activity;sid:84711181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848082/; classtype:trojan-activity;sid:84711182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848083/; classtype:trojan-activity;sid:84711183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848084/; classtype:trojan-activity;sid:84711184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848085/; classtype:trojan-activity;sid:84711185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848086/; classtype:trojan-activity;sid:84711186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848079/; classtype:trojan-activity;sid:84711179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848080/; classtype:trojan-activity;sid:84711180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848076/; classtype:trojan-activity;sid:84711176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848077/; classtype:trojan-activity;sid:84711177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848078/; classtype:trojan-activity;sid:84711178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/loader.sh"; depth:15; endswith; nocase; http.host; content:"45.202.241.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848075/; classtype:trojan-activity;sid:84711175; rev:1;)
# ---------------------------------------------------------------------------
# Host 69sexy.duckdns.org - same rule shape as above.
# The name sits under duckdns.org, a dynamic-DNS zone, so the address behind it
# can change; these rules key on the Host value and are unaffected by that.
# Pairing them with resolver-log monitoring for this name is a useful complement.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848074/; classtype:trojan-activity;sid:84711174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848072/; classtype:trojan-activity;sid:84711172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848073/; 
classtype:trojan-activity;sid:84711173; rev:1;)
# ---------------------------------------------------------------------------
# Host 94.26.106.137 - URLhaus download-URL rules (created_at 2026_05_16).
# Rule shape: established client-to-server flow, method buffer contains GET, the
# http.uri buffer must equal the listed path (depth = path length + endswith,
# nocase) and the http.host buffer must equal the listed value (depth +
# isdataat:!1,relative). The host is an IP literal matched as a Host value; the
# rule's destination address stays $EXTERNAL_NET any.
# The /bins/ file names here (kswapd0, ksoftirqd0, kworker_u8, ...) are the same
# ones listed for host 45.202.241.21 elsewhere in this file and resemble Linux
# kernel thread names. NOTE(review): presumably the same payload set served from
# a second host - confirm against the referenced URLhaus entries before
# correlating alerts across the two.
# The /skid.* paths follow a per-architecture suffix pattern (.arm5, .x86, .mips,
# .mpsl, .sparc, ...) plus /skid.sh.
# These are exact-match IoC signatures for cleartext HTTP; an alert means a
# $HOME_NET host requested the URL, so triage the source host.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xfsaild_sda"; depth:17; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848063/; classtype:trojan-activity;sid:84711163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848064/; classtype:trojan-activity;sid:84711164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848065/; classtype:trojan-activity;sid:84711165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848066/; classtype:trojan-activity;sid:84711166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848067/; classtype:trojan-activity;sid:84711167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848068/; classtype:trojan-activity;sid:84711168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848069/; classtype:trojan-activity;sid:84711169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scsi_tmf_0"; depth:16; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848070/; classtype:trojan-activity;sid:84711170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848071/; classtype:trojan-activity;sid:84711171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polld"; depth:16; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848062/; classtype:trojan-activity;sid:84711162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848061/; classtype:trojan-activity;sid:84711161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848054/; classtype:trojan-activity;sid:84711154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.arm5"; depth:10; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848055/; classtype:trojan-activity;sid:84711155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.x86"; depth:9; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848056/; classtype:trojan-activity;sid:84711156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.mips"; depth:10; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848057/; classtype:trojan-activity;sid:84711157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.arm6"; depth:10; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848058/; classtype:trojan-activity;sid:84711158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848059/; classtype:trojan-activity;sid:84711159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.sh"; depth:8; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848060/; classtype:trojan-activity;sid:84711160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848053/; classtype:trojan-activity;sid:84711153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.mpsl"; depth:10; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848051/; classtype:trojan-activity;sid:84711151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.sparc"; depth:11; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848052/; classtype:trojan-activity;sid:84711152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skid.arm4"; depth:10; endswith; nocase; http.host; content:"94.26.106.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848044/; classtype:trojan-activity;sid:84711144; rev:1;)
# ---------------------------------------------------------------------------
# Host 45.153.34.250 - same rule shape as above.
# /update.sh and /room_bot are generic-looking paths; the rules stay low-noise
# only because the host value is pinned, so keep the http.host match if a rule
# is ever edited locally.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/room.x64"; depth:14; endswith; nocase; http.host; content:"45.153.34.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848045/; classtype:trojan-activity;sid:84711145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/room.mips"; depth:15; endswith; nocase; http.host; content:"45.153.34.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848046/; classtype:trojan-activity;sid:84711146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/room.armv7"; depth:16; endswith; nocase; http.host; content:"45.153.34.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848047/; classtype:trojan-activity;sid:84711147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/room.x86"; depth:14; endswith; nocase; http.host; content:"45.153.34.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848048/; classtype:trojan-activity;sid:84711148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/room_bot"; depth:9; endswith; nocase; http.host; content:"45.153.34.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848049/; classtype:trojan-activity;sid:84711149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.sh"; depth:10; endswith; nocase; http.host; content:"45.153.34.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848050/; classtype:trojan-activity;sid:84711150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3848036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848036/; classtype:trojan-activity;sid:84711136; rev:1;)
# Two-byte URI "/i": depth:2 plus endswith makes this an exact-URI match, so the rule is only as
# specific as its host condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.98.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848037/; classtype:trojan-activity;sid:84711137; rev:1;)
# 173.208.51.53: the /bins/ names resemble Linux kernel thread names (kswapd0, ksoftirqd, kworker,
# jbd2, xfsaild). On an endpoint, a process with such a name that has a backing executable on disk is
# not a kernel thread. Each rule needs the URI to equal the listed path, so a query string defeats it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848038/; classtype:trojan-activity;sid:84711138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scsi_tmf_0"; depth:16; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848039/; classtype:trojan-activity;sid:84711139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848040/; classtype:trojan-activity;sid:84711140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848041/; classtype:trojan-activity;sid:84711141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848042/; classtype:trojan-activity;sid:84711142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848043/; classtype:trojan-activity;sid:84711143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polld"; depth:16; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848031/; classtype:trojan-activity;sid:84711131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848032/; classtype:trojan-activity;sid:84711132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848033/; classtype:trojan-activity;sid:84711133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848034/; classtype:trojan-activity;sid:84711134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xfsaild_sda"; depth:17; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848035/; classtype:trojan-activity;sid:84711135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848030/; classtype:trojan-activity;sid:84711130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"173.208.51.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848029/; classtype:trojan-activity;sid:84711129; rev:1;)
# parasjha.info: the host condition is the name itself (depth:13 with isdataat:!1,relative), so a fetch
# that carries the server's IP address in the Host header is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_x86"; depth:13; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848028/; classtype:trojan-activity;sid:84711128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_x86_64"; depth:16; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848024/; classtype:trojan-activity;sid:84711124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_powerpc"; depth:17; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848025/; classtype:trojan-activity;sid:84711125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mipsel"; depth:16; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848026/; classtype:trojan-activity;sid:84711126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mips"; depth:14; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848027/; classtype:trojan-activity;sid:84711127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_arm7"; depth:14; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848021/; classtype:trojan-activity;sid:84711121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_sh4"; depth:13; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848022/; classtype:trojan-activity;sid:84711122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_arm"; depth:13; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848023/; classtype:trojan-activity;sid:84711123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_m68k"; depth:14; endswith; nocase; http.host; content:"parasjha.info"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848020/; classtype:trojan-activity;sid:84711120; rev:1;)
# r34fa352.duckdns.org and (further down) coolcams.duckdns.org list the same per-architecture path
# names and /cat.sh. Both are dynamic-DNS names, so the resolved address can change while the name
# stays; look for the names in DNS logs as well, since these rules see plaintext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848018/; classtype:trojan-activity;sid:84711118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848019/; classtype:trojan-activity;sid:84711119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848017/; classtype:trojan-activity;sid:84711117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848016/; classtype:trojan-activity;sid:84711116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848014/; classtype:trojan-activity;sid:84711114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848015/; classtype:trojan-activity;sid:84711115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848011/; classtype:trojan-activity;sid:84711111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848012/; classtype:trojan-activity;sid:84711112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848013/; classtype:trojan-activity;sid:84711113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armhf"; depth:6; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848009/; classtype:trojan-activity;sid:84711109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc64"; depth:10; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848010/; classtype:trojan-activity;sid:84711110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"r34fa352.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848008/; classtype:trojan-activity;sid:84711108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848006/; classtype:trojan-activity;sid:84711106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848007/; classtype:trojan-activity;sid:84711107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848004/; classtype:trojan-activity;sid:84711104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848005/; classtype:trojan-activity;sid:84711105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847998/; classtype:trojan-activity;sid:84711098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847999/; classtype:trojan-activity;sid:84711099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848000/; classtype:trojan-activity;sid:84711100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848001/; classtype:trojan-activity;sid:84711101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc64"; depth:10; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848002/; classtype:trojan-activity;sid:84711102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3848003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armhf"; depth:6; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3848003/; classtype:trojan-activity;sid:84711103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847997/; classtype:trojan-activity;sid:84711097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3847996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"coolcams.duckdns.org"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847996/; classtype:trojan-activity;sid:84711096; rev:1;)
# Two-byte URI "/i": depth:2 plus endswith makes this an exact-URI match, so the rule is only as
# specific as its host condition.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.42.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847995/; classtype:trojan-activity;sid:84711095; rev:1;)
# 5.231.248.211: per-architecture mirai.* names plus /bins.sh. Every rule needs the URI to equal the
# listed path (depth is the content length, endswith set), so a query string or a renamed file
# produces no alert; plaintext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847975/; classtype:trojan-activity;sid:84711075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x86"; depth:10; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847976/; classtype:trojan-activity;sid:84711076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm_universal"; depth:20; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847977/; classtype:trojan-activity;sid:84711077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mpsl"; depth:11; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847978/; classtype:trojan-activity;sid:84711078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.m68k"; depth:11; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847979/; classtype:trojan-activity;sid:84711079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.ppc"; depth:10; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847980/; classtype:trojan-activity;sid:84711080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.sh4"; depth:10; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847981/; classtype:trojan-activity;sid:84711081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.spc"; depth:10; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847982/; classtype:trojan-activity;sid:84711082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm"; depth:10; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847983/; classtype:trojan-activity;sid:84711083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm7"; depth:11; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847984/; classtype:trojan-activity;sid:84711084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847985/; classtype:trojan-activity;sid:84711085; rev:1;)
# 45.74.244.59 and go.cmplistsonline.com carry the same lightclouden.* paths and /bins.sh (one
# mirai.arm5n rule for 5.231.248.211 is interleaved below). Whether the name resolves to that
# address is not stated in the feed - TODO confirm before treating them as one indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightclouden.mpsl"; depth:18; endswith; nocase; http.host; content:"45.74.244.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847986/; classtype:trojan-activity;sid:84711086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm5n"; depth:12; endswith; nocase; http.host; content:"5.231.248.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847987/; classtype:trojan-activity;sid:84711087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightclouden.mpsl"; depth:18; endswith; nocase; http.host; content:"go.cmplistsonline.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847988/; classtype:trojan-activity;sid:84711088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"45.74.244.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847989/; classtype:trojan-activity;sid:84711089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightclouden.x86"; depth:17; endswith; nocase; http.host; content:"45.74.244.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847990/; classtype:trojan-activity;sid:84711090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightclouden.mips"; depth:18; endswith; nocase; http.host; content:"45.74.244.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847991/; classtype:trojan-activity;sid:84711091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"go.cmplistsonline.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847992/; classtype:trojan-activity;sid:84711092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightclouden.x86"; depth:17; endswith; nocase; http.host; content:"go.cmplistsonline.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847993/; classtype:trojan-activity;sid:84711093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lightclouden.mips"; depth:18; endswith; nocase; http.host; content:"go.cmplistsonline.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847994/; classtype:trojan-activity;sid:84711094; rev:1;)
# The next three URIs embed what look like per-campaign path components (a UUID-shaped directory, a
# numeric directory). If those rotate, an exact-URI rule stops matching while the host stays in use;
# presumably host-level matching is the more durable signal - verify against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3fa6d4a0-54ff-42df-a74c-371b45a4ddf5/google.ct"; depth:47; endswith; nocase; http.host; content:"crypticdialect.garden"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847974/; classtype:trojan-activity;sid:84711074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7048186296/dicjfqt.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847972/; classtype:trojan-activity;sid:84711072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/mol/random.exe"; depth:21; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847973/; classtype:trojan-activity;sid:84711073; rev:1;)
# Three more hosts serving the two-byte path "/i"; the host condition carries all the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.164.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847971/; classtype:trojan-activity;sid:84711071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.151.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847970/; classtype:trojan-activity;sid:84711070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847969/; classtype:trojan-activity;sid:84711069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847968)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bd33af05-7dbb-4e3e-afad-6a0b2872177c/google.ct"; depth:47; endswith; nocase; http.host; content:"urban-graffiti-crew.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847968/; classtype:trojan-activity;sid:84711068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847967/; classtype:trojan-activity;sid:84711067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.9.43"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847966/; classtype:trojan-activity;sid:84711066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=ffde8c91-ceed-427f-bcb0-fd476fb905ef"; depth:47; endswith; nocase; http.host; content:"k2bs9h2k.proxy-horizon.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847965/; classtype:trojan-activity;sid:84711065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.155.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847964/; 
classtype:trojan-activity;sid:84711064; rev:1;)
# URLhaus download-URL indicators, one complete rule per line. The first and last lines of
# this span are halves of rules that this copy of the feed splits across physical lines;
# Suricata expects a rule on a single line, so rejoin them before loading.
# Every rule has the same shape: an established, client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri ends with the listed path inside the given depth (nocase) and
# whose http.host is exactly the listed value (depth equals its length and
# isdataat:!1,relative forbids trailing bytes).
# Coverage note: only traffic parsed as HTTP is inspected, so the same URL fetched over TLS
# does not alert unless it is decrypted upstream. The "/i" and "/bin.sh" rules below rely on
# the exact host match for their specificity; the URI pattern alone is only 2 or 7 bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.164.205"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847962/; classtype:trojan-activity;sid:84711062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.202.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847963/; classtype:trojan-activity;sid:84711063; rev:1;)
# "/<uuid>/google.ct" paths on .garden hosts: 1 + 36 + 10 = 47 bytes, matching depth:47.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15d69e05-8c58-40fc-a876-6466dd197a62/google.ct"; depth:47; endswith; nocase; http.host; content:"containerizedplantmesh.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847961/; classtype:trojan-activity;sid:84711061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.98.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847960/; classtype:trojan-activity;sid:84711060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.49.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847959/; classtype:trojan-activity;sid:84711059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.155.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847958/; classtype:trojan-activity;sid:84711058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca2b3a34-e3eb-4101-9b45-77579341b4df/google.ct"; depth:47; endswith; nocase; http.host; content:"flora-monitoring-core.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847957/; classtype:trojan-activity;sid:84711057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847956/; classtype:trojan-activity;sid:84711056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9ecd427d-26f4-4ded-ac8b-0dbf057a0564/google.ct"; depth:47; endswith; nocase; http.host; content:"meadowworkflowplatform.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847955/; classtype:trojan-activity;sid:84711055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.208.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847954/; classtype:trojan-activity;sid:84711054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.148.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847953/; classtype:trojan-activity;sid:84711053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d68e06db-f257-419a-ac77-66f68c686f93/google.ct"; depth:47; endswith; nocase; http.host; content:"federatedgardencluster.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847952/; classtype:trojan-activity;sid:84711052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847951/; classtype:trojan-activity;sid:84711051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"98.252.87.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847950/; classtype:trojan-activity;sid:84711050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/436171c4-0354-49a8-99d2-dbda3d16b96c/google.ct"; depth:47; endswith; nocase; http.host; content:"irrigation-management-system.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847949/; classtype:trojan-activity;sid:84711049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.59.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847948/; classtype:trojan-activity;sid:84711048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847947/; classtype:trojan-activity;sid:84711047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8d74d874-5b10-4762-b606-283978d3bf3e/google.ct"; depth:47; endswith; nocase; http.host; content:"botanicalprocessingengine.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847946/; classtype:trojan-activity;sid:84711046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847945)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847945/; classtype:trojan-activity;sid:84711045; rev:1;)
# URLhaus download-URL indicators, one complete rule per line. The first and last lines of
# this span are halves of rules that this copy of the feed splits across physical lines;
# Suricata expects a rule on a single line, so rejoin them before loading.
# Every rule has the same shape: an established, client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri ends with the listed path inside the given depth (nocase) and
# whose http.host is exactly the listed value (depth equals its length and
# isdataat:!1,relative forbids trailing bytes).
# Coverage note: only traffic parsed as HTTP is inspected, so the same URL fetched over TLS
# does not alert unless it is decrypted upstream. Because host and path are both matched
# exactly, a renamed file or a new host for the same payload needs a new feed entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.dll"; depth:6; endswith; nocase; http.host; content:"27.124.17.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847944/; classtype:trojan-activity;sid:84711044; rev:1;)
# Host 69sexy.duckdns.org: short binary and script names at the web root.
# NOTE(review): duckdns.org is a dynamic-DNS domain, so the address behind this name can
# change without the rule changing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847939/; classtype:trojan-activity;sid:84711039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847940/; classtype:trojan-activity;sid:84711040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847941/; classtype:trojan-activity;sid:84711041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847942/; classtype:trojan-activity;sid:84711042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847943/; classtype:trojan-activity;sid:84711043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847938/; classtype:trojan-activity;sid:84711038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847937/; classtype:trojan-activity;sid:84711037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb8ipc.sh"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847935/; classtype:trojan-activity;sid:84711035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847936/; classtype:trojan-activity;sid:84711036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.dll"; depth:6; endswith; nocase; http.host; content:"27.124.17.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847934/; classtype:trojan-activity;sid:84711034; rev:1;)
# Host 176.65.139.131: the same file names as listed above for 69sexy.duckdns.org.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847932/; classtype:trojan-activity;sid:84711032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847933/; classtype:trojan-activity;sid:84711033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847928/; classtype:trojan-activity;sid:84711028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847929/; classtype:trojan-activity;sid:84711029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847930/; classtype:trojan-activity;sid:84711030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847931/; classtype:trojan-activity;sid:84711031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847926/; classtype:trojan-activity;sid:84711026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847927)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847927/; classtype:trojan-activity;sid:84711027; rev:1;)
# URLhaus download-URL indicators, one complete rule per line. The first and last lines of
# this span are halves of rules that this copy of the feed splits across physical lines;
# Suricata expects a rule on a single line, so rejoin them before loading.
# Every rule has the same shape: an established, client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri ends with the listed path inside the given depth (nocase) and
# whose http.host is exactly the listed value (depth equals its length and
# isdataat:!1,relative forbids trailing bytes).
# Coverage note: only traffic parsed as HTTP is inspected, so the same URL fetched over TLS
# does not alert unless it is decrypted upstream. Because host and path are both matched
# exactly, a renamed file or a new host for the same payload needs a new feed entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847925/; classtype:trojan-activity;sid:84711025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hb8ipc.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847924/; classtype:trojan-activity;sid:84711024; rev:1;)
# "/<uuid>/google.ct" path: 1 + 36 + 10 = 47 bytes, matching depth:47.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a378e22b-2a49-4bb9-b54a-b4190c4edaa7/google.ct"; depth:47; endswith; nocase; http.host; content:"botanicalprocessingengine.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847923/; classtype:trojan-activity;sid:84711023; rev:1;)
# Host 69sexy.duckdns.org, "/bins/" directory: one script plus one file per suffix.
# NOTE(review): duckdns.org is a dynamic-DNS domain, so the address behind this name can
# change without the rule changing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/anti-malware.sh"; depth:21; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847922/; classtype:trojan-activity;sid:84711022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847921/; classtype:trojan-activity;sid:84711021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847915/; classtype:trojan-activity;sid:84711015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847916/; classtype:trojan-activity;sid:84711016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847917/; classtype:trojan-activity;sid:84711017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847918/; classtype:trojan-activity;sid:84711018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847919/; classtype:trojan-activity;sid:84711019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847920/; classtype:trojan-activity;sid:84711020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847911/; classtype:trojan-activity;sid:84711011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm4"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847912/; classtype:trojan-activity;sid:84711012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847913/; classtype:trojan-activity;sid:84711013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc440"; depth:12; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847914/; classtype:trojan-activity;sid:84711014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847910/; classtype:trojan-activity;sid:84711010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arc700"; depth:12; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847908/; classtype:trojan-activity;sid:84711008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm64"; depth:11; endswith; nocase; http.host; content:"69sexy.duckdns.org"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847909/; 
classtype:trojan-activity;sid:84711009; rev:1;)
# URLhaus download-URL indicators, one complete rule per line. The first and last lines of
# this span are halves of rules that this copy of the feed splits across physical lines;
# Suricata expects a rule on a single line, so rejoin them before loading.
# Every rule has the same shape: an established, client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri ends with the listed path inside the given depth (nocase) and
# whose http.host is exactly the listed value (depth equals its length and
# isdataat:!1,relative forbids trailing bytes).
# Coverage note: only traffic parsed as HTTP is inspected, so the same URL fetched over TLS
# does not alert unless it is decrypted upstream. NOTE(review): hosts given as IP literals
# can be reassigned; metadata:created_at is the only age signal carried by the rule.
#
# NOTE(review): "|3f|" is a single byte ("?"), so the URI pattern below is 44 bytes long while
# depth is 47. With endswith the URI may carry up to 3 extra leading bytes and still match;
# depth:44 would pin it exactly, as the other rules in this file do.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=a0a67edc-7d02-4b05-9720-695e3e783102"; depth:47; endswith; nocase; http.host; content:"2ol471ks.kernel-lattice.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847907/; classtype:trojan-activity;sid:84711007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847906/; classtype:trojan-activity;sid:84711006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.49.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847905/; classtype:trojan-activity;sid:84711005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ciabins.sh"; depth:11; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847904/; classtype:trojan-activity;sid:84711004; rev:1;)
# Host 31.56.209.125: "uwu.<suffix>" files plus one script, each with its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.m68k"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847899/; classtype:trojan-activity;sid:84710999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.mipsel"; depth:11; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847900/; classtype:trojan-activity;sid:84711000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.sparc"; depth:10; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847901/; classtype:trojan-activity;sid:84711001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.i486"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847902/; classtype:trojan-activity;sid:84711002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.arc"; depth:8; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847903/; classtype:trojan-activity;sid:84711003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.aarch64"; depth:12; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847888/; classtype:trojan-activity;sid:84710988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.x86_64"; depth:11; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847889/; classtype:trojan-activity;sid:84710989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.armv5l"; depth:11; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847890/; classtype:trojan-activity;sid:84710990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.armv6l"; depth:11; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847891/; classtype:trojan-activity;sid:84710991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.sh4"; depth:8; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847892/; classtype:trojan-activity;sid:84710992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.powerpc"; depth:12; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847893/; classtype:trojan-activity;sid:84710993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.armv7l"; depth:11; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847894/; classtype:trojan-activity;sid:84710994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.armv4l"; depth:11; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847895/; classtype:trojan-activity;sid:84710995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.mipsrouter"; depth:15; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847896/; classtype:trojan-activity;sid:84710996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rct888.sh"; depth:10; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847897/; classtype:trojan-activity;sid:84710997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uwu.mips"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847898/; classtype:trojan-activity;sid:84710998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/anti-malware.sh"; depth:21; endswith; nocase; http.host; content:"176.65.139.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847887/; classtype:trojan-activity;sid:84710987; rev:1;)
# Host 85.11.167.89: "bot_<suffix>" files.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_native"; depth:11; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847886/; classtype:trojan-activity;sid:84710986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mipsel"; depth:11; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847872/; classtype:trojan-activity;sid:84710972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_armv7"; 
depth:10; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847873/; classtype:trojan-activity;sid:84710973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847874/; classtype:trojan-activity;sid:84710974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_powerpc64"; depth:14; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847875/; classtype:trojan-activity;sid:84710975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_riscv64"; depth:12; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847876/; classtype:trojan-activity;sid:84710976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_armv5tel"; depth:13; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847877/; classtype:trojan-activity;sid:84710977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3847878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mips"; depth:9; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847878/; classtype:trojan-activity;sid:84710978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_sh4"; depth:8; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847879/; classtype:trojan-activity;sid:84710979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_mips64"; depth:11; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847880/; classtype:trojan-activity;sid:84710980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_aarch64"; depth:12; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847881/; classtype:trojan-activity;sid:84710981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_powerpc"; depth:12; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847882/; classtype:trojan-activity;sid:84710982; rev:1;) 
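# ---------------------------------------------------------------------------
# One rule per line. Every rule in this section has the same shape and differs
# only in URI pattern, host, URLhaus id and sid:
#   flow:established,from_client      request side of an established flow
#   http.method; content:"GET"        method buffer contains GET
#   http.uri; content; depth:<len>; endswith; nocase
#       depth equals the pattern length and endswith pins the end of the
#       buffer, so the whole URI must equal the pattern (case-insensitive)
#   http.host; content; depth:<len>; isdataat:!1,relative
#       no byte may follow the pattern, so the whole host value must equal it
# An alert means a host in $HOME_NET sent a cleartext HTTP GET for a URL that
# URLhaus lists as a malware download location; the reference: option points
# at the URLhaus entry for triage.
# Coverage notes for whoever deploys this:
#   - only cleartext HTTP is inspected; the same URL fetched over TLS is not
#     seen by these rules unless traffic is decrypted before the sensor
#   - the header requires $HOME_NET -> $EXTERNAL_NET; requests sent to a proxy
#     address inside $HOME_NET would presumably not satisfy it -- check sensor
#     placement
#   - very short URIs ("/i", "/bot", "/arm", ...) are only as specific as the
#     host match that accompanies them
#   - entries are point-in-time (metadata:created_at); treat a hit as a lead
#     and confirm what the server actually returned
# ---------------------------------------------------------------------------
# Host 85.11.167.89
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_sparc64"; depth:12; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847883/; classtype:trojan-activity;sid:84710983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bott"; depth:5; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847884/; classtype:trojan-activity;sid:84710984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot"; depth:4; endswith; nocase; http.host; content:"85.11.167.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847885/; classtype:trojan-activity;sid:84710985; rev:1;)
# Host 64.89.163.196: every URI in this group appears in two rules that carry
# different URLhaus ids and sids but identical match conditions, so a single
# request raises two alerts. Presumably the two URLhaus entries differ in
# something the rule does not encode (port or scheme) -- confirm on the
# referenced URLhaus pages before suppressing either sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mips"; depth:14; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847871/; classtype:trojan-activity;sid:84710971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mipsel"; depth:16; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847852/; classtype:trojan-activity;sid:84710952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_powerpc"; depth:17; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847853/; classtype:trojan-activity;sid:84710953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_sh4"; depth:13; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847854/; classtype:trojan-activity;sid:84710954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_powerpc"; depth:17; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847855/; classtype:trojan-activity;sid:84710955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mips"; depth:14; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847856/; classtype:trojan-activity;sid:84710956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_arm"; depth:13; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847857/; classtype:trojan-activity;sid:84710957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_x86"; depth:13; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847858/; classtype:trojan-activity;sid:84710958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_arm7"; depth:14; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847859/; classtype:trojan-activity;sid:84710959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/biiin"; depth:6; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847860/; classtype:trojan-activity;sid:84710960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_arm"; depth:13; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847861/; classtype:trojan-activity;sid:84710961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_arm7"; depth:14; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847862/; classtype:trojan-activity;sid:84710962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/biiin"; depth:6; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847863/; classtype:trojan-activity;sid:84710963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_x86_64"; depth:16; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847864/; classtype:trojan-activity;sid:84710964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_sh4"; depth:13; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847865/; classtype:trojan-activity;sid:84710965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_mipsel"; depth:16; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847866/; classtype:trojan-activity;sid:84710966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_m68k"; depth:14; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847867/; classtype:trojan-activity;sid:84710967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_x86"; depth:13; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847868/; classtype:trojan-activity;sid:84710968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_x86_64"; depth:16; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847869/; classtype:trojan-activity;sid:84710969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot_m68k"; depth:14; endswith; nocase; http.host; content:"64.89.163.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847870/; classtype:trojan-activity;sid:84710970; rev:1;)
# Mixed hosts from here on; rules are kept in feed order.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847850/; classtype:trojan-activity;sid:84710950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.59.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847851/; classtype:trojan-activity;sid:84710951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ec5977c8-6922-4675-9655-a60918f01623/google.cl"; depth:47; endswith; nocase; http.host; content:"bloommonitoringengine.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847849/; classtype:trojan-activity;sid:84710949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/60fc3bf4-547b-47bb-93bf-35bcc776b01b/google.cl"; depth:47; endswith; nocase; http.host; content:"gardeninfrastructurelab.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847848/; classtype:trojan-activity;sid:84710948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847847/; classtype:trojan-activity;sid:84710947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847840/; classtype:trojan-activity;sid:84710940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847841/; classtype:trojan-activity;sid:84710941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847842/; classtype:trojan-activity;sid:84710942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm64"; depth:14; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847843/; classtype:trojan-activity;sid:84710943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847844/; classtype:trojan-activity;sid:84710944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847845/; classtype:trojan-activity;sid:84710945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847846/; classtype:trojan-activity;sid:84710946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i386"; depth:5; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847838/; classtype:trojan-activity;sid:84710938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.3.107.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847839/; classtype:trojan-activity;sid:84710939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847836/; classtype:trojan-activity;sid:84710936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847837/; classtype:trojan-activity;sid:84710937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"153.75.248.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847835/; classtype:trojan-activity;sid:84710935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847834/; classtype:trojan-activity;sid:84710934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.236.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847833/; classtype:trojan-activity;sid:84710933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847832/; classtype:trojan-activity;sid:84710932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.195.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847831/; classtype:trojan-activity;sid:84710931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/75aa3eb1-b155-444d-b5c4-d470f2b0c78e/google.cl"; depth:47; endswith; nocase; http.host; content:"asynchronouswatering-system.garden"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847830/; classtype:trojan-activity;sid:84710930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"176.65.132.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847826/; classtype:trojan-activity;sid:84710926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diddy64"; depth:8; endswith; nocase; http.host; content:"176.65.132.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847827/; classtype:trojan-activity;sid:84710927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diddy67"; depth:8; endswith; nocase; http.host; content:"176.65.132.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847828/; classtype:trojan-activity;sid:84710928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/diddy7"; depth:7; endswith; nocase; http.host; content:"176.65.132.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847829/; classtype:trojan-activity;sid:84710929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.167.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847825/; classtype:trojan-activity;sid:84710925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.79.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847824/; classtype:trojan-activity;sid:84710924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7f3960db-f6a5-4cc9-8b4a-6480a32bee30/google.cl"; depth:47; endswith; nocase; http.host; content:"ecosystemmanagementhub.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847823/; classtype:trojan-activity;sid:84710923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847822/; classtype:trojan-activity;sid:84710922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.159.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847821/; classtype:trojan-activity;sid:84710921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.195.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847820/; classtype:trojan-activity;sid:84710920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.20.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847819/; classtype:trojan-activity;sid:84710919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.141.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847818/; classtype:trojan-activity;sid:84710918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847817/; classtype:trojan-activity;sid:84710917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.113.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847816/; classtype:trojan-activity;sid:84710916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.202.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847815/; classtype:trojan-activity;sid:84710915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/52657977-f247-401f-be5a-57293be9ee6c/google.cl"; depth:47; endswith; nocase; http.host; content:"flora-observability-core.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847814/; classtype:trojan-activity;sid:84710914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.166.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847813/; classtype:trojan-activity;sid:84710913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.159.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847812/; classtype:trojan-activity;sid:84710912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.79.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847811/; classtype:trojan-activity;sid:84710911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.240.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847810/; classtype:trojan-activity;sid:84710910; rev:1;)
# NOTE(review): the URI pattern in the next rule is 44 bytes, because |3f| is
# the single byte '?'. The feed shipped depth:47 (apparently counting the
# escape as four characters), which left up to three leading bytes of the URI
# unanchored. depth is set to 44 here so the rule is an exact match like the
# others. sid and rev are unchanged from the feed; a feed refresh will
# presumably restore the upstream value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=512ee820-596f-42da-b520-18215c55d79f"; depth:44; endswith; nocase; http.host; content:"3w32k3ih.signal-harbor.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847809/; classtype:trojan-activity;sid:84710909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.141.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847808/; classtype:trojan-activity;sid:84710908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.113.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847807/; classtype:trojan-activity;sid:84710907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fern_bot"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847805/; classtype:trojan-activity;sid:84710905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spread_fern.sh"; depth:15; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847806/; classtype:trojan-activity;sid:84710906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fern_bot.c"; depth:11; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; 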
reference:url, urlhaus.abuse.ch/url/3847797/; classtype:trojan-activity;sid:84710897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mass_deploy.sh"; depth:15; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847798/; classtype:trojan-activity;sid:84710898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fern.b64"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847799/; classtype:trojan-activity;sid:84710899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fern_server.c"; depth:14; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847800/; classtype:trojan-activity;sid:84710900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mass_fingerprint.sh"; depth:20; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847801/; classtype:trojan-activity;sid:84710901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fern_arm64"; 
depth:11; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847802/; classtype:trojan-activity;sid:84710902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fern_final_arm"; depth:15; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847803/; classtype:trojan-activity;sid:84710903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fern_arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847804/; classtype:trojan-activity;sid:84710904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/2047668550/lfkmypa.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847796/; classtype:trojan-activity;sid:84710896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f2670c83-6691-485c-823d-bcc616e1e44a/google.cl"; depth:47; endswith; nocase; http.host; content:"meadowprocessingcenter.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847795/; classtype:trojan-activity;sid:84710895; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.166.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847794/; classtype:trojan-activity;sid:84710894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.223.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847793/; classtype:trojan-activity;sid:84710893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r_linux_amd64"; depth:14; endswith; nocase; http.host; content:"45.82.254.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847792/; classtype:trojan-activity;sid:84710892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.ppc-11"; depth:13; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847791/; classtype:trojan-activity;sid:84710891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm6-11"; depth:14; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; 
reference:url, urlhaus.abuse.ch/url/3847790/; classtype:trojan-activity;sid:84710890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.mips-11"; depth:14; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847784/; classtype:trojan-activity;sid:84710884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.mpsl-11"; depth:14; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847785/; classtype:trojan-activity;sid:84710885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.x86_64-11"; depth:16; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847786/; classtype:trojan-activity;sid:84710886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm5-11"; depth:14; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847787/; classtype:trojan-activity;sid:84710887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.x86-11"; 
depth:13; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847788/; classtype:trojan-activity;sid:84710888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.sh4-11"; depth:13; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847789/; classtype:trojan-activity;sid:84710889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r_patched"; depth:10; endswith; nocase; http.host; content:"45.82.254.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847781/; classtype:trojan-activity;sid:84710881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/r_agent"; depth:18; endswith; nocase; http.host; content:"45.82.254.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847782/; classtype:trojan-activity;sid:84710882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r_windows_amd64.exe"; depth:20; endswith; nocase; http.host; content:"45.82.254.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847783/; classtype:trojan-activity;sid:84710883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3847780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r_8888"; depth:7; endswith; nocase; http.host; content:"45.82.254.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847780/; classtype:trojan-activity;sid:84710880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm7-11"; depth:14; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847779/; classtype:trojan-activity;sid:84710879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm-11"; depth:13; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847776/; classtype:trojan-activity;sid:84710876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.148.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847777/; classtype:trojan-activity;sid:84710877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; endswith; nocase; http.host; content:"cdn-assets.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847778/; 
classtype:trojan-activity;sid:84710878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.106.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847775/; classtype:trojan-activity;sid:84710875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847774/; classtype:trojan-activity;sid:84710874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d0063698-b81f-4a71-8b1e-d3563345ab78/google.cl"; depth:47; endswith; nocase; http.host; content:"federatedplantcluster.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847773/; classtype:trojan-activity;sid:84710873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.44.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847772/; classtype:trojan-activity;sid:84710872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847771/; classtype:trojan-activity;sid:84710871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.106.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847770/; classtype:trojan-activity;sid:84710870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.232.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847769/; classtype:trojan-activity;sid:84710869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.232.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847768/; classtype:trojan-activity;sid:84710868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"153.101.9.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847767/; classtype:trojan-activity;sid:84710867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847766)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.201.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847766/; classtype:trojan-activity;sid:84710866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ea2ee8a-5804-4fc2-a00c-e5b5960a84c0/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalresourceengine.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847765/; classtype:trojan-activity;sid:84710865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.55.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847764/; classtype:trojan-activity;sid:84710864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.28.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847763/; classtype:trojan-activity;sid:84710863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847762/; classtype:trojan-activity;sid:84710862; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"153.101.9.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847761/; classtype:trojan-activity;sid:84710861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847760/; classtype:trojan-activity;sid:84710860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.97.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847759/; classtype:trojan-activity;sid:84710859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.28.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847758/; classtype:trojan-activity;sid:84710858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6fe1707e-a98f-4f73-8157-3b6a892fb21c/google.cl"; depth:47; endswith; nocase; http.host; content:"wildfloragrowthsystem.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; 
reference:url, urlhaus.abuse.ch/url/3847757/; classtype:trojan-activity;sid:84710857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847756/; classtype:trojan-activity;sid:84710856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.197.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847755/; classtype:trojan-activity;sid:84710855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847754/; classtype:trojan-activity;sid:84710854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/424566da-9c73-4fe2-9deb-537180c772b9/google.cl"; depth:47; endswith; nocase; http.host; content:"petal-distribution-hub.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847752/; classtype:trojan-activity;sid:84710852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847753)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.244.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847753/; classtype:trojan-activity;sid:84710853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.156.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847751/; classtype:trojan-activity;sid:84710851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=e5b5d710-e0a2-473c-b3ad-74fc210ff8f0"; depth:47; endswith; nocase; http.host; content:"fkpsfevx.culling-posture-schnitzel.digital"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847750/; classtype:trojan-activity;sid:84710850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.151.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847749/; classtype:trojan-activity;sid:84710849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.156.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847748/; classtype:trojan-activity;sid:84710848; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.244.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847747/; classtype:trojan-activity;sid:84710847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.233.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847746/; classtype:trojan-activity;sid:84710846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.166.248.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847745/; classtype:trojan-activity;sid:84710845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.166.248.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847743/; classtype:trojan-activity;sid:84710843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2f57743e-2f2d-4e69-af96-71aab39ac85d/google.cl"; depth:47; endswith; nocase; http.host; content:"serverless-print-control-plane.garden"; depth:37; isdataat:!1,relative; 
metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847744/; classtype:trojan-activity;sid:84710844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/7m0g9inf47"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847738/; classtype:trojan-activity;sid:84710838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/8260f4p5nk"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847739/; classtype:trojan-activity;sid:84710839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/9rkb4qtpm3"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847740/; classtype:trojan-activity;sid:84710840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/b7hovpz6ti"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847741/; classtype:trojan-activity;sid:84710841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3847742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847742/; classtype:trojan-activity;sid:84710842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/qfighdyhbm"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847736/; classtype:trojan-activity;sid:84710836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/f1yu71wyjd"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847737/; classtype:trojan-activity;sid:84710837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/lhyrtqlndq"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847731/; classtype:trojan-activity;sid:84710831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/ezidr3y5ct"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_05_16; reference:url, urlhaus.abuse.ch/url/3847732/; classtype:trojan-activity;sid:84710832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/zkrbtwag7o"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847733/; classtype:trojan-activity;sid:84710833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/wpd1a29m25"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847734/; classtype:trojan-activity;sid:84710834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/xcjygk37yu"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847735/; classtype:trojan-activity;sid:84710835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/4jiz0v4h1r"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847729/; classtype:trojan-activity;sid:84710829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847730)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/84aghucl1g"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847730/; classtype:trojan-activity;sid:84710830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/mn42gxnolr"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847725/; classtype:trojan-activity;sid:84710825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/3aoq8phdv9"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847726/; classtype:trojan-activity;sid:84710826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/jc6g6x1vph"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847727/; classtype:trojan-activity;sid:84710827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/4vxlsuz00c"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847728/; classtype:trojan-activity;sid:84710828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/ksoilti7oi"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847724/; classtype:trojan-activity;sid:84710824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"122.139.49.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847723/; classtype:trojan-activity;sid:84710823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.229.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847722/; classtype:trojan-activity;sid:84710822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.148.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847721/; classtype:trojan-activity;sid:84710821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847720)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.233.127"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847720/; classtype:trojan-activity;sid:84710820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5d7760c5-e25a-4ae3-858a-d8e49411f7bc/google.cl"; depth:47; endswith; nocase; http.host; content:"core-ost-node-system.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847719/; classtype:trojan-activity;sid:84710819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.237.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847718/; classtype:trojan-activity;sid:84710818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.110.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847717/; classtype:trojan-activity;sid:84710817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.110.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847716/; classtype:trojan-activity;sid:84710816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3847715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.148.189"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847715/; classtype:trojan-activity;sid:84710815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.107.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847714/; classtype:trojan-activity;sid:84710814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e800c768-ead3-4b48-9568-5eba86cccafb/google.cl"; depth:47; endswith; nocase; http.host; content:"runtime-core-fabric-get.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847713/; classtype:trojan-activity;sid:84710813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.237.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847712/; classtype:trojan-activity;sid:84710812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; 
reference:url, urlhaus.abuse.ch/url/3847711/; classtype:trojan-activity;sid:84710811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.189.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847710/; classtype:trojan-activity;sid:84710810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/034bb288-66b3-4e1e-b8e6-247b202f7a5e/google.cl"; depth:47; endswith; nocase; http.host; content:"mixed-on-storage-layer.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847709/; classtype:trojan-activity;sid:84710809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.253.80.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847708/; classtype:trojan-activity;sid:84710808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.235.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847707/; classtype:trojan-activity;sid:84710807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847706/; classtype:trojan-activity;sid:84710806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847705/; classtype:trojan-activity;sid:84710805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847704/; classtype:trojan-activity;sid:84710804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847699/; classtype:trojan-activity;sid:84710799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847700/; classtype:trojan-activity;sid:84710800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847701)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847701/; classtype:trojan-activity;sid:84710801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847702/; classtype:trojan-activity;sid:84710802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"162.141.92.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847703/; classtype:trojan-activity;sid:84710803; rev:1;)
# NOTE(review): in the next rule (sid 84710798) the http.uri pattern decodes to 44 bytes,
# because "|3f|" is a single "?" byte, yet the rule says depth:47 -- apparently the length
# of the pattern as written, escape notation included. Combined with endswith, the rule
# therefore accepts any URI of up to 47 bytes that ends with the pattern, i.e. up to three
# leading bytes more than the exact URL listed by URLhaus. The other rules visible here use
# a depth equal to the decoded content length; depth:44 would give the same exact match.
# Presumably a generator artifact -- confirm, and correct it in the feed or in a local
# rule-modification step rather than by hand, since a downloaded ruleset is likely to be
# overwritten on the next update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=24a59e3b-0e28-4ea4-9199-e892fb187e87"; depth:47; endswith; nocase; http.host; content:"m1ub6qaj.kabardinskymonasticismradicalism.digital"; depth:49; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847698/; classtype:trojan-activity;sid:84710798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.233.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847697/; 
classtype:trojan-activity;sid:84710797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fe8f272e-cc4b-493f-b640-24d14c041fde/google.cl"; depth:47; endswith; nocase; http.host; content:"virtual-gate-way.garden"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847696/; classtype:trojan-activity;sid:84710796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.235.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847695/; classtype:trojan-activity;sid:84710795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.238.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847693/; classtype:trojan-activity;sid:84710793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.76.136.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847694/; classtype:trojan-activity;sid:84710794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"219.156.94.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847692/; classtype:trojan-activity;sid:84710792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847691/; classtype:trojan-activity;sid:84710791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.233.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847690/; classtype:trojan-activity;sid:84710790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/616930ac-cf7d-4536-936d-70aebd411a68/google.cl"; depth:47; endswith; nocase; http.host; content:"telemetry-folder-stream-core.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847689/; classtype:trojan-activity;sid:84710789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.94.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847688/; classtype:trojan-activity;sid:84710788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3847687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.148.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847687/; classtype:trojan-activity;sid:84710787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847686/; classtype:trojan-activity;sid:84710786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.36.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847685/; classtype:trojan-activity;sid:84710785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isass.exe"; depth:10; endswith; nocase; http.host; content:"134.122.189.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847684/; classtype:trojan-activity;sid:84710784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isass.exe"; depth:10; endswith; nocase; http.host; content:"134.122.189.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847682/; classtype:trojan-activity;sid:84710782; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isass.exe"; depth:10; endswith; nocase; http.host; content:"134.122.189.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847683/; classtype:trojan-activity;sid:84710783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.36.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847681/; classtype:trojan-activity;sid:84710781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f3c6c3f5-169c-4097-a716-caab93df632d/google.cl"; depth:47; endswith; nocase; http.host; content:"edge-network-on-hub.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847680/; classtype:trojan-activity;sid:84710780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.6.144"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847679/; classtype:trojan-activity;sid:84710779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.239.95"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847678/; classtype:trojan-activity;sid:84710778; rev:1;)
# NOTE(review): the run of "/dos.py" rules that starts here contains pairs with identical
# match conditions under different sids -- for example sid 84710768 and sid 84710774 both
# match GET /dos.py on host 107.182.128.74. The signature encodes only method, URI and
# host, so the underlying URLhaus entries presumably differ in something that is not
# matched (port or scheme -- confirm on the referenced URLhaus pages). A single request can
# therefore raise more than one alert; deduplicate on method, URI and host, or apply a
# threshold, before counting hits or paging on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847668/; classtype:trojan-activity;sid:84710768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847669/; classtype:trojan-activity;sid:84710769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847670/; classtype:trojan-activity;sid:84710770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847671/; classtype:trojan-activity;sid:84710771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; 
endswith; nocase; http.host; content:"107.182.128.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847672/; classtype:trojan-activity;sid:84710772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847673/; classtype:trojan-activity;sid:84710773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847674/; classtype:trojan-activity;sid:84710774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847675/; classtype:trojan-activity;sid:84710775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847676/; classtype:trojan-activity;sid:84710776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847677)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847677/; classtype:trojan-activity;sid:84710777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847655/; classtype:trojan-activity;sid:84710755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847656/; classtype:trojan-activity;sid:84710756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847657/; classtype:trojan-activity;sid:84710757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847658/; classtype:trojan-activity;sid:84710758; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.215"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847659/; classtype:trojan-activity;sid:84710759; rev:1;)
#
# Reading guide for the entries in this part of the ruleset (one URLhaus URL per rule).
# Every rule uses the same template:
#   flow:established,from_client
#       client-to-server direction of an established flow.
#   http.method; content:"GET"
#       request method buffer must contain GET.
#   http.uri; content:"<path>"; depth:<n>; endswith; nocase
#       <n> equals the length of <path>, so the content must start at offset 0 and
#       end at the end of the buffer: the URI has to equal <path>, case-insensitively.
#       Exception: the three |3f| rules, see the note above sid:84710745.
#   http.host; content:"<host>"; depth:<n>; isdataat:!1,relative
#       same idea for the host buffer: anchored at the start, and no byte may follow.
#
# Coverage limits worth knowing when triaging or relying on these rules:
#   - `alert http` inspects parsed HTTP only; the same URL fetched over TLS is not
#     seen unless traffic is decrypted before it reaches the sensor.
#   - The rule header is `$HOME_NET any -> $EXTERNAL_NET any`: detection depends on
#     HOME_NET/EXTERNAL_NET being set correctly, and no rule option matches the port.
#   - Matching is exact on both URI and host, so a changed path, an added query
#     string, or a new host/IP serving the same file is not covered.
#
# NOTE(review): sid:84710759 (above) and sid:84710760 (next) have identical match
# options and differ only in msg/reference/sid; the same holds for sid:84710763 and
# sid:84710764. A single request raises both alerts of a pair. Presumably the URLhaus
# entries differ in something the template does not encode (e.g. port or scheme) -
# confirm on the referenced URLhaus pages before de-duplicating.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.215"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847660/; classtype:trojan-activity;sid:84710760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847661/; classtype:trojan-activity;sid:84710761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847662/; classtype:trojan-activity;sid:84710762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847663/; classtype:trojan-activity;sid:84710763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847664/; classtype:trojan-activity;sid:84710764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847665/; classtype:trojan-activity;sid:84710765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847666/; classtype:trojan-activity;sid:84710766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847667/; classtype:trojan-activity;sid:84710767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.6.144"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847654/; classtype:trojan-activity;sid:84710754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_43dfe5f77a960846.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847653/; classtype:trojan-activity;sid:84710753; rev:1;)
# The "/<uuid>/google.cl" rules (this one and the others on *.garden hosts below) each
# pin one UUID and one host name; a request with a different UUID or to a sibling
# .garden host is matched only if it has its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56d3354c-1a93-4bf8-8f54-a718c4ef9cb3/google.cl"; depth:47; endswith; nocase; http.host; content:"micro-service-cluster.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847652/; classtype:trojan-activity;sid:84710752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.250.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847651/; classtype:trojan-activity;sid:84710751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.188.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847650/; classtype:trojan-activity;sid:84710750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/16f30028-c656-4d04-91b3-6e7723ad5aac/google.cl"; depth:47; endswith; nocase; http.host; content:"packet-relay-engine.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847649/; classtype:trojan-activity;sid:84710749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.87.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847648/; classtype:trojan-activity;sid:84710748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/237062a7-4770-471f-b121-06d88fac2d96/google.cl"; depth:47; endswith; nocase; http.host; content:"packet-relay-engine.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847647/; classtype:trojan-activity;sid:84710747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.235.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847646/; classtype:trojan-activity;sid:84710745; rev:1;)
# NOTE(review): |3f| is the hex escape for "?" and decodes to ONE byte, so this
# content is 44 bytes long while depth is 47 (the length of the escaped text).
# Together with endswith the pattern may therefore start up to 3 bytes into the
# URI buffer instead of being pinned to offset 0 like the other rules. The same
# applies to sid:84710702 and sid:84710676 below. Looks like the generator counts
# the escaped string - worth reporting upstream rather than patching locally,
# since a feed update would overwrite a local edit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=aaaac13d-05c3-454a-a72a-e2c34dd6cf43"; depth:47; endswith; nocase; http.host; content:"m8to2gkj.hundred-years-old.digital"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847645/; classtype:trojan-activity;sid:84710745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.36.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847644/; classtype:trojan-activity;sid:84710744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847641/; classtype:trojan-activity;sid:84710741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847642/; classtype:trojan-activity;sid:84710742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.198.224.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847643/; classtype:trojan-activity;sid:84710743; rev:1;)
# NOTE(review): the screenconnect.clientsetup.exe / support.client.exe file names
# follow remote-support client installer naming. These rules key on the listed host,
# not on the tool, so a hit means an endpoint fetched such an installer from a
# URLhaus-listed server; follow up by checking that endpoint for a remote-access
# client that was not deployed by the organisation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"23.148.146.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847640/; classtype:trojan-activity;sid:84710740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"23.148.146.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847639/; classtype:trojan-activity;sid:84710739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.cs"; depth:11; endswith; nocase; http.host; content:"178.16.53.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847638/; classtype:trojan-activity;sid:84710738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847637/; classtype:trojan-activity;sid:84710737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.188.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847636/; classtype:trojan-activity;sid:84710736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.47.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847635/; classtype:trojan-activity;sid:84710735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4cb01a99-4047-421b-a596-ef2a92f6f925/google.cl"; depth:47; endswith; nocase; http.host; content:"cloud-infrastructure.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847634/; classtype:trojan-activity;sid:84710734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.86.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847633/; classtype:trojan-activity;sid:84710733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2f0257f7-13c7-402d-8f59-9a99bf869542/google.cl"; depth:47; endswith; nocase; http.host; content:"get-on-processing-engine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847632/; classtype:trojan-activity;sid:84710732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.242.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847631/; classtype:trojan-activity;sid:84710731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.86.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847630/; classtype:trojan-activity;sid:84710730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.47.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847629/; classtype:trojan-activity;sid:84710729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847628/; classtype:trojan-activity;sid:84710728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.118.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847627/; classtype:trojan-activity;sid:84710727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.168.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847626/; classtype:trojan-activity;sid:84710726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.182.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847625/; classtype:trojan-activity;sid:84710725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/95ad08fe-2123-44c9-b065-d8e9879a2527/google.cl"; depth:47; endswith; nocase; http.host; content:"federated-grow-install-framework.garden"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847624/; classtype:trojan-activity;sid:84710724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.239.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847623/; classtype:trojan-activity;sid:84710723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847622/; classtype:trojan-activity;sid:84710722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.168.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847621/; classtype:trojan-activity;sid:84710721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.89.53.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847620/; classtype:trojan-activity;sid:84710720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.15.126.107"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847618/; classtype:trojan-activity;sid:84710718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.89.53.89"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847619/; classtype:trojan-activity;sid:84710719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.122.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847617/; classtype:trojan-activity;sid:84710717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.224.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847616/; classtype:trojan-activity;sid:84710716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.exe"; depth:11; endswith; nocase; http.host; content:"178.16.53.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847615/; classtype:trojan-activity;sid:84710715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4159f41d-c37f-487a-b866-a688ccee2272/google.cl"; depth:47; endswith; nocase; http.host; content:"folder-management-core.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847614/; classtype:trojan-activity;sid:84710714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.ps1"; depth:11; endswith; nocase; http.host; content:"178.16.53.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847611/; classtype:trojan-activity;sid:84710711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baal_encrypted.zip"; depth:19; endswith; nocase; http.host; content:"178.16.53.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847612/; classtype:trojan-activity;sid:84710712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baallast.zip"; depth:13; endswith; nocase; http.host; content:"178.16.53.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847613/; classtype:trojan-activity;sid:84710713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.182.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847610/; classtype:trojan-activity;sid:84710710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847609/; classtype:trojan-activity;sid:84710709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.215.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847608/; classtype:trojan-activity;sid:84710708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847607/; classtype:trojan-activity;sid:84710707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e99cca83-82c4-4db5-9649-b8d060e25abe/google.cl"; depth:47; endswith; nocase; http.host; content:"micro-fan-obs-plan.garden"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847606/; classtype:trojan-activity;sid:84710706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.122.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847605/; classtype:trojan-activity;sid:84710705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847604/; classtype:trojan-activity;sid:84710704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.239.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847603/; classtype:trojan-activity;sid:84710703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=1a92cf19-9810-475f-94f3-10f6b3e33bfd"; depth:47; endswith; nocase; http.host; content:"9yqks5fo.downplaying-sevenleague.digital"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847602/; classtype:trojan-activity;sid:84710702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6c92e176-5808-4b4f-9a53-360594bcc9ab/google.cl"; depth:47; endswith; nocase; http.host; content:"distrib-ost-penal-network.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847601/; classtype:trojan-activity;sid:84710701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.215.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847600/; classtype:trojan-activity;sid:84710700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847599/; classtype:trojan-activity;sid:84710699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847598/; classtype:trojan-activity;sid:84710698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fa840059-3192-4bfb-9c30-d037f336b27d/google.cl"; depth:47; endswith; nocase; http.host; content:"path-green-second-hub.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847597/; classtype:trojan-activity;sid:84710697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.238.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847596/; classtype:trojan-activity;sid:84710696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847595/; classtype:trojan-activity;sid:84710695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.214.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847594/; classtype:trojan-activity;sid:84710694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847593/; classtype:trojan-activity;sid:84710693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c11d3a77-2d81-4942-bdc0-7b4aa9b7620a/google.cl"; depth:47; endswith; nocase; http.host; content:"wild-folder-routing-path.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847592/; classtype:trojan-activity;sid:84710692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.238.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847591/; classtype:trojan-activity;sid:84710691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a7eb78fc-74c9-4abb-8e39-374c40cc2749/google.cl"; depth:47; endswith; nocase; http.host; content:"botan-it-getwork-flow.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847590/; classtype:trojan-activity;sid:84710690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.253.159.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847589/; classtype:trojan-activity;sid:84710689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.239.117.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847588/; classtype:trojan-activity;sid:84710688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.16.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847587/; classtype:trojan-activity;sid:84710687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2a7c59cc-0cd2-4ff6-ae49-d85b0b7cec9a/google.cl"; depth:47; endswith; nocase; http.host; content:"floriculture-mastery.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847586/; classtype:trojan-activity;sid:84710686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.253.159.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847585/; classtype:trojan-activity;sid:84710685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.16.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847584/; classtype:trojan-activity;sid:84710684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.87.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847583/; classtype:trojan-activity;sid:84710683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.2.25"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847582/; classtype:trojan-activity;sid:84710682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.239.117.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847581/; classtype:trojan-activity;sid:84710681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b946787d-7743-4a40-a98a-91bd2929d327/google.cl"; depth:47; endswith; nocase; http.host; content:"urban-botany-station.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847580/; classtype:trojan-activity;sid:84710680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.87.166"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847579/; classtype:trojan-activity;sid:84710679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bf12e268-157f-4797-8afa-1e9a30001c28/google.cl"; depth:47; endswith; nocase; http.host; content:"backyard-harvest-planner.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847578/; classtype:trojan-activity;sid:84710678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.250.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847577/; classtype:trojan-activity;sid:84710677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=f197ba83-0519-4c12-b5ad-8df436aa4d4e"; depth:47; endswith; nocase; http.host; content:"x0o600dr.clamshellkarakulchaalumina.digital"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847576/; classtype:trojan-activity;sid:84710676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.238.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847575/; classtype:trojan-activity;sid:84710675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.92.69"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847574/; classtype:trojan-activity;sid:84710674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.124.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847573/; classtype:trojan-activity;sid:84710673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847572/; classtype:trojan-activity;sid:84710672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.124.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847571/; classtype:trojan-activity;sid:84710671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.215.249.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847570/; classtype:trojan-activity;sid:84710670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.194.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847569/; classtype:trojan-activity;sid:84710669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.176.116.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847568/; classtype:trojan-activity;sid:84710668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/429e5532-8c10-4da4-9aee-c2eec2d23872/google.cl"; depth:47; endswith; nocase; http.host; content:"backyard-harvest-planner.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847567/; classtype:trojan-activity;sid:84710667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.189.209"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_05_16; reference:url, urlhaus.abuse.ch/url/3847566/; classtype:trojan-activity;sid:84710666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.194.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847565/; classtype:trojan-activity;sid:84710665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.189.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847564/; classtype:trojan-activity;sid:84710664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aa85d475-72f2-4c64-9cab-57a7c8a4d3be/google.cl"; depth:47; endswith; nocase; http.host; content:"evergreentimberland.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847563/; classtype:trojan-activity;sid:84710663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/97fd81ca-c9d8-4cf0-9efc-9eed59062bd4/google.cl"; depth:47; endswith; nocase; http.host; content:"backyard-harvest-planner.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847562/; classtype:trojan-activity;sid:84710662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847561)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=fda22a14-9425-42c7-9148-fd96f0b48f9c"; depth:47; endswith; nocase; http.host; content:"7uopofgy.steel-evar-yes-valence.digital"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847561/; classtype:trojan-activity;sid:84710661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a901e700-1b04-4503-80f0-5fe9a8be5043/google.cl"; depth:47; endswith; nocase; http.host; content:"floriculture-mastery.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847560/; classtype:trojan-activity;sid:84710660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.28.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847558/; classtype:trojan-activity;sid:84710658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.36.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847559/; classtype:trojan-activity;sid:84710659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.133.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, 
urlhaus.abuse.ch/url/3847557/; classtype:trojan-activity;sid:84710657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8e8886f4-b375-4200-b706-eb380ebd0c17/google.cl"; depth:47; endswith; nocase; http.host; content:"root-system-irrigation.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847556/; classtype:trojan-activity;sid:84710656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.28.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847555/; classtype:trojan-activity;sid:84710655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6350135267/bkjdilp.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847554/; classtype:trojan-activity;sid:84710654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847553/; classtype:trojan-activity;sid:84710653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847552)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c7e6f5da-e3e7-42a2-bcb6-c4952ac48511/google.cl"; depth:47; endswith; nocase; http.host; content:"herbal-extract-processing.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847552/; classtype:trojan-activity;sid:84710652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.133.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847551/; classtype:trojan-activity;sid:84710651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.4.247"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847550/; classtype:trojan-activity;sid:84710650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847549/; classtype:trojan-activity;sid:84710649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bcb4b20-d690-4b96-a6b6-86c319891dbe/google.cl"; depth:47; endswith; nocase; http.host; content:"natureoasisdesign.garden"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847548/; classtype:trojan-activity;sid:84710648; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.67.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847547/; classtype:trojan-activity;sid:84710647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847546/; classtype:trojan-activity;sid:84710646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a692b68-a93e-458e-a034-14d848813d91/google.cl"; depth:47; endswith; nocase; http.host; content:"automated-sprout-labs.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847545/; classtype:trojan-activity;sid:84710645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bf6dc6b0-6316-4b67-b154-ca62d7502392/google.cl"; depth:47; endswith; nocase; http.host; content:"automated-sprout-labs.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847544/; classtype:trojan-activity;sid:84710644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"115.49.67.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847543/; classtype:trojan-activity;sid:84710643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847542/; classtype:trojan-activity;sid:84710642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847541/; classtype:trojan-activity;sid:84710641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/w4wlaekqjkj3/corvus.exe"; depth:27; endswith; nocase; http.host; content:"tmpfiles.org"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847540/; classtype:trojan-activity;sid:84710640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4675675f-7f76-4d52-bd90-ec60844f092d/google.cl"; depth:47; endswith; nocase; http.host; content:"bio-soil-nutrients.garden"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847539/; classtype:trojan-activity;sid:84710639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3847538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.5.105"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847538/; classtype:trojan-activity;sid:84710638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.80.188"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847537/; classtype:trojan-activity;sid:84710637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1f141521-6828-40fa-9293-c17ae2bdc86b/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhouse-climate-control-sys.garden"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847536/; classtype:trojan-activity;sid:84710636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.26.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847535/; classtype:trojan-activity;sid:84710635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=8827a465-006d-4d43-b4de-60180d6240dd"; depth:47; endswith; nocase; http.host; content:"55n7r46d.bibliosmirk.digital"; depth:28; isdataat:!1,relative; 
metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847534/; classtype:trojan-activity;sid:84710634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.1.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847533/; classtype:trojan-activity;sid:84710633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.55.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847532/; classtype:trojan-activity;sid:84710632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4930701-431d-4f95-893a-a4deda7efdbd/google.cl"; depth:47; endswith; nocase; http.host; content:"vertical-eco-farming.garden"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847531/; classtype:trojan-activity;sid:84710631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.70.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847530/; classtype:trojan-activity;sid:84710630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847529)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/24fd9bd4-4632-4816-ac98-69b9d2bb7ce9/google.cl"; depth:47; endswith; nocase; http.host; content:"edge-bloom-platform.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_16; reference:url, urlhaus.abuse.ch/url/3847529/; classtype:trojan-activity;sid:84710629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_028b96fee351a313.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847528/; classtype:trojan-activity;sid:84710628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.146.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847527/; classtype:trojan-activity;sid:84710627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/108f5d12-33bd-4fe5-8c43-4685a2ed8617/google.cl"; depth:47; endswith; nocase; http.host; content:"telemetrygardenmesh.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847526/; classtype:trojan-activity;sid:84710626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.146.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, 
urlhaus.abuse.ch/url/3847525/; classtype:trojan-activity;sid:84710625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0c661191-9757-41de-b8db-5ec70b6e9434"; depth:47; endswith; nocase; http.host; content:"hxuznl6x.biennial-polovauniverse.digital"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847524/; classtype:trojan-activity;sid:84710624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847523/; classtype:trojan-activity;sid:84710623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847522/; classtype:trojan-activity;sid:84710622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/487f7201-44ff-412a-b505-3527dc6b6e1e/google.cl"; depth:47; endswith; nocase; http.host; content:"meadow-processing-engine.garden"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847521/; classtype:trojan-activity;sid:84710621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847520)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.114.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847520/; classtype:trojan-activity;sid:84710620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b1587680-6d53-4d69-9907-0a63f6987506/google.cl"; depth:47; endswith; nocase; http.host; content:"federatedgrowframework.garden"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847519/; classtype:trojan-activity;sid:84710619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.217.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847518/; classtype:trojan-activity;sid:84710618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.114.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847517/; classtype:trojan-activity;sid:84710617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40b7982b-1d14-4d95-aa8c-9ddf0d61e150/google.cl"; depth:47; endswith; nocase; http.host; content:"irrigation-management-core.garden"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_15; 
reference:url, urlhaus.abuse.ch/url/3847516/; classtype:trojan-activity;sid:84710616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.217.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847515/; classtype:trojan-activity;sid:84710615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847514/; classtype:trojan-activity;sid:84710614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/843a7f5a-4ae5-493c-9aa8-c71fea851a57/google.cl"; depth:47; endswith; nocase; http.host; content:"microfloraobservatory.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847513/; classtype:trojan-activity;sid:84710613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6627179a-c181-435c-90f1-0c3f0053e353/google.cl"; depth:47; endswith; nocase; http.host; content:"distributed-petal-network.garden"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847512/; classtype:trojan-activity;sid:84710612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847511)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847511/; classtype:trojan-activity;sid:84710611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.108.87.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847510/; classtype:trojan-activity;sid:84710610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.230.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847509/; classtype:trojan-activity;sid:84710609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.197.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847508/; classtype:trojan-activity;sid:84710608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.255.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847507/; classtype:trojan-activity;sid:84710607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3847506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.47.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847506/; classtype:trojan-activity;sid:84710606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6077499728/xttmslk.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847505/; classtype:trojan-activity;sid:84710605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847504/; classtype:trojan-activity;sid:84710604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.249.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847503/; classtype:trojan-activity;sid:84710603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/52d28ce8-a9eb-467c-be16-3e6ff541ad51/google.cl"; depth:47; endswith; nocase; http.host; content:"greenhousecontrolhub.garden"; depth:27; isdataat:!1,relative; metadata:created_at 
2026_05_15; reference:url, urlhaus.abuse.ch/url/3847502/; classtype:trojan-activity;sid:84710602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.72.230"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847501/; classtype:trojan-activity;sid:84710601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.108.87.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847500/; classtype:trojan-activity;sid:84710600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.255.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847499/; classtype:trojan-activity;sid:84710599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.92.78"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847498/; classtype:trojan-activity;sid:84710598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"42.239.230.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847497/; classtype:trojan-activity;sid:84710597; rev:1;)
# In the URI patterns below, |3f| is the hex-escaped "?" byte, so a pattern
# like "/|3f|ublib=<token>" covers the path and the query string together.
# Because depth equals the pattern length and endswith anchors the end, each
# tokenised rule ("/|3f|ublib=<token>", "/<uuid>/google.cl") matches one exact
# URL: a request to the same host carrying a different token does not alert.
# NOTE(review): if broader coverage of these host names is wanted, it has to
# come from a separate host-level control; these rules do not provide it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0d970525-7a0f-4fc7-a26f-b345c1def880"; depth:47; endswith; nocase; http.host; content:"ysuz4thn.bellow-norushka-pianissimo.digital"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847496/; classtype:trojan-activity;sid:84710596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1939e121-f35c-42df-8d42-2d48c74a1f9b/google.cl"; depth:47; endswith; nocase; http.host; content:"wildflower-routing-path.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847495/; classtype:trojan-activity;sid:84710595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.249.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847494/; classtype:trojan-activity;sid:84710594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847493/; classtype:trojan-activity;sid:84710593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.159.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847492/; classtype:trojan-activity;sid:84710592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.159.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847491/; classtype:trojan-activity;sid:84710591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e0587229-9369-4c97-8567-6162aeb858d9/google.cl"; depth:47; endswith; nocase; http.host; content:"botanicalworkflow.garden"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847490/; classtype:trojan-activity;sid:84710590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.72.230"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847489/; classtype:trojan-activity;sid:84710589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.215.84"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_15; reference:url, urlhaus.abuse.ch/url/3847488/; classtype:trojan-activity;sid:84710588; rev:1;)
# In every rule below the sid is the URLhaus entry id (the number in msg and
# in the reference URL) plus 80863100, e.g. 3847487 -> 84710587. That makes it
# possible to go from an alert's sid straight to the URLhaus entry, and to
# write per-sid suppress/threshold entries for one indicator.
# Several hosts appear twice, once with "/i" and once with "/bin.sh"
# (e.g. 119.117.165.150), so one contacted host can raise two distinct sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.43.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847487/; classtype:trojan-activity;sid:84710587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.110.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847486/; classtype:trojan-activity;sid:84710586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.88.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847485/; classtype:trojan-activity;sid:84710585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.98.97.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847484/; classtype:trojan-activity;sid:84710584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.123.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847483/; classtype:trojan-activity;sid:84710583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.165.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847482/; classtype:trojan-activity;sid:84710582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.197.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847481/; classtype:trojan-activity;sid:84710581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.147.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847480/; classtype:trojan-activity;sid:84710580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.117.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847479/; classtype:trojan-activity;sid:84710579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.161.160.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847478/; classtype:trojan-activity;sid:84710578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847477/; classtype:trojan-activity;sid:84710577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.165.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847476/; classtype:trojan-activity;sid:84710576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.162.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847475/; classtype:trojan-activity;sid:84710575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.186.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847474/; classtype:trojan-activity;sid:84710574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3847473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=a9de9e46-8f62-4200-8230-d2f575c4403f"; depth:47; endswith; nocase; http.host; content:"aqge8umy.khudrukrantingmanic.digital"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847473/; classtype:trojan-activity;sid:84710573; rev:1;)
# Four rules below pin "/bin/support.client.exe" and
# "/bin/screenconnect.clientsetup.exe" on 45.12.144.72 and 45.12.111.44.
# NOTE(review): the file names read like a remote-support client installer;
# the rules match the request only (exact URI plus exact Host), not the file
# content, so an alert says a host in $HOME_NET asked for that URL. Confirm
# on the endpoint whether a download completed and whether a remote-access
# client was installed before treating the alert as a compromise.
# The same paths served from any other host are not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9bbd2386-075f-43e7-a66d-bafc45da64ef/google.cl"; depth:47; endswith; nocase; http.host; content:"wildflower-path-mapping.garden"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847472/; classtype:trojan-activity;sid:84710572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.186.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847471/; classtype:trojan-activity;sid:84710571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.206.170.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847470/; classtype:trojan-activity;sid:84710570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a6a54ed-f8ce-42c5-932e-a2f0fcaf358e/google.cl"; depth:47; endswith; nocase; http.host; content:"flora-security-base.garden"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847469/; classtype:trojan-activity;sid:84710569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.12.144.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847467/; classtype:trojan-activity;sid:84710567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.12.144.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847468/; classtype:trojan-activity;sid:84710568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.206.170.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847466/; classtype:trojan-activity;sid:84710566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11acaa4a-2b88-418b-b652-63b84ab3eb57/google.cl"; depth:47; endswith; nocase; http.host; content:"hydropower-irrigation.garden"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847465/; classtype:trojan-activity;sid:84710565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.138.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847464/; classtype:trojan-activity;sid:84710564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.12.111.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847463/; classtype:trojan-activity;sid:84710563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.12.111.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847462/; classtype:trojan-activity;sid:84710562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.154.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847461/; classtype:trojan-activity;sid:84710561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.148.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; 
reference:url, urlhaus.abuse.ch/url/3847460/; classtype:trojan-activity;sid:84710560; rev:1;)
# These are "alert http" rules keyed on the http.method, http.uri and
# http.host buffers, so they can only match requests that Suricata's HTTP
# parser sees in cleartext.
# NOTE(review): whether the named hosts below (*.garden, *.courses,
# *.digital) also serve these paths over TLS is not visible here. If they do,
# these rules stay silent unless traffic is decrypted upstream, so DNS or TLS
# SNI coverage for the same host names is worth having alongside this file.
# sinkingyourself.courses appears in two rules that differ only in the
# UUID-shaped path segment; each rule matches one exact URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d6d385d3-406c-4a23-be31-4e83fcee4bb9/google.cl"; depth:47; endswith; nocase; http.host; content:"master-planting-logic-manual.garden"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847459/; classtype:trojan-activity;sid:84710559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8439fed1-f99d-411e-9487-86c81b5ca334/google.cl"; depth:47; endswith; nocase; http.host; content:"sinkingyourself.courses"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847458/; classtype:trojan-activity;sid:84710558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df12f25a-4180-4b52-8777-0cc74f20b13f/google.cl"; depth:47; endswith; nocase; http.host; content:"sinkingyourself.courses"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847457/; classtype:trojan-activity;sid:84710557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.148.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847456/; classtype:trojan-activity;sid:84710556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.154.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847455/; classtype:trojan-activity;sid:84710555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/be76711e-070a-40b5-8822-006143210ecb/google.cl"; depth:47; endswith; nocase; http.host; content:"dedicatetake-outpure.courses"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847454/; classtype:trojan-activity;sid:84710554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.60.191.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847453/; classtype:trojan-activity;sid:84710553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=91c6f7f5-937a-4089-bbcc-0b039e42f673"; depth:47; endswith; nocase; http.host; content:"clwoce8k.runtime-atlas.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847452/; classtype:trojan-activity;sid:84710552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=fa716cd3-f3ca-47ea-aa7d-e16dd1a9ad17"; depth:47; endswith; nocase; http.host; 
content:"juw0th09.runtime-atlas.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847451/; classtype:trojan-activity;sid:84710551; rev:1;)
# Eleven of the rules below pin the same host, 176.65.139.186: ten
# "/proxy.<name>-11" paths (arm, arm5, arm6, arm7, mips, mpsl, ppc, sh4, x86,
# x86_64) and "/update".
# NOTE(review): the suffixes look like CPU-architecture build names, which
# would mean one payload family offered per device type; that is inferred from
# the file names only. For triage, an alert on any one of these sids is a
# reason to pull all traffic from the same internal source to this host, since
# the other paths are covered by sibling rules rather than by one host rule.
# "/update" is a generic path; only the exact host match keeps it specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/be5db3ee-e7dc-4b76-9e3d-3b063fc30991/google.cl"; depth:47; endswith; nocase; http.host; content:"bottom-less-waiter-natural.courses"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847450/; classtype:trojan-activity;sid:84710550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0d60933f-a1d2-4d88-8145-7fa5a1091ba9/google.ct"; depth:47; endswith; nocase; http.host; content:"donutinsulinphilosophy.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847449/; classtype:trojan-activity;sid:84710549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm5-11"; depth:14; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847446/; classtype:trojan-activity;sid:84710546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm6-11"; depth:14; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847447/; classtype:trojan-activity;sid:84710547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.x86_64-11"; depth:16; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847448/; classtype:trojan-activity;sid:84710548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847445/; classtype:trojan-activity;sid:84710545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm-11"; depth:13; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847438/; classtype:trojan-activity;sid:84710538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.mpsl-11"; depth:14; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847439/; classtype:trojan-activity;sid:84710539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.x86-11"; depth:13; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847440/; classtype:trojan-activity;sid:84710540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.mips-11"; depth:14; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847441/; classtype:trojan-activity;sid:84710541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.arm7-11"; depth:14; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847442/; classtype:trojan-activity;sid:84710542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.ppc-11"; depth:13; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847443/; classtype:trojan-activity;sid:84710543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxy.sh4-11"; depth:13; endswith; nocase; http.host; content:"176.65.139.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847444/; classtype:trojan-activity;sid:84710544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847437)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bbc13333-5067-40fa-8730-e7d23d77f6fb/google.ct"; depth:47; endswith; nocase; http.host; content:"proxy-matrix-kernel-on.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847437/; classtype:trojan-activity;sid:84710537; rev:1;)
# Direction is fixed as $HOME_NET -> $EXTERNAL_NET, so these rules depend on
# both variables being set for the monitored network: a client that falls
# outside $HOME_NET, or a destination that falls inside it, is not evaluated.
# Most indicators below are IP-literal Host values stamped with created_at.
# NOTE(review): an address can change hands after the entry was created, so
# rule age is worth weighing during triage - confirm the current status at
# the reference URL rather than relying on the alert alone.
# "/mips", "/m68k", "/arm6" and "/i686" on 193.32.162.218 and 162.141.92.192
# look like per-architecture file names (inferred from the names only).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.117.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847436/; classtype:trojan-activity;sid:84710536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aee02a21-aeac-4525-9a9e-7cc8375ade21/google.ct"; depth:47; endswith; nocase; http.host; content:"culling-posture-on-folder.courses"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847435/; classtype:trojan-activity;sid:84710535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.177.251.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847434/; classtype:trojan-activity;sid:84710534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.126.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847432/; classtype:trojan-activity;sid:84710532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.31.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847433/; classtype:trojan-activity;sid:84710533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.224.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847431/; classtype:trojan-activity;sid:84710531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.224.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847430/; classtype:trojan-activity;sid:84710530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.95.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847429/; classtype:trojan-activity;sid:84710529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"162.141.92.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847428/; classtype:trojan-activity;sid:84710528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847425/; classtype:trojan-activity;sid:84710525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847426/; classtype:trojan-activity;sid:84710526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847427/; classtype:trojan-activity;sid:84710527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"162.141.92.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847424/; classtype:trojan-activity;sid:84710524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"182.126.126.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847423/; classtype:trojan-activity;sid:84710523; rev:1;)
# flow:established,from_client restricts matching to the client's request;
# nothing in these rules looks at the server's response. An alert therefore
# records that a host in $HOME_NET requested the listed URL, not that a
# payload was returned or executed.
# NOTE(review): pair the alert with the HTTP response status and any file or
# endpoint telemetry for the same flow before deciding on severity.
# All rules share one msg text and differ only in the numeric id, so the sid
# or the reference URL is what identifies the indicator in alert output.
# The "/systemctl/bin.<name>" rules at the end pin one host, 46.8.78.55.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51b2c158-5b76-48ec-9553-250484733d60/google.ct"; depth:47; endswith; nocase; http.host; content:"down-playing-folder-seven-ue.courses"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847422/; classtype:trojan-activity;sid:84710522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.16.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847421/; classtype:trojan-activity;sid:84710521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.117.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847420/; classtype:trojan-activity;sid:84710520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.226.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847419/; classtype:trojan-activity;sid:84710519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.45.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847418/; classtype:trojan-activity;sid:84710518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.57.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847417/; classtype:trojan-activity;sid:84710517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21c380fc-d305-43ea-bfea-9907356ea85e/google.ct"; depth:47; endswith; nocase; http.host; content:"steel-glok-yes-valence.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847415/; classtype:trojan-activity;sid:84710515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.16.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847416/; classtype:trojan-activity;sid:84710516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847413/; classtype:trojan-activity;sid:84710513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.53.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847414/; classtype:trojan-activity;sid:84710514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv4l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847412/; classtype:trojan-activity;sid:84710512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv6l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847406/; classtype:trojan-activity;sid:84710506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.sparc"; depth:20; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847407/; classtype:trojan-activity;sid:84710507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv5l"; depth:21; endswith; nocase; http.host; 
content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847408/; classtype:trojan-activity;sid:84710508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.arc"; depth:18; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847409/; classtype:trojan-activity;sid:84710509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.armv7l"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847410/; classtype:trojan-activity;sid:84710510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.i586"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847411/; classtype:trojan-activity;sid:84710511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.sh4"; depth:18; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847401/; classtype:trojan-activity;sid:84710501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847402)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.powerpc"; depth:22; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847402/; classtype:trojan-activity;sid:84710502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.mipsel"; depth:21; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847403/; classtype:trojan-activity;sid:84710503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.mips"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847404/; classtype:trojan-activity;sid:84710504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/bin.m68k"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847405/; classtype:trojan-activity;sid:84710505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6c30840a-96be-4de0-ab56-885512b6a791/google.ct"; depth:47; endswith; nocase; http.host; content:"neural-atlas-code-flat.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, 
urlhaus.abuse.ch/url/3847400/; classtype:trojan-activity;sid:84710500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.53.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847399/; classtype:trojan-activity;sid:84710499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.57.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847398/; classtype:trojan-activity;sid:84710498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.45.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847397/; classtype:trojan-activity;sid:84710497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847396/; classtype:trojan-activity;sid:84710496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=ee2154dc-b6bf-487f-8721-b9935aae0be8"; depth:47; endswith; 
nocase; http.host; content:"cjjt9vzq.icewounded.digital"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847395/; classtype:trojan-activity;sid:84710495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.69.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847394/; classtype:trojan-activity;sid:84710494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e449cdb3-6091-44e7-a934-34ba9765dd19/google.ct"; depth:47; endswith; nocase; http.host; content:"get-folder-runtime-harbor.courses"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847393/; classtype:trojan-activity;sid:84710493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.spc"; depth:22; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847392/; classtype:trojan-activity;sid:84710492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i468"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847391/; classtype:trojan-activity;sid:84710491; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i686"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847390/; classtype:trojan-activity;sid:84710490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/trans.sh"; depth:19; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847389/; classtype:trojan-activity;sid:84710489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.168.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847388/; classtype:trojan-activity;sid:84710488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.56.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847387/; classtype:trojan-activity;sid:84710487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.103.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, 
urlhaus.abuse.ch/url/3847386/; classtype:trojan-activity;sid:84710486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbot.arm6"; depth:10; endswith; nocase; http.host; content:"31.56.209.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847385/; classtype:trojan-activity;sid:84710485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.80.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847384/; classtype:trojan-activity;sid:84710484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbot.x86"; depth:9; endswith; nocase; http.host; content:"31.56.209.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847379/; classtype:trojan-activity;sid:84710479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbot.arm4"; depth:10; endswith; nocase; http.host; content:"31.56.209.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847380/; classtype:trojan-activity;sid:84710480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbot.arm5"; depth:10; endswith; nocase; http.host; 
content:"31.56.209.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847381/; classtype:trojan-activity;sid:84710481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbot.mips"; depth:10; endswith; nocase; http.host; content:"31.56.209.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847382/; classtype:trojan-activity;sid:84710482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gbot.mpsl"; depth:10; endswith; nocase; http.host; content:"31.56.209.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847383/; classtype:trojan-activity;sid:84710483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xz.sh"; depth:6; endswith; nocase; http.host; content:"31.56.209.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847378/; classtype:trojan-activity;sid:84710478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4f6077ba-ff95-4178-950c-b572836dbad0/google.ct"; depth:47; endswith; nocase; http.host; content:"signal-late-it-folder.courses"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847377/; classtype:trojan-activity;sid:84710477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3847376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.69.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847376/; classtype:trojan-activity;sid:84710476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.103.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847375/; classtype:trojan-activity;sid:84710475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.71.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847374/; classtype:trojan-activity;sid:84710474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df90e108-b307-4766-8809-48822812d734/google.ct"; depth:47; endswith; nocase; http.host; content:"byte-horizon-get-hash.courses"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847373/; classtype:trojan-activity;sid:84710473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.122.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847372/; 
classtype:trojan-activity;sid:84710472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.252.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847371/; classtype:trojan-activity;sid:84710471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c352daa7-9e4e-4364-ad54-895ed35f9349/google.ct"; depth:47; endswith; nocase; http.host; content:"virtual-pipeline-ten-it.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847370/; classtype:trojan-activity;sid:84710470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06vffr"; depth:7; endswith; nocase; http.host; content:"185.186.244.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847369/; classtype:trojan-activity;sid:84710469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.88.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847368/; classtype:trojan-activity;sid:84710468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"222.137.139.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847367/; classtype:trojan-activity;sid:84710467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.122.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847366/; classtype:trojan-activity;sid:84710466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/68/simplecreationsforme.hta"; depth:28; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847365/; classtype:trojan-activity;sid:84710465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_182414.png"; depth:15; endswith; nocase; http.host; content:"raptore.yzz.me"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847364/; classtype:trojan-activity;sid:84710464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/fxetk.exe"; depth:29; endswith; nocase; http.host; content:"fiinterchillers.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847363/; classtype:trojan-activity;sid:84710463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3847362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/dlqdq.exe"; depth:29; endswith; nocase; http.host; content:"fiinterchillers.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847362/; classtype:trojan-activity;sid:84710462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ww26a.exe"; depth:10; endswith; nocase; http.host; content:"144.31.191.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847361/; classtype:trojan-activity;sid:84710461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.252.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847360/; classtype:trojan-activity;sid:84710460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/84538c33-f20a-46fa-ae13-a19324269d76/google.ct"; depth:47; endswith; nocase; http.host; content:"quantum-forge-nat.courses"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847359/; classtype:trojan-activity;sid:84710459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/out.txt"; depth:10; endswith; nocase; http.host; content:"94.154.32.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; 
reference:url, urlhaus.abuse.ch/url/3847358/; classtype:trojan-activity;sid:84710458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"144.172.117.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847344/; classtype:trojan-activity;sid:84710444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p-p.c-.crouvieum"; depth:17; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847345/; classtype:trojan-activity;sid:84710445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-3.2-.crouvieum"; depth:17; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847346/; classtype:trojan-activity;sid:84710446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-7.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847347/; classtype:trojan-activity;sid:84710447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847348)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/m-p.s-l.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847348/; classtype:trojan-activity;sid:84710448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-4.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847349/; classtype:trojan-activity;sid:84710449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x-8.6-.crouvieum"; depth:17; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847350/; classtype:trojan-activity;sid:84710450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-6.8-k.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847351/; classtype:trojan-activity;sid:84710451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-5.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847352/; classtype:trojan-activity;sid:84710452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3847353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s-h.4-.crouvieum"; depth:17; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847353/; classtype:trojan-activity;sid:84710453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m-i.p-s.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847354/; classtype:trojan-activity;sid:84710454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"77.90.51.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847355/; classtype:trojan-activity;sid:84710455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-r.m-6.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847356/; classtype:trojan-activity;sid:84710456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-5.8-6.crouvieum"; depth:18; endswith; nocase; http.host; content:"45.156.87.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, 
urlhaus.abuse.ch/url/3847357/; classtype:trojan-activity;sid:84710457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.x/sys_users"; depth:13; endswith; nocase; http.host; content:"13.71.2.244"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847341/; classtype:trojan-activity;sid:84710441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"whbackend.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847342/; classtype:trojan-activity;sid:84710442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.x/.sys/sys_users"; depth:18; endswith; nocase; http.host; content:"177.22.88.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847343/; classtype:trojan-activity;sid:84710443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_b584670f7ec2f317.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847340/; classtype:trojan-activity;sid:84710440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847339)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/file123"; depth:8; endswith; nocase; http.host; content:"vanta.st"; depth:8; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847339/; classtype:trojan-activity;sid:84710439; rev:1;)
# Per-URL URLhaus download signatures: each rule alerts on an established, client-side
# HTTP GET whose http.uri and http.host buffers both match one reported URL (reference:url).
# NOTE(review): mega.nz is a shared file-hosting host that is typically reached over HTTPS.
# An `alert http` rule only sees this request when it is sent in cleartext or the sensor
# inspects decrypted traffic, so a missing alert does not show the file was not fetched.
# The URI pattern is all-lowercase and matched with nocase, so it does not pin the letter
# case of the file identifier; treat a hit as "this host and path, any case".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/b8nd1tij"; depth:14; endswith; nocase; http.host; content:"mega.nz"; depth:7; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847337/; classtype:trojan-activity;sid:84710437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/631858/download"; depth:18; endswith; nocase; http.host; content:"download-api-endpoint.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847338/; classtype:trojan-activity;sid:84710438; rev:1;)
# The next two rules differ only in the file name under the same host and directory.
# Each sid covers exactly one reported file, not the directory as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_a543261976c5065f.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847333/; classtype:trojan-activity;sid:84710433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_1092293e5c2c1443.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847334/; classtype:trojan-activity;sid:84710434; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"hexvm.cloud"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847335/; classtype:trojan-activity;sid:84710435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemctl/adb.sh"; depth:17; endswith; nocase; http.host; content:"46.8.78.55"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847336/; classtype:trojan-activity;sid:84710436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/stim.arm7"; depth:15; endswith; nocase; http.host; content:"144.172.117.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847330/; classtype:trojan-activity;sid:84710430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm.nexus"; depth:15; endswith; nocase; http.host; content:"144.172.117.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847331/; classtype:trojan-activity;sid:84710431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64.nexus"; depth:18; endswith; nocase; http.host; content:"144.172.117.163"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847332/; classtype:trojan-activity;sid:84710432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"whbackend.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847326/; classtype:trojan-activity;sid:84710426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"whbackend.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847327/; classtype:trojan-activity;sid:84710427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"whbackend.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847328/; classtype:trojan-activity;sid:84710428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"whbackend.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847329/; classtype:trojan-activity;sid:84710429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847325)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"whbackend.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847325/; classtype:trojan-activity;sid:84710425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/client.exe"; depth:15; endswith; nocase; http.host; content:"sterlingreservewealth.info"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847323/; classtype:trojan-activity;sid:84710423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/pjibf.exe"; depth:20; endswith; nocase; http.host; content:"whbackend.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847324/; classtype:trojan-activity;sid:84710424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xqvma/5621390019_protected.exe"; depth:31; endswith; nocase; http.host; content:"temp.sh"; depth:7; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847322/; classtype:trojan-activity;sid:84710422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/631858"; depth:9; endswith; nocase; http.host; content:"endpoint-api-node.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847321/; 
classtype:trojan-activity;sid:84710421; rev:1;)
# Per-URL URLhaus download signatures: each rule alerts on an established, client-side
# HTTP GET whose http.uri and http.host buffers both match one reported URL (reference:url).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.101.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847319/; classtype:trojan-activity;sid:84710419; rev:1;)
# NOTE(review): depth looks to be computed from the rule text, not the decoded bytes.
# The pattern below is 37 bytes once |3f| decodes to "?", but depth is 40. Together with
# endswith, a URI carrying up to 3 extra leading bytes would, as I read it, still match,
# so this is slightly looser than an exact-URI match. Confirm that is intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.php|3f|slug=wondersharefilmore"; depth:40; endswith; nocase; http.host; content:"toolkeep.org"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847320/; classtype:trojan-activity;sid:84710420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.exe"; depth:10; endswith; nocase; http.host; content:"144.31.134.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847318/; classtype:trojan-activity;sid:84710418; rev:1;)
# NOTE(review): in content syntax |7c| is a literal pipe, so `|7c|26|7c|` decodes to the
# four bytes `|26|`, not to "&" (0x26, which would be written |26|). This looks like the
# generator escaped "&" and then escaped the resulting pipes a second time. If the reported
# URL separates its query parameters with "&", this pattern cannot match it and the rule
# is silently dead. Verify against the URLhaus entry before relying on this sid.
# depth:109 also counts the escape text; the decoded pattern is 94 bytes as written.
# www.dropbox.com is typically served over HTTPS, so an `alert http` rule only sees the
# request when it is sent in cleartext or the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/ogvy7w0udb1atkkvc7vd8/build.msi|3f|rlkey=k4vj7yhqvy1u5y1rp56kdectf|7c|26|7c|st=y0x3rw4l|7c|26|7c|dl=1"; depth:109; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847317/; classtype:trojan-activity;sid:84710417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847316)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.247.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847316/; classtype:trojan-activity;sid:84710416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.139.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847315/; classtype:trojan-activity;sid:84710415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dd9bda68-7894-4ee9-977c-e5fb21c95b38/google.ct"; depth:47; endswith; nocase; http.host; content:"diphtongspecialchess.courses"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847314/; classtype:trojan-activity;sid:84710414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.96.93.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847313/; classtype:trojan-activity;sid:84710413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.212.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847312/; classtype:trojan-activity;sid:84710412; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"103.113.70.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847311/; classtype:trojan-activity;sid:84710411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"103.113.70.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847309/; classtype:trojan-activity;sid:84710409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"103.113.70.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847310/; classtype:trojan-activity;sid:84710410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"103.113.70.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847307/; classtype:trojan-activity;sid:84710407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; 
content:"103.113.70.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847308/; classtype:trojan-activity;sid:84710408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.168.121"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847306/; classtype:trojan-activity;sid:84710406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.212.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847305/; classtype:trojan-activity;sid:84710405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=6f9e7e9a-ce06-48a8-bcad-aa6c985de92c"; depth:47; endswith; nocase; http.host; content:"9yg7582w.packet-lattice.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847304/; classtype:trojan-activity;sid:84710404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847303/; classtype:trojan-activity;sid:84710403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3847302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.206.85.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847302/; classtype:trojan-activity;sid:84710402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/44ee5dd0-cd5b-4706-baab-744f11481d47/google.ct"; depth:47; endswith; nocase; http.host; content:"hold-holdskopetztakenaback.courses"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847301/; classtype:trojan-activity;sid:84710401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f933ae6c-0b5c-4098-81ea-fceefcbdbf2a/google.ct"; depth:47; endswith; nocase; http.host; content:"eh-masled.courses"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847300/; classtype:trojan-activity;sid:84710400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.60.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847299/; classtype:trojan-activity;sid:84710399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.60.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; 
reference:url, urlhaus.abuse.ch/url/3847298/; classtype:trojan-activity;sid:84710398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847297/; classtype:trojan-activity;sid:84710397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2019e0a6-8ae4-495f-90ab-cb3d888f1369/google.ct"; depth:47; endswith; nocase; http.host; content:"hold-holdskopetztakenaback.courses"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847296/; classtype:trojan-activity;sid:84710396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.80.188"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847295/; classtype:trojan-activity;sid:84710395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847294/; classtype:trojan-activity;sid:84710394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847293/; classtype:trojan-activity;sid:84710393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.80.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847292/; classtype:trojan-activity;sid:84710392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8ab05d4b-08d8-41d4-925e-37f856bcdc23/google.ct"; depth:47; endswith; nocase; http.host; content:"diphtongspecialchess.courses"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847291/; classtype:trojan-activity;sid:84710391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.115.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847290/; classtype:trojan-activity;sid:84710390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847289/; classtype:trojan-activity;sid:84710389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3847288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847288/; classtype:trojan-activity;sid:84710388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.115.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847281/; classtype:trojan-activity;sid:84710381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847282/; classtype:trojan-activity;sid:84710382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847283/; classtype:trojan-activity;sid:84710383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847284/; 
classtype:trojan-activity;sid:84710384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847285/; classtype:trojan-activity;sid:84710385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847286/; classtype:trojan-activity;sid:84710386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847287/; classtype:trojan-activity;sid:84710387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847278/; classtype:trojan-activity;sid:84710378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847279/; classtype:trojan-activity;sid:84710379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847280/; classtype:trojan-activity;sid:84710380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847275/; classtype:trojan-activity;sid:84710375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847276/; classtype:trojan-activity;sid:84710376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlr.mpsl"; depth:9; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847277/; classtype:trojan-activity;sid:84710377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847273)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/arm7"; depth:5; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847273/; classtype:trojan-activity;sid:84710373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847274/; classtype:trojan-activity;sid:84710374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847271/; classtype:trojan-activity;sid:84710371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"104.251.180.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847272/; classtype:trojan-activity;sid:84710372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"209.99.187.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847270/; classtype:trojan-activity;sid:84710370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3847269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"209.99.189.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847269/; classtype:trojan-activity;sid:84710369; rev:1;)
# URLhaus exact-URL signatures, one rule per listed URL. A rule fires when a
# $HOME_NET client sends an HTTP GET whose normalized URI and Host both equal the
# listed strings: depth equals the content length, and endswith /
# isdataat:!1,relative forbid trailing bytes, so the whole buffer has to match.
# The URI match is case-insensitive (nocase); the Host content is written in
# lowercase, which is what the normalized http.host buffer holds.
# Coverage is cleartext HTTP only: the same URL fetched over TLS is not inspected
# unless traffic is decrypted in front of the sensor.
# NOTE(review): http.host is presumably matched without the port, which would
# make these rules port-agnostic -- confirm for the Suricata version in use.
#
# Remote-support client installer names served from 209.99.x.x hosts. File names
# like these also occur in legitimate deployments, so the Host match is what makes
# the alert meaningful; triage on the destination and on whether a payload was
# actually returned, not on the file name alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"209.99.187.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847266/; classtype:trojan-activity;sid:84710366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"209.99.189.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847267/; classtype:trojan-activity;sid:84710367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"209.99.188.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847268/; classtype:trojan-activity;sid:84710368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"209.99.185.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847265/; classtype:trojan-activity;sid:84710365; rev:1;)
# UUID-shaped directory plus /google.ct on a .courses host. The signature covers
# this one URL only; a different token on the same host will not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6c69e57-3651-4850-91fb-dd52a48f84df/google.ct"; depth:47; endswith; nocase; http.host; content:"flatten-goinghavethis-weight-lifting.courses"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847264/; classtype:trojan-activity;sid:84710364; rev:1;)
# Short script path on a bare IPv4 host; the specificity comes from the Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.115.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847263/; classtype:trojan-activity;sid:84710363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.80.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847262/; classtype:trojan-activity;sid:84710362; rev:1;)
# Architecture-named paths (/mips, /ppc64, /mipsel, /armv7l, /x86, /armv5l,
# /armv6l, /i686) and /run.sh, all on host 45.202.247.123. Alerts for several of
# these sids from one client are best correlated per destination host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847261/; classtype:trojan-activity;sid:84710361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847259/; classtype:trojan-activity;sid:84710359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847260/; classtype:trojan-activity;sid:84710360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847254/; classtype:trojan-activity;sid:84710354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847255/; classtype:trojan-activity;sid:84710355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847256/; classtype:trojan-activity;sid:84710356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847257/; classtype:trojan-activity;sid:84710357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847258/; classtype:trojan-activity;sid:84710358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"45.202.247.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847253/; classtype:trojan-activity;sid:84710353; rev:1;)
# Two-byte URI "/i": matched exactly (depth:2 + endswith) and only together with
# the listed Host, so a longer path beginning with "/i" does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847252/; classtype:trojan-activity;sid:84710352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.245.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847251/;
classtype:trojan-activity;sid:84710351; rev:1;)
# URLhaus exact-URL signatures: each rule needs an HTTP GET from $HOME_NET whose
# normalized URI (case-insensitive) and Host both equal the listed values; depth
# plus endswith / isdataat:!1,relative pin the full buffer. Cleartext HTTP only.
# metadata:created_at records when the entry was generated; listed hosts can be
# cleaned up or reassigned later, so old entries deserve re-validation before
# they drive blocking decisions.
#
# NOTE(review): "|3f|" is the hex escape for "?", so the URI content below decodes
# to 44 bytes ("/?ublib=" plus a 36-character token) while depth is 47, apparently
# counted on the escaped rule text. Combined with endswith, the rule therefore also
# accepts a URI of up to 47 bytes that merely ends in this string. The Host match
# still pins the destination. An exact match would need depth:44; this is better
# reported to the feed than patched locally, where a ruleset update would undo it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=3b901fbc-d20d-48a5-b75f-a775dd7201fe"; depth:47; endswith; nocase; http.host; content:"vsif6dio.animalspintroll-xerography.digital"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847250/; classtype:trojan-activity;sid:84710350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.245.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847249/; classtype:trojan-activity;sid:84710349; rev:1;)
# UUID-shaped directory plus /google.ct on .courses hosts (this rule and two more
# further down): each signature covers one URL only, so a different token on the
# same host does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4c2d6b8d-8ce8-4063-b767-4722b27cb7c9/google.ct"; depth:47; endswith; nocase; http.host; content:"madrigalscythianphenologist.courses"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847248/; classtype:trojan-activity;sid:84710348; rev:1;)
# "/i" and "/bin.sh" on bare IPv4 hosts: the URI is short and generic, so the
# Host match carries the specificity. Some hosts appear under both paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.215.207.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847247/; classtype:trojan-activity;sid:84710347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.101.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847246/; classtype:trojan-activity;sid:84710346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.42.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847245/; classtype:trojan-activity;sid:84710345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.189.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847244/; classtype:trojan-activity;sid:84710344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.101.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847243/; classtype:trojan-activity;sid:84710343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847242/; classtype:trojan-activity;sid:84710342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a87982c8-b7e5-4323-8793-3b7232b68d90/google.ct"; depth:47; endswith; nocase; http.host; content:"focus-mutovka-transfer-able.courses"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847241/; classtype:trojan-activity;sid:84710341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.189.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847240/; classtype:trojan-activity;sid:84710340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2b63824a-aa6e-4e6f-bf26-cd1020f677b2/google.ct"; depth:47; endswith; nocase; http.host; content:"bargecontradictionexcrement.courses"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847239/; classtype:trojan-activity;sid:84710339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.217.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847238/; classtype:trojan-activity;sid:84710338; rev:1;)
# Architecture-named paths (/x86_64, /arc, /mips, /x86, /arm7) on host
# 193.32.162.218, interleaved with one unrelated "/i" entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847235/; classtype:trojan-activity;sid:84710335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847236/; classtype:trojan-activity;sid:84710336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847237/; classtype:trojan-activity;sid:84710337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.92.78"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847234/; classtype:trojan-activity;sid:84710334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847233/; classtype:trojan-activity;sid:84710333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7";
depth:5; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847232/; classtype:trojan-activity;sid:84710332; rev:1;)
# URLhaus exact-URL signatures: an alert requires an established client-to-server
# HTTP flow from $HOME_NET, method GET, and a normalized URI and Host that equal
# the listed strings in full (depth = content length, no trailing data allowed).
# These are point indicators: they confirm a request to a listed URL, not that a
# payload was delivered or executed, so pair each hit with the HTTP response and
# file metadata for that flow when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"193.32.162.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847231/; classtype:trojan-activity;sid:84710331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.221.222.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847230/; classtype:trojan-activity;sid:84710330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.217.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847229/; classtype:trojan-activity;sid:84710329; rev:1;)
# UUID-shaped directory plus /google.ct on .courses hosts (this rule and three
# more below). Every listed URL carries a different token and host name, so these
# signatures do not generalize to sibling URLs; a pattern-based rule would be
# needed for that, with its own false-positive review.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/948d1452-0df6-4327-a801-5e906b407c64/google.ct"; depth:47; endswith; nocase; http.host; content:"bushrosvalni.courses"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847228/; classtype:trojan-activity;sid:84710328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.119.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847227/; classtype:trojan-activity;sid:84710327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.60.179"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847226/; classtype:trojan-activity;sid:84710326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.245.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847225/; classtype:trojan-activity;sid:84710325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0085c648-3ab0-4c14-8cdc-ca79cba7700a/google.ct"; depth:47; endswith; nocase; http.host; content:"correction-pancake-seissy.courses"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847224/; classtype:trojan-activity;sid:84710324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.247.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847223/; classtype:trojan-activity;sid:84710323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.126.195"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847221/; classtype:trojan-activity;sid:84710321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.113.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847222/; classtype:trojan-activity;sid:84710322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.54.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847220/; classtype:trojan-activity;sid:84710320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fa3e1607-0054-417a-810c-92c18b6adf97/google.ct"; depth:47; endswith; nocase; http.host; content:"kilowattssnualinoculation.courses"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847219/; classtype:trojan-activity;sid:84710319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.113.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847218/; classtype:trojan-activity;sid:84710318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.54.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847217/; classtype:trojan-activity;sid:84710317; rev:1;)
# NOTE(review): "|3f|" is the hex escape for "?", so the URI content below decodes
# to 44 bytes while depth is 47 (apparently counted on the escaped rule text).
# With endswith this also accepts a URI of up to 47 bytes that ends in the
# string; the Host match still pins the destination. depth:44 would restore the
# exact match used by the other rules -- worth raising with the feed maintainers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b08131e8-81fe-4987-b38f-7f93448d3ad9"; depth:47; endswith; nocase; http.host; content:"39tc4pze.stack-forge.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847216/; classtype:trojan-activity;sid:84710316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bfb3fa12-6cb4-4231-a84f-bf2b230424a0/google.ct"; depth:47; endswith; nocase; http.host; content:"containerizedworkflowengine.courses"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847215/; classtype:trojan-activity;sid:84710315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.3.142"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847214/; classtype:trojan-activity;sid:84710314; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.201.226.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847213/; classtype:trojan-activity;sid:84710313; rev:1;)
# URLhaus exact-URL signatures: HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# normalized URI (nocase) and Host equal the listed values in full. Direction is
# outbound only, so a listed host inside $HOME_NET or a request that bypasses the
# sensor (for example via TLS or an unmonitored egress path) produces no alert.
#
# Several hosts here are listed under both "/i" and "/bin.sh" (41.201.226.25,
# 182.123.193.223, 123.4.35.222), each path with its own sid. Grouping alerts by
# destination host rather than by sid keeps one infected client from looking like
# several unrelated events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4477be58-0733-4d52-b75e-689bed4eae93/google.ct"; depth:47; endswith; nocase; http.host; content:"serverlesscontrolplane.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847212/; classtype:trojan-activity;sid:84710312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.103.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847211/; classtype:trojan-activity;sid:84710311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.193.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847210/; classtype:trojan-activity;sid:84710310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"41.201.226.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847209/; classtype:trojan-activity;sid:84710309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6b6af1ba-fb94-4c7f-91a5-50b3df54adeb/google.ct"; depth:47; endswith; nocase; http.host; content:"observability-hub-system.courses"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847208/; classtype:trojan-activity;sid:84710308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.193.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847207/; classtype:trojan-activity;sid:84710307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.35.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847206/; classtype:trojan-activity;sid:84710306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.112.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847205/; classtype:trojan-activity;sid:84710305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.107.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847204/; classtype:trojan-activity;sid:84710304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.250.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847203/; classtype:trojan-activity;sid:84710303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.35.222"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847202/; classtype:trojan-activity;sid:84710302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.77.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847201/; classtype:trojan-activity;sid:84710301; rev:1;)
# Run of "/i" entries on bare IPv4 hosts: a two-byte URI matched exactly, so the
# listed Host is the only distinguishing element of each rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.35.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847200/; classtype:trojan-activity;sid:84710300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.127.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847199/; classtype:trojan-activity;sid:84710299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.196.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847198/; classtype:trojan-activity;sid:84710298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.60.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847197/; classtype:trojan-activity;sid:84710297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.6.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847196/; classtype:trojan-activity;sid:84710296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.90.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847195/; classtype:trojan-activity;sid:84710295; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.96.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847194/; classtype:trojan-activity;sid:84710294; rev:1;)
# URLhaus exact-URL signatures: each rule matches one listed URL, requiring an
# HTTP GET whose normalized URI (nocase) and Host equal the listed strings in
# full. All rules share classtype trojan-activity and rev:1; the number in msg and
# in the reference URL is the URLhaus entry to consult when triaging a hit.
# Cleartext HTTP only; requests to the same URL over TLS are not covered.
#
# NOTE(review): "|3f|" is the hex escape for "?", so the URI content below decodes
# to 44 bytes ("/?ublib=" plus a 36-character token) while depth is 47, apparently
# counted on the escaped rule text. With endswith this also accepts a URI of up to
# 47 bytes that ends in the string; the Host match still pins the destination.
# depth:44 would give the exact match -- raise it with the feed rather than
# editing locally, where a ruleset update would undo the change.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=d85b5929-9adf-44bd-b902-a65df8ae910e"; depth:47; endswith; nocase; http.host; content:"11udvmp9.polestennisplayer.digital"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847193/; classtype:trojan-activity;sid:84710293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.54.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847192/; classtype:trojan-activity;sid:84710292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.127.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847191/; classtype:trojan-activity;sid:84710291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.66.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847190/; classtype:trojan-activity;sid:84710290; rev:1;)
# UUID-shaped directory plus /google.cl on .courses hosts (this rule and two more
# below). Token and host name differ per entry, so each signature covers a single
# URL and will not alert on a sibling URL from the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd6dc4f6-5587-4f7e-a0f5-c64cc53bce63/google.cl"; depth:47; endswith; nocase; http.host; content:"distributed-storage-layer.courses"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847189/; classtype:trojan-activity;sid:84710289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.123.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847188/; classtype:trojan-activity;sid:84710288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.35.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847187/; classtype:trojan-activity;sid:84710287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.66.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847186/; classtype:trojan-activity;sid:84710286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.148.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847185/; classtype:trojan-activity;sid:84710285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/168b7f1a-7d08-44ab-a87d-04550606da15/google.cl"; depth:47; endswith; nocase; http.host; content:"packetlattice.courses"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847184/; classtype:trojan-activity;sid:84710284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.206.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847183/; classtype:trojan-activity;sid:84710283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8b534b3-fd84-4963-b207-093acf846a50/google.cl"; depth:47; endswith; nocase; http.host; content:"virtualgateway.courses"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847182/; classtype:trojan-activity;sid:84710282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.51.40"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847181/; classtype:trojan-activity;sid:84710281; rev:1;)
# "/i" on bare IPv4 hosts: a two-byte URI matched exactly; the Host content is the
# distinguishing element, so a changed address on the serving side ends coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.119.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847180/; classtype:trojan-activity;sid:84710280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.4.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847179/; classtype:trojan-activity;sid:84710279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.75.34"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847178/; classtype:trojan-activity;sid:84710278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.173.158.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847177/; classtype:trojan-activity;sid:84710277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.226.5"; depth:11; isdataat:!1,relative; metadata:created_at
2026_05_15; reference:url, urlhaus.abuse.ch/url/3847176/; classtype:trojan-activity;sid:84710276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.206.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847175/; classtype:trojan-activity;sid:84710275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847174/; classtype:trojan-activity;sid:84710274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.79.117"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847173/; classtype:trojan-activity;sid:84710273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f0de198d-9673-49a1-b937-51831832595f/google.cl"; depth:47; endswith; nocase; http.host; content:"distributed-event-processing-lab.courses"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847172/; classtype:trojan-activity;sid:84710272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847171)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847171/; classtype:trojan-activity;sid:84710271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.4.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847170/; classtype:trojan-activity;sid:84710270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847169/; classtype:trojan-activity;sid:84710269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.105.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847168/; classtype:trojan-activity;sid:84710268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ccc3178-5691-42aa-98da-da5f5873bc64/google.cl"; depth:47; endswith; nocase; http.host; content:"telemetry-stream-core.courses"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847167/; classtype:trojan-activity;sid:84710267; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b19b1646-6c25-4808-b039-beeb548c070b"; depth:47; endswith; nocase; http.host; content:"cggirdg7.neural-routing.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847166/; classtype:trojan-activity;sid:84710266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.105.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847165/; classtype:trojan-activity;sid:84710265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6d3418e9-6c4e-4abb-aaa2-d7e98e6a1bf7/google.cl"; depth:47; endswith; nocase; http.host; content:"cloud-sync.courses"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847164/; classtype:trojan-activity;sid:84710264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.234.9.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847163/; classtype:trojan-activity;sid:84710263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3ee5338-0320-4acd-8885-4825d1f483b3/google.cl"; depth:47; endswith; 
nocase; http.host; content:"edge-network-hub.courses"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847162/; classtype:trojan-activity;sid:84710262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dos.py"; depth:7; endswith; nocase; http.host; content:"107.182.128.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847161/; classtype:trojan-activity;sid:84710261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=273a526b-985a-4bfc-9ca2-f0cd19351757"; depth:47; endswith; nocase; http.host; content:"49h06cy9.pashtuns-study-rose-hip.digital"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847160/; classtype:trojan-activity;sid:84710260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.122.227.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847159/; classtype:trojan-activity;sid:84710259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c7004ae-5b57-4c34-b69f-b89ea7bedad7/google.cl"; depth:47; endswith; nocase; http.host; content:"stackforgeacademy.courses"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847158/; classtype:trojan-activity;sid:84710258; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.226.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847157/; classtype:trojan-activity;sid:84710257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.92.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847156/; classtype:trojan-activity;sid:84710256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.137.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847154/; classtype:trojan-activity;sid:84710254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.234.9.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847155/; classtype:trojan-activity;sid:84710255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.226.213.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, 
urlhaus.abuse.ch/url/3847152/; classtype:trojan-activity;sid:84710252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.236.172.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847153/; classtype:trojan-activity;sid:84710253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.63.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847151/; classtype:trojan-activity;sid:84710251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.71.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847150/; classtype:trojan-activity;sid:84710250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.29.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847149/; classtype:trojan-activity;sid:84710249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.114.171"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847143/; classtype:trojan-activity;sid:84710243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.37.3"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847144/; classtype:trojan-activity;sid:84710244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.206.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847145/; classtype:trojan-activity;sid:84710245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.93.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847146/; classtype:trojan-activity;sid:84710246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.177.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847147/; classtype:trojan-activity;sid:84710247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"182.127.177.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847148/; classtype:trojan-activity;sid:84710248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.35.176"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847140/; classtype:trojan-activity;sid:84710240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.6.219"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847141/; classtype:trojan-activity;sid:84710241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.208.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847142/; classtype:trojan-activity;sid:84710242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.1.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847139/; classtype:trojan-activity;sid:84710239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847134)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.235.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847134/; classtype:trojan-activity;sid:84710234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.214.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847135/; classtype:trojan-activity;sid:84710235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.171.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847136/; classtype:trojan-activity;sid:84710236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.157.125.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847137/; classtype:trojan-activity;sid:84710237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.44.144.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847138/; classtype:trojan-activity;sid:84710238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3847133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.235.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847133/; classtype:trojan-activity;sid:84710233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.214.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847126/; classtype:trojan-activity;sid:84710226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.137.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847127/; classtype:trojan-activity;sid:84710227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.102.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847128/; classtype:trojan-activity;sid:84710228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.162.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847129/; 
classtype:trojan-activity;sid:84710229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.245.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847130/; classtype:trojan-activity;sid:84710230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.196.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847131/; classtype:trojan-activity;sid:84710231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.171.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847132/; classtype:trojan-activity;sid:84710232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.35.176"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847120/; classtype:trojan-activity;sid:84710220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.114.171"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847121/; classtype:trojan-activity;sid:84710221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.225.169.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847122/; classtype:trojan-activity;sid:84710222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"138.204.196.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847123/; classtype:trojan-activity;sid:84710223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.95.246.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847124/; classtype:trojan-activity;sid:84710224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.1.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847125/; classtype:trojan-activity;sid:84710225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"61.52.222.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847118/; classtype:trojan-activity;sid:84710218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.88.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847119/; classtype:trojan-activity;sid:84710219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.251.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847117/; classtype:trojan-activity;sid:84710217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.31.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847116/; classtype:trojan-activity;sid:84710216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8629a111-b9c8-420b-bd13-72d741ebee2d/google.cl"; depth:47; endswith; nocase; http.host; content:"microservicecluster.courses"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847115/; classtype:trojan-activity;sid:84710215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3847114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847114/; classtype:trojan-activity;sid:84710214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.214.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847113/; classtype:trojan-activity;sid:84710213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.226.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847112/; classtype:trojan-activity;sid:84710212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.70.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847111/; classtype:trojan-activity;sid:84710211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b93e10cb-26ea-4f03-b3d3-4b859b3e02a1/google.cl"; depth:47; endswith; nocase; http.host; content:"neural-routing-fabric.courses"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847110/; 
classtype:trojan-activity;sid:84710210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.59.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847109/; classtype:trojan-activity;sid:84710209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.59.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847108/; classtype:trojan-activity;sid:84710208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.43.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847107/; classtype:trojan-activity;sid:84710207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e0d45b33-d679-49cb-bb09-cdb8deb90b47/google.cl"; depth:47; endswith; nocase; http.host; content:"packet-relay-engine.courses"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847106/; classtype:trojan-activity;sid:84710206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"115.54.124.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847105/; classtype:trojan-activity;sid:84710205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847104/; classtype:trojan-activity;sid:84710204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.226.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847102/; classtype:trojan-activity;sid:84710202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.43.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847103/; classtype:trojan-activity;sid:84710203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.169.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847101/; classtype:trojan-activity;sid:84710201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847100)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.238.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847100/; classtype:trojan-activity;sid:84710200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.254.100.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847099/; classtype:trojan-activity;sid:84710199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.241.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847098/; classtype:trojan-activity;sid:84710198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57611706-7796-4720-8fb9-e764e4602058/google.cl"; depth:47; endswith; nocase; http.host; content:"binarydock.courses"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847097/; classtype:trojan-activity;sid:84710197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847096/; classtype:trojan-activity;sid:84710196; rev:1;) alert http $HOME_NET any -> 
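$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.216.236.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847095/; classtype:trojan-activity;sid:84710195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3390e460-829b-4c4f-95c7-43f9f9f59637/google.cl"; depth:47; endswith; nocase; http.host; content:"cloudinfrastructure.courses"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847094/; classtype:trojan-activity;sid:84710194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.124.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847093/; classtype:trojan-activity;sid:84710193; rev:1;)
# Local tightening of the next rule (sid 84710192): the http.uri content is 44 bytes once |3f| is
# decoded to a single '?', so depth is 44 here. The feed value depth:47 is the length of the escaped
# text; combined with endswith it also accepts URIs with up to 3 extra leading bytes. With depth equal
# to the content length, depth + endswith is an exact whole-URI match, as in the other rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=c2e8afac-1006-4363-b636-a32c0909e885"; depth:44; endswith; nocase; http.host; content:"sgs68ivh.binary-dock.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847092/; classtype:trojan-activity;sid:84710192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.157.128"; 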
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847091/; classtype:trojan-activity;sid:84710191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7493752f-c8cf-481b-b9b5-84e796bb5032/google.cl"; depth:47; endswith; nocase; http.host; content:"puffingsiterreorganize.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847090/; classtype:trojan-activity;sid:84710190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.141.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847089/; classtype:trojan-activity;sid:84710189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.19.101"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847088/; classtype:trojan-activity;sid:84710188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/92785fc1-4d01-4e6b-beb7-260fc3da7c87/google.cl"; depth:47; endswith; nocase; http.host; content:"smuggler-beluga-notion.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847087/; classtype:trojan-activity;sid:84710187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3847086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.36.31"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847086/; classtype:trojan-activity;sid:84710186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.126.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847085/; classtype:trojan-activity;sid:84710185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.157.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847084/; classtype:trojan-activity;sid:84710184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.36.31"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847083/; classtype:trojan-activity;sid:84710183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.126.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847082/; classtype:trojan-activity;sid:84710182; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.119.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847081/; classtype:trojan-activity;sid:84710181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.240.236"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847080/; classtype:trojan-activity;sid:84710180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb62c38c-dfe1-4d59-97a6-70f864ecde84/google.cl"; depth:47; endswith; nocase; http.host; content:"inhalerotolaryngologist.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847079/; classtype:trojan-activity;sid:84710179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.157.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847078/; classtype:trojan-activity;sid:84710178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d78be1cb-a2b1-4ccb-9b61-8dcad87f9405/google.cl"; depth:47; endswith; nocase; http.host; 
content:"adulter-bassist.courses"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847077/; classtype:trojan-activity;sid:84710177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.127.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847076/; classtype:trojan-activity;sid:84710176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/08992efe-1d68-4486-8c19-fca8166fd914/google.cl"; depth:47; endswith; nocase; http.host; content:"leniniansexualbeginner.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847075/; classtype:trojan-activity;sid:84710175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.157.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847074/; classtype:trojan-activity;sid:84710174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.248.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847073/; classtype:trojan-activity;sid:84710173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
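detected (3847072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.103.233"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847072/; classtype:trojan-activity;sid:84710172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/229ed27e-e2c5-4a24-b6a8-cbe6361a90e3/google.cl"; depth:47; endswith; nocase; http.host; content:"federatedstoragelab.courses"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847071/; classtype:trojan-activity;sid:84710171; rev:1;)
# Local tightening of the next rule (sid 84710170): the http.uri content is 44 bytes once |3f| is
# decoded to a single '?', so depth is 44 here. The feed value depth:47 is the length of the escaped
# text; combined with endswith it also accepts URIs with up to 3 extra leading bytes. With depth equal
# to the content length, depth + endswith is an exact whole-URI match, as in the other rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=3b207d8a-b086-48db-9fc0-807a48d14e97"; depth:44; endswith; nocase; http.host; content:"5nan0z8w.sniffingviableoffice.digital"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847070/; classtype:trojan-activity;sid:84710170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.13.248.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847069/; classtype:trojan-activity;sid:84710169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.169.215"; depth:14; isdataat:!1,relative; 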
metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847068/; classtype:trojan-activity;sid:84710168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.127.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847067/; classtype:trojan-activity;sid:84710167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.235.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847066/; classtype:trojan-activity;sid:84710166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.138.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847065/; classtype:trojan-activity;sid:84710165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.15.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847064/; classtype:trojan-activity;sid:84710164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847063)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/d272ec44-3cb4-452d-9dd5-3dd48da53788/google.cl"; depth:47; endswith; nocase; http.host; content:"leniniansexualbeginner.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847063/; classtype:trojan-activity;sid:84710163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847061/; classtype:trojan-activity;sid:84710161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.90.70"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847062/; classtype:trojan-activity;sid:84710162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.243.140.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847059/; classtype:trojan-activity;sid:84710159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.85.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847060/; classtype:trojan-activity;sid:84710160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3847056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847056/; classtype:trojan-activity;sid:84710156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.121.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847057/; classtype:trojan-activity;sid:84710157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.123.207.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847058/; classtype:trojan-activity;sid:84710158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.61.48.88"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847055/; classtype:trojan-activity;sid:84710155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.240.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847053/; 
classtype:trojan-activity;sid:84710153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.161.160.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847054/; classtype:trojan-activity;sid:84710154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.71.131.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847052/; classtype:trojan-activity;sid:84710152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.206.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847051/; classtype:trojan-activity;sid:84710151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.143.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847048/; classtype:trojan-activity;sid:84710148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.121.239"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847049/; classtype:trojan-activity;sid:84710149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.123.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847050/; classtype:trojan-activity;sid:84710150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.81.98.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847047/; classtype:trojan-activity;sid:84710147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.204.196.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847042/; classtype:trojan-activity;sid:84710142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.238.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847043/; classtype:trojan-activity;sid:84710143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"182.85.68.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847044/; classtype:trojan-activity;sid:84710144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.18.150"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847045/; classtype:trojan-activity;sid:84710145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.102.130.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847046/; classtype:trojan-activity;sid:84710146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.73.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847041/; classtype:trojan-activity;sid:84710141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.245.39.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847038/; classtype:trojan-activity;sid:84710138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847039)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.235.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847039/; classtype:trojan-activity;sid:84710139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.123.207.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847040/; classtype:trojan-activity;sid:84710140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.73.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847034/; classtype:trojan-activity;sid:84710134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.61.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847035/; classtype:trojan-activity;sid:84710135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.216.153.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847036/; classtype:trojan-activity;sid:84710136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3847037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.127.235.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847037/; classtype:trojan-activity;sid:84710137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.123.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847033/; classtype:trojan-activity;sid:84710133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.81.98.79"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847032/; classtype:trojan-activity;sid:84710132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.127.235.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847030/; classtype:trojan-activity;sid:84710130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.83.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847031/; classtype:trojan-activity;sid:84710131; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847026/; classtype:trojan-activity;sid:84710126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847027/; classtype:trojan-activity;sid:84710127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.167"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847028/; classtype:trojan-activity;sid:84710128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.78.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847029/; classtype:trojan-activity;sid:84710129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.85.68.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, 
urlhaus.abuse.ch/url/3847021/; classtype:trojan-activity;sid:84710121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.143.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847022/; classtype:trojan-activity;sid:84710122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.18.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847023/; classtype:trojan-activity;sid:84710123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.85.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847024/; classtype:trojan-activity;sid:84710124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.216.153.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847025/; classtype:trojan-activity;sid:84710125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.249.61.9"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847020/; classtype:trojan-activity;sid:84710120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.150.97.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847018/; classtype:trojan-activity;sid:84710118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.150.97.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847019/; classtype:trojan-activity;sid:84710119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.202.146.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847017/; classtype:trojan-activity;sid:84710117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f0b7f4e9-593e-42d0-bf6d-12d827b48092/google.cl"; depth:47; endswith; nocase; http.host; content:"runtime-control-plane.courses"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847016/; classtype:trojan-activity;sid:84710116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847015)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.204.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847015/; classtype:trojan-activity;sid:84710115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.211.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_15; reference:url, urlhaus.abuse.ch/url/3847014/; classtype:trojan-activity;sid:84710114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37680f74-25b6-48fc-a6c5-3b57ea4bf690/google.cl"; depth:47; endswith; nocase; http.host; content:"gnashhusks.courses"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847013/; classtype:trojan-activity;sid:84710113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/14914ea2-0ce8-463b-8c5f-9ca3541041fc/google.cl"; depth:47; endswith; nocase; http.host; content:"gnashhusks.courses"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847012/; classtype:trojan-activity;sid:84710112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.6.64"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847011/; 
classtype:trojan-activity;sid:84710111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.72.109"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847010/; classtype:trojan-activity;sid:84710110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.202.146.79"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847009/; classtype:trojan-activity;sid:84710109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.204.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847008/; classtype:trojan-activity;sid:84710108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.211.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847007/; classtype:trojan-activity;sid:84710107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.86.178"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847006/; classtype:trojan-activity;sid:84710106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.78.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847005/; classtype:trojan-activity;sid:84710105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.201.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847004/; classtype:trojan-activity;sid:84710104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.239.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847003/; classtype:trojan-activity;sid:84710103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.72.109"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847002/; classtype:trojan-activity;sid:84710102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"112.225.169.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847001/; classtype:trojan-activity;sid:84710101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3847000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30e03c6a-3e6a-43f7-84ef-fa693c680c70/google.cl"; depth:47; endswith; nocase; http.host; content:"distributedcache.courses"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3847000/; classtype:trojan-activity;sid:84710100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.73.161.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846999/; classtype:trojan-activity;sid:84710099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.247.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846998/; classtype:trojan-activity;sid:84710098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.239.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846997/; classtype:trojan-activity;sid:84710097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3846996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.95.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846996/; classtype:trojan-activity;sid:84710096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.16.150.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846995/; classtype:trojan-activity;sid:84710095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/64d13237-e4d7-4848-bd9c-51b863213f81/google.cl"; depth:47; endswith; nocase; http.host; content:"kadush-sideburnsushan.courses"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846994/; classtype:trojan-activity;sid:84710094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.150.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846993/; classtype:trojan-activity;sid:84710093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.158.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846992/; 
classtype:trojan-activity;sid:84710092; rev:1;)
# Domain-hosted entry: the URI is a UUID-shaped directory followed by /google.cl (47 bytes,
# matching depth:47) and the Host must equal the listed *.courses name exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ce674904-0ade-43f2-ac12-b70da1b158e7/google.cl"; depth:47; endswith; nocase; http.host; content:"virtual-session-gateway.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846991/; classtype:trojan-activity;sid:84710091; rev:1;)
# NOTE(review): |3f| is a hex escape for one byte ("?"), so the URI pattern in the next rule is
# 44 bytes (1 + 1 + 6 + 36) while depth is 47, which looks like the length of the escaped text.
# endswith still forces the URI to end with the pattern, but up to 3 bytes may precede it, so
# this rule is slightly looser than the exact-length rules around it. depth:44 would make it an
# exact match; sid and rev belong to the feed, so raise it upstream rather than editing locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=bbaaa8e4-6e5b-43b4-949e-8b454c94d1dc"; depth:47; endswith; nocase; http.host; content:"krc5t7kn.ripples-shark.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846990/; classtype:trojan-activity;sid:84710090; rev:1;)
# IP-literal entries: the whole URI must be "/bin.sh" and the Host must equal the address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.150.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846989/; classtype:trojan-activity;sid:84710089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.222.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846988/; classtype:trojan-activity;sid:84710088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846987)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.189.30.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846987/; classtype:trojan-activity;sid:84710087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.50.65"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846986/; classtype:trojan-activity;sid:84710086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.233.129"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846985/; classtype:trojan-activity;sid:84710085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.137.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846984/; classtype:trojan-activity;sid:84710084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61667fce-e2cb-4c61-a389-5690f8e88f50/google.cl"; depth:47; endswith; nocase; http.host; content:"inherittruckdoge.courses"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846983/; classtype:trojan-activity;sid:84710083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3846982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.166.42.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846982/; classtype:trojan-activity;sid:84710082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.50.65"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846981/; classtype:trojan-activity;sid:84710081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846980/; classtype:trojan-activity;sid:84710080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.176.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846979/; classtype:trojan-activity;sid:84710079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7abbc2df-ef82-4065-93d0-6cad1a13b2d5/google.cl"; depth:47; endswith; nocase; http.host; content:"telemetrycore.courses"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, 
urlhaus.abuse.ch/url/3846978/; classtype:trojan-activity;sid:84710078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.137.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846977/; classtype:trojan-activity;sid:84710077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/etmzaya.arm7"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846971/; classtype:trojan-activity;sid:84710071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/oumekpv.mpsl"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846972/; classtype:trojan-activity;sid:84710072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/mhrhxwe.mips"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846973/; classtype:trojan-activity;sid:84710073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/jroecxg.x86_64"; depth:19; 
endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846974/; classtype:trojan-activity;sid:84710074; rev:1;)
# Every rule in this span names the same host (166.88.225.196) and the /vc7/ path. The file
# names differ in a random-looking stem and a suffix that reads as a CPU architecture
# (aarch64, i486, arm, ppc, i686, arm6, mips64, i586), plus one android.sh script.
# NOTE(review): presumably one multi-architecture campaign; when triaging, correlate alerts
# for this host across sids instead of handling each sid as an unrelated event.
# Each rule matches one exact URI, so coverage is limited to the file names listed here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/hjwouxy.aarch64"; depth:20; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846975/; classtype:trojan-activity;sid:84710075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/ivrpuco.i486"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846976/; classtype:trojan-activity;sid:84710076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/android.sh"; depth:15; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846966/; classtype:trojan-activity;sid:84710066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/yconpck.arm"; depth:16; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846967/; classtype:trojan-activity;sid:84710067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/rsglkfk.ppc"; depth:16; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846968/; classtype:trojan-activity;sid:84710068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/whickdx.i686"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846969/; classtype:trojan-activity;sid:84710069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/pjxxpbx.arm6"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846970/; classtype:trojan-activity;sid:84710070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/subvrpp.mips64"; depth:19; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846963/; classtype:trojan-activity;sid:84710063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/dxconeq.i586"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, 
urlhaus.abuse.ch/url/3846964/; classtype:trojan-activity;sid:84710064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vc7/tvyhsow.arm5"; depth:17; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846965/; classtype:trojan-activity;sid:84710065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.189.158.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846962/; classtype:trojan-activity;sid:84710062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.228.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846961/; classtype:trojan-activity;sid:84710061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.187.101.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846960/; classtype:trojan-activity;sid:84710060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eba67d3c-235f-42ce-9b81-680af0ece736/google.cl"; depth:47; 
endswith; nocase; http.host; content:"cartwell-pastphantom.courses"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846959/; classtype:trojan-activity;sid:84710059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846958/; classtype:trojan-activity;sid:84710058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.181.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846957/; classtype:trojan-activity;sid:84710057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.178.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846956/; classtype:trojan-activity;sid:84710056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.228.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846955/; classtype:trojan-activity;sid:84710055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846954)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.54.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846954/; classtype:trojan-activity;sid:84710054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.71.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846953/; classtype:trojan-activity;sid:84710053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.166.42.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846952/; classtype:trojan-activity;sid:84710052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06f10c6d-19bc-4317-ac57-dbf95e3fe3c9/google.cl"; depth:47; endswith; nocase; http.host; content:"edge-processing-network.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846951/; classtype:trojan-activity;sid:84710051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1c4c6f08-91e7-48f5-824d-95afbd4a4064/google.cl"; depth:47; endswith; nocase; http.host; content:"edge-processing-network.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; 
reference:url, urlhaus.abuse.ch/url/3846950/; classtype:trojan-activity;sid:84710050; rev:1;)
# IP-literal entries: the whole URI must equal the listed path and the Host must equal the address.
# NOTE(review): "/mozi.m" reads like a file name tied to a known IoT botnet; that is inferred
# from the name alone, so confirm the family on the reference page before labelling an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.203.88.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846949/; classtype:trojan-activity;sid:84710049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i/android.sh"; depth:13; endswith; nocase; http.host; content:"166.88.225.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846948/; classtype:trojan-activity;sid:84710048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.71.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846947/; classtype:trojan-activity;sid:84710047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.18.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846946/; classtype:trojan-activity;sid:84710046; rev:1;)
# Domain-hosted entries: a UUID-shaped directory followed by /google.cl (47 bytes, matching
# depth:47) on a *.courses host. The UUID is part of the exact match, so each sid covers one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ce857951-9f2c-42b8-8a25-428b16935851/google.cl"; depth:47; endswith; nocase; http.host; content:"edge-processing-network.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846945/; classtype:trojan-activity;sid:84710045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.37.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846944/; classtype:trojan-activity;sid:84710044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/848b17c1-37ea-4abf-a4ee-9c59c9a4f888/google.cl"; depth:47; endswith; nocase; http.host; content:"serverless-mesh-core.courses"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846943/; classtype:trojan-activity;sid:84710043; rev:1;)
# NOTE(review): |3f| is a hex escape for one byte ("?"), so the URI pattern in the next rule is
# 44 bytes (1 + 1 + 6 + 36) while depth is 47, which looks like the length of the escaped text.
# endswith still forces the URI to end with the pattern, but up to 3 bytes may precede it;
# depth:44 would make it an exact match like the other rules. Raise it with the feed maintainer
# rather than editing the rule locally, since sid and rev are assigned upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7336aa4b-663f-4b61-b139-4e946a7be996"; depth:47; endswith; nocase; http.host; content:"p4l3fctz.bitter-salty.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846942/; classtype:trojan-activity;sid:84710042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.18.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846941/; 
classtype:trojan-activity;sid:84710041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.112.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846940/; classtype:trojan-activity;sid:84710040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.37.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846939/; classtype:trojan-activity;sid:84710039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.243.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846938/; classtype:trojan-activity;sid:84710038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e9238b57-9112-46cd-a4ed-fa8a8cf04ec7/google.cl"; depth:47; endswith; nocase; http.host; content:"microservicehub.courses"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846937/; classtype:trojan-activity;sid:84710037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"162.221.222.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846936/; classtype:trojan-activity;sid:84710036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.131.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846935/; classtype:trojan-activity;sid:84710035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.163.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846934/; classtype:trojan-activity;sid:84710034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.163.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846933/; classtype:trojan-activity;sid:84710033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.101.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846932/; classtype:trojan-activity;sid:84710032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846931)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.243.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846931/; classtype:trojan-activity;sid:84710031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug/loader.sh"; depth:16; endswith; nocase; http.host; content:"193.233.113.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846929/; classtype:trojan-activity;sid:84710029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"193.233.113.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846930/; classtype:trojan-activity;sid:84710030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"193.233.113.85"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846928/; classtype:trojan-activity;sid:84710028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug/loader.sh"; depth:16; endswith; nocase; http.host; content:"83.217.209.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846927/; classtype:trojan-activity;sid:84710027; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.101.226"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846926/; classtype:trojan-activity;sid:84710026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.154.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846925/; classtype:trojan-activity;sid:84710025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.131.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846924/; classtype:trojan-activity;sid:84710024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f8dc7215-b51d-4762-b7cd-08a21b0bba3b/google.cl"; depth:47; endswith; nocase; http.host; content:"packet-routing-lab.courses"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846923/; classtype:trojan-activity;sid:84710023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.191.206"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_05_14; reference:url, urlhaus.abuse.ch/url/3846922/; classtype:trojan-activity;sid:84710022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.208.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846921/; classtype:trojan-activity;sid:84710021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.sh"; depth:5; endswith; nocase; http.host; content:"91.214.78.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846920/; classtype:trojan-activity;sid:84710020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/354b7637-d386-4074-8286-cbcc7ae1a08f/google.cl"; depth:47; endswith; nocase; http.host; content:"cloudruntime.courses"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846919/; classtype:trojan-activity;sid:84710019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot-amd64"; depth:15; endswith; nocase; http.host; content:"91.214.78.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846917/; classtype:trojan-activity;sid:84710017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846918)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/bot-arm7"; depth:14; endswith; nocase; http.host; content:"91.214.78.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846918/; classtype:trojan-activity;sid:84710018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot-mipsel"; depth:16; endswith; nocase; http.host; content:"91.214.78.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846916/; classtype:trojan-activity;sid:84710016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bot-mips"; depth:14; endswith; nocase; http.host; content:"91.214.78.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846915/; classtype:trojan-activity;sid:84710015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.81.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846914/; classtype:trojan-activity;sid:84710014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.154.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846913/; classtype:trojan-activity;sid:84710013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3846911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"83.217.209.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846911/; classtype:trojan-activity;sid:84710011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload.sh"; depth:11; endswith; nocase; http.host; content:"83.217.209.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846912/; classtype:trojan-activity;sid:84710012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846910/; classtype:trojan-activity;sid:84710010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.sh"; depth:5; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846906/; classtype:trojan-activity;sid:84710006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.sh"; depth:5; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846907/; classtype:trojan-activity;sid:84710007; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846908/; classtype:trojan-activity;sid:84710008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846909/; classtype:trojan-activity;sid:84710009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846905/; classtype:trojan-activity;sid:84710005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.arm"; depth:14; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846904/; classtype:trojan-activity;sid:84710004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/4"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_14; reference:url, urlhaus.abuse.ch/url/3846903/; classtype:trojan-activity;sid:84710003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.mpsl"; depth:15; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846902/; classtype:trojan-activity;sid:84710002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/9"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846901/; classtype:trojan-activity;sid:84710001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.arm5"; depth:15; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846899/; classtype:trojan-activity;sid:84709999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/6"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846900/; classtype:trojan-activity;sid:84710000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.arm7"; 
depth:15; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846884/; classtype:trojan-activity;sid:84709984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/10"; depth:8; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846885/; classtype:trojan-activity;sid:84709985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.arm6"; depth:15; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846886/; classtype:trojan-activity;sid:84709986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.sh4"; depth:14; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846887/; classtype:trojan-activity;sid:84709987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/1"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846888/; classtype:trojan-activity;sid:84709988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3846889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/3"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846889/; classtype:trojan-activity;sid:84709989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/2"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846890/; classtype:trojan-activity;sid:84709990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.x86"; depth:14; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846891/; classtype:trojan-activity;sid:84709991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/11"; depth:8; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846892/; classtype:trojan-activity;sid:84709992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/5"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846893/; classtype:trojan-activity;sid:84709993; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.ppc"; depth:14; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846894/; classtype:trojan-activity;sid:84709994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/8"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846895/; classtype:trojan-activity;sid:84709995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.mips"; depth:15; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846896/; classtype:trojan-activity;sid:84709996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/axis.x86_64"; depth:17; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846897/; classtype:trojan-activity;sid:84709997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/7"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_14; reference:url, urlhaus.abuse.ch/url/3846898/; classtype:trojan-activity;sid:84709998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.208.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846883/; classtype:trojan-activity;sid:84709983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0afb7780-04e8-40be-b342-45a8dd51c61e/google.cl"; depth:47; endswith; nocase; http.host; content:"coder-logic-vault.courses"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846882/; classtype:trojan-activity;sid:84709982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7e533182-9ac1-48de-8948-ec74b0f1aee9/google.cl"; depth:47; endswith; nocase; http.host; content:"coder-logic-vault.courses"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846881/; classtype:trojan-activity;sid:84709981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.81.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846880/; classtype:trojan-activity;sid:84709980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846879)"; 
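flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lol.sh"; depth:7; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846879/; classtype:trojan-activity;sid:84709979; rev:1;)
# Each rule below fires on an outbound cleartext HTTP GET whose URI buffer equals
# the http.uri pattern (depth:<pattern length> anchors the start, endswith anchors
# the end, nocase ignores case) and whose host buffer equals the http.host pattern
# (depth plus isdataat:!1,relative leaves no room before or after it).
# The match is exact: a different path or query on the same host does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.sh"; depth:5; endswith; nocase; http.host; content:"64.89.163.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846878/; classtype:trojan-activity;sid:84709978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f8c73b68-f542-4300-a89e-6d1778c42196/google.cl"; depth:47; endswith; nocase; http.host; content:"advanced-it-infrastructure.courses"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846877/; classtype:trojan-activity;sid:84709977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.56.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846876/; classtype:trojan-activity;sid:84709976; rev:1;)
# Local fix (sid 84709975): the URI pattern is 44 bytes long, because the escape
# |3f| is the single byte '?'. The published depth:47 counts the escape as four
# characters, so together with endswith the rule also accepted URIs carrying up to
# three extra leading bytes. depth:44 restores the whole-URI anchoring that every
# other rule here uses. sid and rev are left as published; this edit is lost on the
# next feed refresh unless the generator is corrected upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=64b46dad-5ad6-452a-bdcc-3ce3ad6767d6"; depth:44; endswith; nocase; http.host; content:"sd9arw2r.flos-strip.digital"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846875/; classtype:trojan-activity;sid:84709975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.56.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846874/; classtype:trojan-activity;sid:84709974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846873/; classtype:trojan-activity;sid:84709973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0281b943-135c-4e7e-a18f-3a0caed9eff6/google.cl"; depth:47; endswith; nocase; http.host; content:"enterprise-security-log.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846872/; classtype:trojan-activity;sid:84709972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1e815954-32e3-4c4c-8e1a-c1ee19b912e6/google.cl"; depth:47; endswith; nocase; http.host; content:"quickwebdevops.courses"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846871/; classtype:trojan-activity;sid:84709971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846870)"; flow:established,from_client;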
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.152.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846870/; classtype:trojan-activity;sid:84709970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.243.140.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846869/; classtype:trojan-activity;sid:84709969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.152.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846868/; classtype:trojan-activity;sid:84709968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3da71941-fb0e-4331-ab54-9a79c00560e4/google.cl"; depth:47; endswith; nocase; http.host; content:"system-analytics-pro-guide.courses"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846867/; classtype:trojan-activity;sid:84709967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.215.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846866/; classtype:trojan-activity;sid:84709966; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846865/; classtype:trojan-activity;sid:84709965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.177.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846864/; classtype:trojan-activity;sid:84709964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/851ed414-d2ca-4b11-a466-a9f58b025cc8/google.cl"; depth:47; endswith; nocase; http.host; content:"masteringdigital-arch.courses"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846863/; classtype:trojan-activity;sid:84709963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.44.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846862/; classtype:trojan-activity;sid:84709962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.97.62"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846861/; classtype:trojan-activity;sid:84709961; rev:1;)
# Host 125.43.225.65 is listed for "/i" here and for "/bin.sh" under sid 84709944.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.225.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846860/; classtype:trojan-activity;sid:84709960; rev:1;)
# Windows executable name at the web root; exact URI "/21.exe" on host 130.12.182.175.
# The rule inspects the request only, so confirm on the endpoint or in proxy logs whether
# a file was actually retrieved.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21.exe"; depth:7; endswith; nocase; http.host; content:"130.12.182.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846859/; classtype:trojan-activity;sid:84709959; rev:1;)
# UUID-style directory + "google.cl" on a .courses domain; exact match on this one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/990fc840-f430-480b-9516-90758238ecf2/google.cl"; depth:47; endswith; nocase; http.host; content:"logic-buffer-skills.courses"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846858/; classtype:trojan-activity;sid:84709958; rev:1;)
# Host 123.4.44.212 again, this time for "/bin.sh" (the "/i" entry is sid 84709962).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.44.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846857/; classtype:trojan-activity;sid:84709957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846856)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.183.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846856/; classtype:trojan-activity;sid:84709956; rev:1;)
# Host 182.126.183.211 is listed for "/bin.sh" here and for "/i" under sid 84709956.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.183.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846855/; classtype:trojan-activity;sid:84709955; rev:1;)
# The next three rules share host 81.29.156.127 and differ only in a root-level path named
# after an ARM variant (armv7l / armv6l / armv5l) - presumably one build per architecture;
# the feed does not say. More sids for the same host follow in this file. Each path is a
# separate exact match, so correlate alerts by destination host when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846854/; classtype:trojan-activity;sid:84709954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846852/; classtype:trojan-activity;sid:84709952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846853/; classtype:trojan-activity;sid:84709953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3846848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846848/; classtype:trojan-activity;sid:84709948; rev:1;)
# Host 81.29.156.127 continued: "/x86", "/mips", "/mipsel" (with "/i686" and "/ppc64" in
# the adjacent rules). Paths this short would be far too generic on their own; they are
# usable only because http.host is pinned to the exact IP in every rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846849/; classtype:trojan-activity;sid:84709949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846850/; classtype:trojan-activity;sid:84709950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846851/; classtype:trojan-activity;sid:84709951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846847/; classtype:trojan-activity;sid:84709947; 
rev:1;)
# Shell-script path "/run.sh" on host 81.29.156.127, the same host as the
# architecture-named paths listed under sids 84709947-84709954.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"81.29.156.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846846/; classtype:trojan-activity;sid:84709946; rev:1;)
# "/i" pinned to host 110.36.19.51.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.19.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846845/; classtype:trojan-activity;sid:84709945; rev:1;)
# Host 125.43.225.65 is listed for "/bin.sh" here and for "/i" under sid 84709960.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.225.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846844/; classtype:trojan-activity;sid:84709944; rev:1;)
# "/bin.sh" pinned to host 219.156.178.218.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.178.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846843/; classtype:trojan-activity;sid:84709943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.140.2.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, 
urlhaus.abuse.ch/url/3846842/; classtype:trojan-activity;sid:84709942; rev:1;)
# File name matches a ScreenConnect client installer. The rule is tied to host
# 130.12.181.111, so ScreenConnect downloads from other hosts do not alert; treat a hit as
# a remote-access tool fetched from a URLhaus-listed server and check whether the install
# was sanctioned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"130.12.181.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846841/; classtype:trojan-activity;sid:84709940; rev:1;)
# UUID-style directory + "google.cl" on a .courses domain; exact match on this one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/65efc533-b83e-453a-b077-40dc11bfc29b/google.cl"; depth:47; endswith; nocase; http.host; content:"expert-trading-academy.courses"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846840/; classtype:trojan-activity;sid:84709940; rev:1;)
# "/i" pinned to host 221.13.248.82.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.248.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846839/; classtype:trojan-activity;sid:84709939; rev:1;)
# |3f| is Suricata hex notation for the byte 0x3f ("?"), so the URI is "/?ublib=<uuid>":
# the match is on a query string at the web root.
# NOTE(review): decoded, the content is 44 bytes, but depth is 47 (the length of the
# escaped text). With endswith the URI must still end in this string, yet the match may
# start up to 3 bytes in, so this sid is slightly looser than the exact-match rules around
# it. The host pin keeps the practical impact small; the fix belongs in the feed generator
# rather than in a local edit that the next feed update would overwrite.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=623d7ceb-aece-49c0-b48d-af8448485a0a"; depth:47; endswith; nocase; http.host; content:"ws09ax4h.limous-nitout.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846838/; classtype:trojan-activity;sid:84709938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846837)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.242.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846837/; classtype:trojan-activity;sid:84709937; rev:1;)
# These are "alert http" rules: they apply only where Suricata's HTTP parser sees the
# request, i.e. cleartext HTTP. "/bin.sh" here is pinned to host 115.57.181.25.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.181.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846836/; classtype:trojan-activity;sid:84709936; rev:1;)
# "/i" pinned to host 42.237.56.4 (depth:11 is the length of that address string).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.56.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846835/; classtype:trojan-activity;sid:84709935; rev:1;)
# UUID-style directory + "google.cl" on a .courses domain; exact match on this one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/db517e21-2d05-4ee9-960d-670ce7fe4cbd/google.cl"; depth:47; endswith; nocase; http.host; content:"smartworkflowmanagement.courses"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846834/; classtype:trojan-activity;sid:84709934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.153.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846833/; 
classtype:trojan-activity;sid:84709933; rev:1;)
# Run of "/bin.sh" and "/i" entries on bare-IP hosts. Several of these hosts appear twice
# in the feed, once per path (116.140.2.94: also "/i" under sid 84709942; 123.9.242.177:
# also "/i" under sid 84709937), so group alerts by destination IP during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.249.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846832/; classtype:trojan-activity;sid:84709932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.140.2.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846831/; classtype:trojan-activity;sid:84709931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.242.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846830/; classtype:trojan-activity;sid:84709930; rev:1;)
# "/i" pinned to host 140.237.44.205.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.44.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846829/; classtype:trojan-activity;sid:84709929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.119.138"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846828/; classtype:trojan-activity;sid:84709928; rev:1;)
# Host 123.5.174.131 is listed for "/i" here and for "/bin.sh" under sid 84709924.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.174.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846827/; classtype:trojan-activity;sid:84709927; rev:1;)
# pro-cyber-defense.courses is listed twice with different UUID directories (this sid and
# 84709923). Because the UUID is part of the exact URI match, a further URL on the same
# domain would need its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/655a1817-12cf-47d9-ae92-6a7092e43547/google.cl"; depth:47; endswith; nocase; http.host; content:"pro-cyber-defense.courses"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846826/; classtype:trojan-activity;sid:84709926; rev:1;)
# "/bin.sh" pinned to host 182.121.109.8.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.109.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846825/; classtype:trojan-activity;sid:84709925; rev:1;)
# Host 123.5.174.131 again, for "/bin.sh" (the "/i" entry is sid 84709927).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.174.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846824/; classtype:trojan-activity;sid:84709924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846823)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/b6b778a2-9a7b-4b46-84c1-822dfdda5a21/google.cl"; depth:47; endswith; nocase; http.host; content:"pro-cyber-defense.courses"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846823/; classtype:trojan-activity;sid:84709923; rev:1;)
# Same "<uuid>/google.cl" URI shape, here on a .wiki domain instead of .courses. Exact
# match on this one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b7f892e0-e5c3-4e36-9aa6-26e0daecc724/google.cl"; depth:47; endswith; nocase; http.host; content:"obese-table-usweb-play.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846822/; classtype:trojan-activity;sid:84709922; rev:1;)
# "/i" on two bare-IP hosts; the host pin is what gives these two-byte paths any value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.170.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846821/; classtype:trojan-activity;sid:84709921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.101.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846820/; classtype:trojan-activity;sid:84709920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.153.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846819/; 
classtype:trojan-activity;sid:84709919; rev:1;)
# Host 112.239.97.62 is listed for "/i" here and for "/bin.sh" under sid 84709961.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.239.97.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846818/; classtype:trojan-activity;sid:84709918; rev:1;)
# "<uuid>/google.cl" on a .wiki domain; exact match on this one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/62622778-096e-4c6b-abd0-0fc14d34237c/google.cl"; depth:47; endswith; nocase; http.host; content:"layer-obs-usget-tron.wiki"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846817/; classtype:trojan-activity;sid:84709917; rev:1;)
# Host 112.242.22.75 is listed for "/i" here and for "/bin.sh" under sid 84709913.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.22.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846816/; classtype:trojan-activity;sid:84709916; rev:1;)
# "/bin.sh" pinned to host 42.239.153.29.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.153.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846815/; classtype:trojan-activity;sid:84709915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a99f888b-41bd-4e51-bcc0-653742cd92a8/google.cl"; depth:47; 
endswith; nocase; http.host; content:"layer-get-win-tron.wiki"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846814/; classtype:trojan-activity;sid:84709914; rev:1;)
# Host 112.242.22.75 again, for "/bin.sh" (the "/i" entry is sid 84709916).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.22.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846813/; classtype:trojan-activity;sid:84709912; rev:1;)
# Host 176.65.139.155: four sids share one long directory and file stem and differ only in
# the suffix (.arc / .i686 / .i468 / .x86_64). Each full URI is matched exactly, so a new
# suffix on the same host would need its own sid; correlate alerts by destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.arc"; depth:86; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846809/; classtype:trojan-activity;sid:84709909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.i686"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846810/; classtype:trojan-activity;sid:84709910; rev:1;)
# NOTE(review): the ".i468" suffix is as published by the feed (it may be a misspelling of
# i486 on the serving side). Keep it as-is: the rule has to match the URL as requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.i468"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846811/; classtype:trojan-activity;sid:84709911; rev:1;)
# Last of the four suffix variants on host 176.65.139.155 (see sids 84709909-84709911).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.x86_64"; depth:89; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846812/; classtype:trojan-activity;sid:84709912; rev:1;)
# Windows payload paths: an .exe under /files/<number>/ and a .cmd script under
# /files-<number>/files/. Both are exact URI matches on their respective hosts; the rule
# sees the request only, so confirm delivery from endpoint or proxy evidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/yq62c9s.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846807/; classtype:trojan-activity;sid:84709907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_84d3c218647e61fe.cmd"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846808/; classtype:trojan-activity;sid:84709908; rev:1;)
# "/i" pinned to host 222.139.36.21.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.36.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846806/; classtype:trojan-activity;sid:84709906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3846805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=874c5982-4444-41b9-9b08-cb7c70ce24cb"; depth:47; endswith; nocase; http.host; content:"ywh94lky.champag-mannered.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846805/; classtype:trojan-activity;sid:84709905; rev:1;)
# NOTE(review) on sid 84709905, directly above: |3f| is hex notation for "?" (0x3f), so the
# decoded content is 44 bytes while depth is 47 (the length of the escaped text). With
# endswith the URI must still end in this string, but the match may start up to 3 bytes in,
# so that sid is slightly looser than the exact-match rules around it. sid 84709938 has the
# same shape. The fix belongs in the feed generator, not in a local edit.
# "<uuid>/google.cl" on a .wiki domain; exact match on this one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeb4036d-536c-40b9-b8ab-9f8a2ef9cec5/google.cl"; depth:47; endswith; nocase; http.host; content:"card-oracle-mac-laptop.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846804/; classtype:trojan-activity;sid:84709904; rev:1;)
# "/i" pinned to host 27.207.241.68.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.241.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846803/; classtype:trojan-activity;sid:84709903; rev:1;)
# "<uuid>/google.cl" on another .wiki domain; exact match on this one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15ce3a08-7c9c-4292-b549-6f4bc27fb873/google.cl"; depth:47; endswith; nocase; http.host; content:"handout-voivo-desk-ship-link.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846802/; classtype:trojan-activity;sid:84709902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846801)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/7ba6e339-50bb-4db5-b1f8-2bc8118b7b23/google.cl"; depth:47; endswith; nocase; http.host; content:"master-voivo-system-shop-slink.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846801/; classtype:trojan-activity;sid:84709901; rev:1;)
# Windows executable under /files/admin/ on host 41.216.188.223; exact URI match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/admin/clipclap.exe"; depth:25; endswith; nocase; http.host; content:"41.216.188.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846800/; classtype:trojan-activity;sid:84709900; rev:1;)
# "/i" pinned to host 108.170.136.155.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.170.136.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846799/; classtype:trojan-activity;sid:84709899; rev:1;)
# Host 94.156.152.234: a series of "/bot.<suffix>" paths (arc, m68k here; sh4, aarch64,
# mipsr, powerpc under sids 84709892-84709897), one sid per suffix. The suffixes read as
# CPU architecture names; each URI is an exact match, so correlate by destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arc"; depth:8; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846795/; classtype:trojan-activity;sid:84709895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846796/; classtype:trojan-activity;sid:84709896; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846797/; classtype:trojan-activity;sid:84709897; rev:1;)
# "/i" pinned to host 110.167.74.66.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.167.74.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846798/; classtype:trojan-activity;sid:84709898; rev:1;)
# Host 176.65.139.161 serves "/iran.<suffix>" paths: armv5l here, x86_64 under sid 84709890.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846791/; classtype:trojan-activity;sid:84709891; rev:1;)
# Host 94.156.152.234 "/bot.<suffix>" series continued (see also sids 84709893-84709897).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846792/; classtype:trojan-activity;sid:84709892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsr"; depth:10; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; 
reference:url, urlhaus.abuse.ch/url/3846793/; classtype:trojan-activity;sid:84709893; rev:1;)
# Last "/bot.<suffix>" entry for host 94.156.152.234 in this stretch of the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846794/; classtype:trojan-activity;sid:84709894; rev:1;)
# Host 176.65.139.161 again: "/iran.x86_64" (the armv5l entry is sid 84709891).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846790/; classtype:trojan-activity;sid:84709890; rev:1;)
# "/bin.sh" pinned to host 110.37.53.25.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846789/; classtype:trojan-activity;sid:84709889; rev:1;)
# Windows executable "/files/big.exe" on host 83.217.208.211; exact URI match. The only age
# signal in the rule is metadata:created_at, so check the referenced URLhaus entry for
# the URL's current status before acting on an old hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/big.exe"; depth:14; endswith; nocase; http.host; content:"83.217.208.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846788/; classtype:trojan-activity;sid:84709888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846787)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/6717bd2a-2cb6-4d1c-94fa-369d8db4a3e9/google.cl"; depth:47; endswith; nocase; http.host; content:"master-core-system-date-slink.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846787/; classtype:trojan-activity;sid:84709887; rev:1;)
# "/i" pinned to host 219.71.131.225.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.71.131.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846786/; classtype:trojan-activity;sid:84709886; rev:1;)
# Host 77.90.51.233: "/bins/w4rr7.<suffix>" series (arm7, mips, arm4 here; x86 and arm under
# sids 84709881-84709882), one sid per suffix. Each URI is matched exactly, so a suffix not
# listed in the feed would not alert; correlate by destination IP when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w4rr7.arm7"; depth:16; endswith; nocase; http.host; content:"77.90.51.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846785/; classtype:trojan-activity;sid:84709885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w4rr7.mips"; depth:16; endswith; nocase; http.host; content:"77.90.51.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846784/; classtype:trojan-activity;sid:84709884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w4rr7.arm4"; depth:16; endswith; nocase; http.host; content:"77.90.51.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846783/; classtype:trojan-activity;sid:84709883; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w4rr7.x86"; depth:15; endswith; nocase; http.host; content:"77.90.51.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846781/; classtype:trojan-activity;sid:84709881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w4rr7.arm"; depth:15; endswith; nocase; http.host; content:"77.90.51.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846782/; classtype:trojan-activity;sid:84709882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.122.8.255"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846780/; classtype:trojan-activity;sid:84709880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.150.34.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846779/; classtype:trojan-activity;sid:84709879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.150.34.232"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846778/; classtype:trojan-activity;sid:84709878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"83.217.208.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846777/; classtype:trojan-activity;sid:84709877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"77.91.96.50"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846773/; classtype:trojan-activity;sid:84709873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"193.233.113.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846774/; classtype:trojan-activity;sid:84709874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"77.91.96.50"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846775/; classtype:trojan-activity;sid:84709875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846776)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.233.113.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846776/; classtype:trojan-activity;sid:84709876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"83.217.208.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846772/; classtype:trojan-activity;sid:84709872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.32.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846771/; classtype:trojan-activity;sid:84709871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.15.90.202"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846770/; classtype:trojan-activity;sid:84709870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.9.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846769/; classtype:trojan-activity;sid:84709869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3846768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27/goodtimetowintheworld.hta"; depth:29; endswith; nocase; http.host; content:"144.172.99.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846768/; classtype:trojan-activity;sid:84709868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rau.ps1"; depth:8; endswith; nocase; http.host; content:"zinixpro.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846767/; classtype:trojan-activity;sid:84709867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leaks/a"; depth:8; endswith; nocase; http.host; content:"zinixpro.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846766/; classtype:trojan-activity;sid:84709866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scheldt"; depth:8; endswith; nocase; http.host; content:"193.143.1.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846765/; classtype:trojan-activity;sid:84709865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.1.246.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, 
urlhaus.abuse.ch/url/3846764/; classtype:trojan-activity;sid:84709864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.92.1.66"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846763/; classtype:trojan-activity;sid:84709863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"84.54.33.73"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846762/; classtype:trojan-activity;sid:84709862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"84.54.33.73"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846760/; classtype:trojan-activity;sid:84709860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.92.1.66"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846761/; classtype:trojan-activity;sid:84709861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846759)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tasksvc.vbs"; depth:12; endswith; nocase; http.host; content:"84.54.33.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846759/; classtype:trojan-activity;sid:84709859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.207.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846758/; classtype:trojan-activity;sid:84709858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d91de5e8-c661-4616-a6de-111fcc155b11/google.ct"; depth:47; endswith; nocase; http.host; content:"stack-core-node-date-hash.wiki"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846757/; classtype:trojan-activity;sid:84709857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system.vbs"; depth:11; endswith; nocase; http.host; content:"84.54.33.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846756/; classtype:trojan-activity;sid:84709856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.smart/premium.mp4"; depth:19; endswith; nocase; http.host; content:"eventsyouwant.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846755/; classtype:trojan-activity;sid:84709855; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846754/; classtype:trojan-activity;sid:84709854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mueiel09765.exe"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846753/; classtype:trojan-activity;sid:84709853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live-013-0512.exe"; depth:18; endswith; nocase; http.host; content:"144.208.127.191"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846752/; classtype:trojan-activity;sid:84709852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v5pfpu6s/digitalprintfilfaster.msi"; depth:35; endswith; nocase; http.host; content:"85.239.144.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846749/; classtype:trojan-activity;sid:84709849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8635093259/axjwj5z.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846750/; classtype:trojan-activity;sid:84709850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8635093259/uatadgy.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846751/; classtype:trojan-activity;sid:84709851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_211940.png"; depth:15; endswith; nocase; http.host; content:"49.13.77.253"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846748/; classtype:trojan-activity;sid:84709848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_000636.png"; depth:15; endswith; nocase; http.host; content:"nbf101.great-site.net"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846747/; classtype:trojan-activity;sid:84709847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_211940.png"; depth:15; endswith; nocase; http.host; content:"updatedserver.shop"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846745/; classtype:trojan-activity;sid:84709845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846746)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_094607.png"; depth:15; endswith; nocase; http.host; content:"domsemblevideo.42web.io"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846746/; classtype:trojan-activity;sid:84709846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wner/img_054845.png"; depth:20; endswith; nocase; http.host; content:"apparelgate.co.uk"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846741/; classtype:trojan-activity;sid:84709841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"144.172.117.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846742/; classtype:trojan-activity;sid:84709842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_011948.png"; depth:15; endswith; nocase; http.host; content:"crypterrr.42web.io"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846743/; classtype:trojan-activity;sid:84709843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_131417.png"; depth:15; endswith; nocase; http.host; content:"domsemblevideo.42web.io"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846744/; 
classtype:trojan-activity;sid:84709844; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from $HOME_NET
# whose URI ends with the listed http.uri content and whose http.host buffer ends
# right after the listed host (isdataat:!1,relative), i.e. one rule per URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_232639.png"; depth:15; endswith; nocase; http.host; content:"kukere.42web.io"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846740/; classtype:trojan-activity;sid:84709840; rev:1;)
# NOTE(review): |3f| is the hex escape for "?", so this http.uri content includes the
# query string. The decoded content is 37 bytes, but depth is 40, which is the length
# of the escaped text. With endswith the match must still end at the end of the URI,
# but up to 3 extra leading bytes are tolerated; rules without hex escapes set depth
# to the exact content length. The host content is the ASCII (xn--) encoding of an
# internationalised name. The query value looks request-specific; if it is, this rule
# matches only the one recorded URL. TODO confirm against the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rulonnoe/|3f|ysclid=mp5a14eekd139909245"; depth:40; endswith; nocase; http.host; content:"xn--80akpgkmjf.xn--p1ai"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846739/; classtype:trojan-activity;sid:84709839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_133323.png"; depth:15; endswith; nocase; http.host; content:"updatedserverrr.io"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846738/; classtype:trojan-activity;sid:84709838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_105924.png"; depth:15; endswith; nocase; http.host; content:"digobkp.store"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846736/; classtype:trojan-activity;sid:84709836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846737)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files-129312398/files/file_227383c3dbb38c3e.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846737/; classtype:trojan-activity;sid:84709837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_115437.png"; depth:15; endswith; nocase; http.host; content:"emaisboletos.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846734/; classtype:trojan-activity;sid:84709834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_020716.png"; depth:15; endswith; nocase; http.host; content:"updatedserver.shop"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846735/; classtype:trojan-activity;sid:84709835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_234900.png"; depth:15; endswith; nocase; http.host; content:"vidacaninapet.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846733/; classtype:trojan-activity;sid:84709833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/zedd.txt"; depth:17; endswith; nocase; http.host; content:"myzedd.site"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846730/; classtype:trojan-activity;sid:84709830; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/631858"; depth:9; endswith; nocase; http.host; content:"download-api-endpoint.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846731/; classtype:trojan-activity;sid:84709831; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from $HOME_NET
# whose URI (depth + endswith) and Host (depth + isdataat:!1,relative) equal the
# values of one URLhaus entry; the number in msg is the URLhaus entry id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_070903.png"; depth:15; endswith; nocase; http.host; content:"grantexx.gr"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846732/; classtype:trojan-activity;sid:84709832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bql6ni355agdginanj"; depth:19; endswith; nocase; http.host; content:"85.239.144.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846729/; classtype:trojan-activity;sid:84709829; rev:1;)
# NOTE(review): the next two rules (URLhaus 3846723 and 3846724) carry identical
# match conditions: the same http.uri content "/msi_095637.png" and the same
# http.host content "digobkp.store". One matching request therefore raises two
# alerts that differ only in msg, reference and sid. The two URLhaus entries
# presumably differ in a part of the URL these rules do not express (for example
# the scheme); TODO confirm. If alert volume matters, disable or suppress one of
# the two sids locally rather than editing the feed file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_095637.png"; depth:15; endswith; nocase; http.host; content:"digobkp.store"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846723/; classtype:trojan-activity;sid:84709823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_095637.png"; depth:15; endswith; nocase; http.host; content:"digobkp.store"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846724/; classtype:trojan-activity;sid:84709824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_114748.png"; depth:15; endswith; nocase; http.host; content:"proemails.shop"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846725/; classtype:trojan-activity;sid:84709825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_100912.png"; depth:15; endswith; nocase; http.host; content:"falacerta.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846726/; classtype:trojan-activity;sid:84709826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_103920.png"; depth:15; endswith; nocase; http.host; content:"digobkp.store"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846727/; classtype:trojan-activity;sid:84709827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v5pfpu6s/setup_s3.exe"; depth:22; endswith; nocase; http.host; content:"85.239.144.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846728/; classtype:trojan-activity;sid:84709828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846721)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/files-129312398/files/file_61993a7ebdf7fa70.cmd"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846721/; classtype:trojan-activity;sid:84709821; rev:1;)
# Each rule below alerts on an established client-to-server HTTP GET from $HOME_NET
# whose URI (depth + endswith) and Host (depth + isdataat:!1,relative) equal the
# values of one URLhaus entry; the number in msg is the URLhaus entry id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_f8a7e57f50a6ddef.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846722/; classtype:trojan-activity;sid:84709822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.13.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846720/; classtype:trojan-activity;sid:84709820; rev:1;)
# NOTE(review): in the http.uri content of the next rule, |3f| is "?", but each
# |7c|26|7c| decodes to the four literal bytes "|26|", not to "&". This looks like
# a double-escaped "&" produced when the rule was generated (TODO confirm against
# the URLhaus entry). If the recorded URL separates its ex=/is=/hm= parameters with
# "&", this content cannot match it and sid 84709819 never fires. depth:186 is the
# length of the escaped text, not of the decoded bytes, which points the same way.
# Worth reporting to the feed maintainer rather than patching locally, since the
# file is regenerated.
# Separately, the host is a shared file-delivery host and "alert http" only
# inspects requests Suricata can parse as cleartext HTTP, so a fetch of this URL
# over TLS is not covered by this rule unless the traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1445797339582431235/1504170058425827498/system.exe|3f|ex=6a060308|7c|26|7c|is=6a04b188|7c|26|7c|hm=beaf5165c4f5934419ba254189d5a16341177a0e672bca5e2e58b04679848f26|7c|26|7c|"; depth:186; endswith; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846719/; classtype:trojan-activity;sid:84709819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"42.239.153.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846718/; classtype:trojan-activity;sid:84709818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_c0d2eb6a8b73120b.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846716/; classtype:trojan-activity;sid:84709816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/19342100/bc2a21b704ec228b6074/cherry626.exe"; depth:53; endswith; nocase; http.host; content:"www.upload.ee"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846717/; classtype:trojan-activity;sid:84709817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_84ed2bb0805178f4.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846714/; classtype:trojan-activity;sid:84709814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_e54e8523b405bfd9.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846715/; 
classtype:trojan-activity;sid:84709815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0a7a9a3a-db16-466d-a0d6-989d44c68b21"; depth:47; endswith; nocase; http.host; content:"4oob20cq.sue-intentioned.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846713/; classtype:trojan-activity;sid:84709813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.153.34.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846712/; classtype:trojan-activity;sid:84709812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.223.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846711/; classtype:trojan-activity;sid:84709811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/admin/blueline.exe"; depth:25; endswith; nocase; http.host; content:"5.230.201.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846710/; classtype:trojan-activity;sid:84709810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; 
nocase; http.host; content:"192.109.200.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846709/; classtype:trojan-activity;sid:84709809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"192.109.200.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846707/; classtype:trojan-activity;sid:84709807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"192.109.200.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846708/; classtype:trojan-activity;sid:84709808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5626872516/kwvnwwy.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846705/; classtype:trojan-activity;sid:84709805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_85d2c85927c9d169.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846706/; classtype:trojan-activity;sid:84709806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3846702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/lel/random.exe"; depth:21; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846702/; classtype:trojan-activity;sid:84709802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_f62e597c9e278a4b.exe"; depth:32; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846703/; classtype:trojan-activity;sid:84709803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files-129312398/files/file_28c231b33781e48d.exe"; depth:48; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846704/; classtype:trojan-activity;sid:84709804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.196.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846701/; classtype:trojan-activity;sid:84709801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.196.243"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846700/; classtype:trojan-activity;sid:84709800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.171.177.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846699/; classtype:trojan-activity;sid:84709799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5e188ee-d234-49ed-bbd1-24d08d4c7196/google.ct"; depth:47; endswith; nocase; http.host; content:"global-infra-node-date-hash.wiki"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846698/; classtype:trojan-activity;sid:84709798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.216.14.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846697/; classtype:trojan-activity;sid:84709797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846696/; classtype:trojan-activity;sid:84709796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846695)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.207.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846695/; classtype:trojan-activity;sid:84709795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.191.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846694/; classtype:trojan-activity;sid:84709794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; endswith; nocase; http.host; content:"185.102.115.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846693/; classtype:trojan-activity;sid:84709793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"185.102.115.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846692/; classtype:trojan-activity;sid:84709792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"185.102.115.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846691/; classtype:trojan-activity;sid:84709791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3846690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.236.252.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846690/; classtype:trojan-activity;sid:84709790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.236.252.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846689/; classtype:trojan-activity;sid:84709789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.84.228"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846688/; classtype:trojan-activity;sid:84709788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/260da37e-0551-4ada-a28e-d8fc8369003f/google.ct"; depth:47; endswith; nocase; http.host; content:"global-infra-logic-get-hash.wiki"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846687/; classtype:trojan-activity;sid:84709787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scsi_tmf_0"; depth:16; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846683/; classtype:trojan-activity;sid:84709783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846684/; classtype:trojan-activity;sid:84709784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polld"; depth:16; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846685/; classtype:trojan-activity;sid:84709785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xfsaild_sda"; depth:17; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846686/; classtype:trojan-activity;sid:84709786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846676/; classtype:trojan-activity;sid:84709776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846677)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846677/; classtype:trojan-activity;sid:84709777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846678/; classtype:trojan-activity;sid:84709778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846679/; classtype:trojan-activity;sid:84709779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846680/; classtype:trojan-activity;sid:84709780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846681/; classtype:trojan-activity;sid:84709781; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846682/; classtype:trojan-activity;sid:84709782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846674/; classtype:trojan-activity;sid:84709774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846675/; classtype:trojan-activity;sid:84709775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846673/; classtype:trojan-activity;sid:84709773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"150.40.126.53"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846672/; classtype:trojan-activity;sid:84709772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.92.1.213"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846671/; classtype:trojan-activity;sid:84709771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846670/; classtype:trojan-activity;sid:84709770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsr"; depth:10; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846667/; classtype:trojan-activity;sid:84709767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; depth:11; endswith; nocase; http.host; content:"176.65.139.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846668/; classtype:trojan-activity;sid:84709768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846669)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846669/; classtype:trojan-activity;sid:84709769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846666/; classtype:trojan-activity;sid:84709766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846665/; classtype:trojan-activity;sid:84709765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.216.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846664/; classtype:trojan-activity;sid:84709764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.ppc"; depth:86; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846652/; classtype:trojan-activity;sid:84709752; rev:1;) 
# Reviewer notes for the rules in this span (all carry metadata created_at 2026_05_14):
# - Each rule is an exact-URL indicator. On http.uri, depth equals the content length and
#   endswith is set, so the whole URI buffer must equal the listed path (nocase makes the
#   comparison case-insensitive). On http.host, depth plus isdataat:!1,relative requires the
#   whole host value to equal the listed host. The same host with a different path, or with
#   a query string appended, does not match.
# - The action is alert, scoped to $HOME_NET -> $EXTERNAL_NET with flow:established,from_client.
#   A hit reports that an internal client sent the request. It neither blocks the request nor
#   shows that the payload was delivered or run; confirm with response, file and endpoint data.
# - These are `alert http` rules, so they only see traffic Suricata parses as HTTP. The same
#   URL fetched over TLS is not covered by them.
# - Most hosts are bare IP addresses, which can be cleaned up or reassigned. Check the
#   per-rule reference URL for current status before acting on an old hit.

# Host 176.65.139.155: one long fixed directory path with payload names that differ only in
# suffix (.sh4, .arm5, .arm6, .arm7, .mips, .x86, .spc, .mpsl, .m68k, .arm), plus /1.sh.
# NOTE(review): the suffixes read like per-architecture builds of one payload - confirm on URLhaus.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.sh4"; depth:86; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846653/; classtype:trojan-activity;sid:84709753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846654/; classtype:trojan-activity;sid:84709754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.arm5"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846655/; classtype:trojan-activity;sid:84709755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.arm6"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846656/; classtype:trojan-activity;sid:84709756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.arm7"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846657/; classtype:trojan-activity;sid:84709757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.mips"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846658/; classtype:trojan-activity;sid:84709758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.x86"; depth:86; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846659/; classtype:trojan-activity;sid:84709759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.spc"; depth:86; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846660/; classtype:trojan-activity;sid:84709760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.mpsl"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846661/; classtype:trojan-activity;sid:84709761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.m68k"; depth:87; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846662/; classtype:trojan-activity;sid:84709762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/001010101010010110101011101010101101010111010101/nwfaiehg4ewijfgriehgirehaughrarg.arm"; depth:86; endswith; nocase; http.host; content:"176.65.139.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846663/; classtype:trojan-activity;sid:84709763; rev:1;)

# Mixed single-URL indicators. The host here is a domain name rather than an IP address, and
# the path is a UUID-shaped directory followed by google.ct.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ecb2c516-4dc5-407e-a9fb-45e197c7aee6/google.ct"; depth:47; endswith; nocase; http.host; content:"hypervisor-resource-grid.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846651/; classtype:trojan-activity;sid:84709751; rev:1;)

# /bin/support.client.exe and /bin/screenconnect.clientsetup.exe on several hosts.
# NOTE(review): the file names resemble remote-support client installers. The rules fire only
# for the listed hosts, so triage should establish whether that tool is sanctioned on the
# client and which server it was configured to reach - verify against the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.154.98.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846648/; classtype:trojan-activity;sid:84709748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.154.98.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846649/; classtype:trojan-activity;sid:84709749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"185.241.208.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846650/; classtype:trojan-activity;sid:84709750; rev:1;)
# Very short paths (/bin.sh, /i) recur across many hosts in this feed; the exact host match is
# what keeps these rules specific, so do not loosen the http.host part when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.36.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846647/; classtype:trojan-activity;sid:84709747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"124.198.131.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846646/; classtype:trojan-activity;sid:84709746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.131.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846645/; classtype:trojan-activity;sid:84709745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846644/; classtype:trojan-activity;sid:84709744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.33.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846642/; classtype:trojan-activity;sid:84709742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.95.246.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846643/; classtype:trojan-activity;sid:84709743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.216.14.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846641/; classtype:trojan-activity;sid:84709741; rev:1;)

# Host 176.65.139.161: payload names of the form /iran.<suffix> (powerpc, m68k, mipsrouter,
# armv6l, i486, armv7l, sh4, arc, mips). Several hits for this host from one client in a short
# window are worth correlating as a single event rather than triaging one alert at a time.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846640/; classtype:trojan-activity;sid:84709740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846636/; classtype:trojan-activity;sid:84709736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846637/; classtype:trojan-activity;sid:84709737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846638/; classtype:trojan-activity;sid:84709738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846639/; classtype:trojan-activity;sid:84709739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846633/; classtype:trojan-activity;sid:84709733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846634/; classtype:trojan-activity;sid:84709734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846635/; classtype:trojan-activity;sid:84709735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846629/; classtype:trojan-activity;sid:84709729; rev:1;)
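# URLhaus download-URL rules (metadata:created_at 2026_05_14), restored to one rule per line.
#
# Every rule below follows one template: an established client-to-server HTTP
# flow from $HOME_NET to $EXTERNAL_NET, method GET, with http.uri and http.host
# each pinned to a single value. "depth:<len>" anchors the content at offset 0
# and "endswith" / "isdataat:!1,relative" requires the buffer to end right
# after it, so depth has to equal the decoded byte length of the content for
# the match to be exact. The URI comparison is case-insensitive (nocase).
#
# Recurring URI shapes in this run: "/<uuid>/google.ct" on .wiki hosts and
# "/?ublib=<uuid>" on .digital hosts; "/i" and "/bin.sh" on bare-IP hosts.
#
# Coverage caveats for triage: these rules fire only on HTTP that Suricata can
# parse in the clear, and only when the Host header carries the listed address
# or name. Short paths such as "/i" are meaningful only together with the host
# condition. A hit means a host in $HOME_NET requested a URL listed by URLhaus;
# the reference:url entry of the rule points at that listing.

# 176.65.139.161: /iran.<arch> file names and /cat.sh (the rules for this host
# begin earlier in the file).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846630/; classtype:trojan-activity;sid:84709730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846631/; classtype:trojan-activity;sid:84709731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846632/; classtype:trojan-activity;sid:84709732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846628/; classtype:trojan-activity;sid:84709728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846627/; classtype:trojan-activity;sid:84709727; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.216.243"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846626/; classtype:trojan-activity;sid:84709726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.190.23.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846625/; classtype:trojan-activity;sid:84709725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.191.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846624/; classtype:trojan-activity;sid:84709724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.49.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846623/; classtype:trojan-activity;sid:84709723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/67a72c79-81bb-426d-9600-a94ef04a9f3e/google.ct"; depth:47; endswith; nocase; http.host; content:"asynchronous-message-routing-framework.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846622/; classtype:trojan-activity;sid:84709722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.75.175"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846621/; classtype:trojan-activity;sid:84709721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.40.77.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846620/; classtype:trojan-activity;sid:84709720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.21.174.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846619/; classtype:trojan-activity;sid:84709719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2640e5d2-eb61-4e55-ad76-839747778aa9/google.ct"; depth:47; endswith; nocase; http.host; content:"telemetry-stream-hub.wiki"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846618/; classtype:trojan-activity;sid:84709718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.190.23.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846617/; classtype:trojan-activity;sid:84709717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.223.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846616/; classtype:trojan-activity;sid:84709716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.49.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846615/; classtype:trojan-activity;sid:84709715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.230.83.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846614/; classtype:trojan-activity;sid:84709714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.12.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846613/; classtype:trojan-activity;sid:84709713; rev:1;)

# depth corrected from 47 to 44 on the URI content of the next rule: "|3f|" is
# one byte ("?"), so the decoded content is 44 bytes, not the 47 characters of
# its escaped spelling. With depth:47 plus endswith the rule was not an exact
# match like its siblings; it also accepted URIs with up to three bytes in
# front of the listed string. sid 84709674 and sid 84709667 later in this file
# carry the same miscount. NOTE(review): this is a local edit to a generated
# feed and would presumably be overwritten on the next ruleset refresh; the
# durable fix is in the generator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=116eaccf-4fd5-4af0-9842-a2a69c4f85e9"; depth:44; endswith; nocase; http.host; content:"8xorq0f0.after-diacritic.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846612/; classtype:trojan-activity;sid:84709712; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f4b68dac-766d-43f1-85dc-a66eb321db00/google.ct"; depth:47; endswith; nocase; http.host; content:"federated-storage-cluster-system.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846611/; classtype:trojan-activity;sid:84709711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.234.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846610/; classtype:trojan-activity;sid:84709710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.153.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846609/; classtype:trojan-activity;sid:84709709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.162.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846608/; classtype:trojan-activity;sid:84709708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2e9cfcf6-65db-4606-8f21-f1666043c88d/google.ct"; depth:47; endswith; nocase; http.host; content:"microservice-control-plane-node.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846607/; classtype:trojan-activity;sid:84709707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.129.12.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846606/; classtype:trojan-activity;sid:84709706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.57.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846605/; classtype:trojan-activity;sid:84709705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.10.132.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846604/; classtype:trojan-activity;sid:84709704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f2824239-0f1f-4a43-bcf2-574055731de6/google.ct"; depth:47; endswith; nocase; http.host; content:"cloud-infrastructure-management-platform.wiki"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846603/; classtype:trojan-activity;sid:84709703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.150.252.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846602/; classtype:trojan-activity;sid:84709702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846601/; classtype:trojan-activity;sid:84709701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.10.132.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846600/; classtype:trojan-activity;sid:84709700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c850bf60-243d-4cbb-b6ab-80f4def598ab/google.ct"; depth:47; endswith; nocase; http.host; content:"edge-processing-network.wiki"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846599/; classtype:trojan-activity;sid:84709699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846598/; classtype:trojan-activity;sid:84709698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.150.252.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846597/; classtype:trojan-activity;sid:84709697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"72.255.30.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846596/; classtype:trojan-activity;sid:84709696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0aeb1308-ff90-48e8-bb16-519020f325b8/google.ct"; depth:47; endswith; nocase; http.host; content:"serverless-runtime-orchestration-engine.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846595/; classtype:trojan-activity;sid:84709695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.217.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846594/; classtype:trojan-activity;sid:84709694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846593/; classtype:trojan-activity;sid:84709693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.94.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846592/; classtype:trojan-activity;sid:84709692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846591/; classtype:trojan-activity;sid:84709691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.207.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846590/; classtype:trojan-activity;sid:84709690; rev:1;)

# 176.65.149.254: twelve rules, one per architecture-named path (/arm5 ... /m68k).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846578/; classtype:trojan-activity;sid:84709678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846579/; classtype:trojan-activity;sid:84709679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846580/; classtype:trojan-activity;sid:84709680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846581/; classtype:trojan-activity;sid:84709681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846582/; classtype:trojan-activity;sid:84709682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846583/; classtype:trojan-activity;sid:84709683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846584/; classtype:trojan-activity;sid:84709684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846585/; classtype:trojan-activity;sid:84709685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846586/; classtype:trojan-activity;sid:84709686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846587/; classtype:trojan-activity;sid:84709687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846588/; classtype:trojan-activity;sid:84709688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.149.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846589/; classtype:trojan-activity;sid:84709689; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6c62a2a9-703e-42c7-bf00-759e9c9e21ab/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-cache-storage-layer.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846577/; classtype:trojan-activity;sid:84709677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.194.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846576/; classtype:trojan-activity;sid:84709676; rev:1;)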
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/900dd387-42c2-449e-b5f8-4b59279d3eb5/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-cache-storage-layer.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846575/; classtype:trojan-activity;sid:84709675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7f21d227-1b8c-4c85-8ed9-d35f3d789776"; depth:47; endswith; nocase; http.host; content:"t7osftz9.estat-goldilock.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846574/; classtype:trojan-activity;sid:84709674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6f6d3e2-72b0-4441-959a-fd4cbe9c248a/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-cache-storage-layer.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846573/; classtype:trojan-activity;sid:84709673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.129.40.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846572/; classtype:trojan-activity;sid:84709672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846571)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.94.145"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846571/; classtype:trojan-activity;sid:84709671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.246.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846570/; classtype:trojan-activity;sid:84709670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.81.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846569/; classtype:trojan-activity;sid:84709669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.33.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846568/; classtype:trojan-activity;sid:84709668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=b9802600-6dbd-431d-9776-3bf2c4f79826"; depth:47; endswith; nocase; http.host; content:"bq99ksyi.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846567/; classtype:trojan-activity;sid:84709667; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.184.249"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846566/; classtype:trojan-activity;sid:84709666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.81.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846565/; classtype:trojan-activity;sid:84709665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/424567a5-eb5c-4b5e-bce3-eacf5b8df971/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-cache-storage-layer.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846564/; classtype:trojan-activity;sid:84709664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.140.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846563/; classtype:trojan-activity;sid:84709663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.140.212"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846562/; classtype:trojan-activity;sid:84709662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.225.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846561/; classtype:trojan-activity;sid:84709661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.184.249"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846560/; classtype:trojan-activity;sid:84709660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/807c3881-26e3-42b3-8737-15fdc96d991c/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-cache-storage-layer.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846559/; classtype:trojan-activity;sid:84709659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.sh"; depth:5; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846558/; classtype:trojan-activity;sid:84709658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846557)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.225.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846557/; classtype:trojan-activity;sid:84709657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58ca6267-9c52-473b-a724-01e4ee71f78e/google.ct"; depth:47; endswith; nocase; http.host; content:"virtual-routing-gateway.wiki"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846556/; classtype:trojan-activity;sid:84709656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.229.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846555/; classtype:trojan-activity;sid:84709655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.82.252"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846554/; classtype:trojan-activity;sid:84709654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f01d8ba9-cd08-4663-90ce-c6db2fb38768/google.ct"; depth:47; endswith; nocase; http.host; content:"desk-sensor-tabel-tunnel-key.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, 
urlhaus.abuse.ch/url/3846553/; classtype:trojan-activity;sid:84709653; rev:1;)
# Reading notes for the rules in this part of the file (all carry created_at 2026_05_14).
# Shape shared by every rule: protocol http, $HOME_NET -> $EXTERNAL_NET, established flow,
# client-to-server direction, method GET, then an exact match on URI and on host:
#   - http.uri  content + depth:<pattern length> + endswith + nocase: the URI buffer must
#     equal the pattern, ignoring case; anything longer does not match.
#   - http.host content + depth:<pattern length> + isdataat:!1,relative: the host buffer
#     must equal the pattern, with no bytes after it.
# Coverage limits that follow from that shape: only HTTP the sensor can parse in the clear is
# inspected (a TLS-wrapped fetch is not, unless it is decrypted upstream of the sensor), only
# GET requests leaving $HOME_NET are considered, and each rule covers one URL, not a whole host.
# Many host patterns below are bare IPv4 addresses. NOTE(review): indicators of that kind tend
# to age quickly; treat a hit as a triage lead and check the reference URL before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.16.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846552/; classtype:trojan-activity;sid:84709652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.29.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846551/; classtype:trojan-activity;sid:84709651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.17.29.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846550/; classtype:trojan-activity;sid:84709650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.111.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846549/; classtype:trojan-activity;sid:84709649; rev:1;)
# Recurring shape in this part of the file: URI /<uuid>/google.ct on a hyphenated multi-word
# .wiki hostname. The UUID and the hostname differ in every such rule, so each signature
# covers exactly one URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12d0af6a-a86c-415d-bb4c-5aadc289f186/google.ct"; depth:47; endswith; nocase; http.host; content:"engine-block-tabel-stream-key.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846548/; classtype:trojan-activity;sid:84709648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.202.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846547/; classtype:trojan-activity;sid:84709647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.1.227.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846546/; classtype:trojan-activity;sid:84709646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/92c764c1-ff82-4023-a702-309971bc7633/google.ct"; depth:47; endswith; nocase; http.host; content:"binary-block-tabel-expert-get.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846545/; classtype:trojan-activity;sid:84709645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.202.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846544/; classtype:trojan-activity;sid:84709644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f9676fa8-b8b2-43b4-87d3-f6119c3f0334/google.ct"; depth:47; endswith; nocase; http.host; content:"binary-block-state-collection.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846543/; classtype:trojan-activity;sid:84709643; rev:1;)
# |3f| is the hex escape for '?', so the URI matched by the next rule is /?ublib=<uuid>.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7066060f-9d7e-4711-8de8-024882058851"; depth:47; endswith; nocase; http.host; content:"qe74wzzp.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846542/; classtype:trojan-activity;sid:84709642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.233.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846541/; classtype:trojan-activity;sid:84709641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846540/; classtype:trojan-activity;sid:84709640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.8.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846539/; classtype:trojan-activity;sid:84709639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.215.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846538/; classtype:trojan-activity;sid:84709638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.230.83.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846537/; classtype:trojan-activity;sid:84709637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c64d4fb9-ead4-41fb-9029-6664aaef4b24/google.ct"; depth:47; endswith; nocase; http.host; content:"byte-stream-encryption-standard-base.wiki"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846536/; classtype:trojan-activity;sid:84709636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.116.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846535/; classtype:trojan-activity;sid:84709635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/977d39d8-5d31-4a5a-a92f-8180ba3da926/google.ct"; depth:47; endswith; nocase; http.host; content:"trace-route-diagnostic-signal-map.wiki"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846534/; classtype:trojan-activity;sid:84709634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.42.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846533/; classtype:trojan-activity;sid:84709633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.8.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846532/; classtype:trojan-activity;sid:84709632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.229.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846531/; classtype:trojan-activity;sid:84709631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.105.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846530/; classtype:trojan-activity;sid:84709630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.251.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846529/; classtype:trojan-activity;sid:84709629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846528/; classtype:trojan-activity;sid:84709628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9addae9f-a2b1-4e8f-bb5d-40db06aa3edc/google.ct"; depth:47; endswith; nocase; http.host; content:"kernel-patch-update-release-history.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846527/; classtype:trojan-activity;sid:84709627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.251.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846526/; classtype:trojan-activity;sid:84709626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.129.40.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846525/; classtype:trojan-activity;sid:84709625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.170.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846524/; classtype:trojan-activity;sid:84709624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.105.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846523/; classtype:trojan-activity;sid:84709623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8f17c972-8dcd-48e2-9699-dd33797c674c/google.ct"; depth:47; endswith; nocase; http.host; content:"meta-data-shredding-cleanup-utility.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846522/; classtype:trojan-activity;sid:84709622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.149.206.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846520/; classtype:trojan-activity;sid:84709620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.196.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846521/; classtype:trojan-activity;sid:84709621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.44.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846519/; classtype:trojan-activity;sid:84709619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.118.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846518/; classtype:trojan-activity;sid:84709618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.46.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846517/; classtype:trojan-activity;sid:84709617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/38435a52-4879-40be-aba3-b5f64322ae6a/google.ct"; depth:47; endswith; nocase; http.host; content:"remote-sensor-proxy-tunnel-config.wiki"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846516/; classtype:trojan-activity;sid:84709616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.196.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846515/; classtype:trojan-activity;sid:84709615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=f61eb22b-2132-4e56-bbbf-7bdeb503aea8"; depth:47; endswith; nocase; http.host; content:"9xbc3jzp.disorientbreak.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846514/; classtype:trojan-activity;sid:84709614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.118.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846513/; classtype:trojan-activity;sid:84709613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c75a1bce-85a6-4ae2-bcd2-b599a5593d83/google.ct"; depth:47; endswith; nocase; http.host; content:"stat-collection-engine-performance-view.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846512/; classtype:trojan-activity;sid:84709612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.231.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846511/; classtype:trojan-activity;sid:84709611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.90.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846510/; classtype:trojan-activity;sid:84709610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.224.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846509/; classtype:trojan-activity;sid:84709609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846508/; classtype:trojan-activity;sid:84709608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.86.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846507/; classtype:trojan-activity;sid:84709607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.24.16.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846506/; classtype:trojan-activity;sid:84709606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846505/; classtype:trojan-activity;sid:84709605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c77fde23-9bbf-411a-9ac1-54d8e37782dd/google.ct"; depth:47; endswith; nocase; http.host; content:"binary-buffer-overflow-protection-lab.wiki"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846504/; classtype:trojan-activity;sid:84709604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.90.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846503/; classtype:trojan-activity;sid:84709603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.215.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, 
urlhaus.abuse.ch/url/3846502/; classtype:trojan-activity;sid:84709602; rev:1;)
# Reading notes for the rules in this part of the file (all carry created_at 2026_05_14).
# Each rule inspects cleartext HTTP GET requests from $HOME_NET to $EXTERNAL_NET on an
# established flow and requires an exact match on both buffers: http.uri (content +
# depth:<pattern length> + endswith, case-insensitive via nocase) and http.host (content +
# depth:<pattern length> + isdataat:!1,relative, i.e. no bytes after the pattern).
# A rule therefore covers one URL only; requests the sensor cannot parse as cleartext HTTP
# (for example TLS that is not decrypted upstream) and non-GET methods are outside its scope.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.224.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846501/; classtype:trojan-activity;sid:84709601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.217.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846500/; classtype:trojan-activity;sid:84709600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/21e19164-f354-4f6d-a26e-ea3c43ac773a/google.ct"; depth:47; endswith; nocase; http.host; content:"analytical-traffic-audit-record-file.wiki"; depth:41; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846499/; classtype:trojan-activity;sid:84709599; rev:1;)
# From here on, all but one of the rules (the /i rule for 27.193.158.245) share the host
# 156.238.242.196. Each rule names one file: per-architecture names under /bins/
# (linux_<arch>, manji.<arch>, armv5l, armv7l, mips) and the shell scripts /kla.sh,
# /bins/kla.sh and /bins/w.sh.
# Because every rule is an exact URI match, a file name on this host that is not listed here
# raises no alert; a host-level search of HTTP/proxy logs for this address complements the set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips64"; depth:18; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846496/; classtype:trojan-activity;sid:84709596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mipsel_softfloat"; depth:28; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846497/; classtype:trojan-activity;sid:84709597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_aarch64"; depth:19; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846498/; classtype:trojan-activity;sid:84709598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_386"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846494/; classtype:trojan-activity;sid:84709594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_amd64"; depth:17; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846495/; classtype:trojan-activity;sid:84709595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_arm5"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846493/; classtype:trojan-activity;sid:84709593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.sh4"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846486/; classtype:trojan-activity;sid:84709586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.dbg"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846487/; classtype:trojan-activity;sid:84709587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv7l"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846488/; classtype:trojan-activity;sid:84709588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.apk"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846489/; classtype:trojan-activity;sid:84709589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.mpsl"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846490/; classtype:trojan-activity;sid:84709590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arc"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846491/; classtype:trojan-activity;sid:84709591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm6"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846492/; classtype:trojan-activity;sid:84709592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.x86"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846485/; classtype:trojan-activity;sid:84709585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm7"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846484/; classtype:trojan-activity;sid:84709584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.i686"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846482/; classtype:trojan-activity;sid:84709582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846483/; classtype:trojan-activity;sid:84709583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.158.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846481/; classtype:trojan-activity;sid:84709581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_arm7"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846475/; classtype:trojan-activity;sid:84709575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_ppc64"; depth:17; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846476/; classtype:trojan-activity;sid:84709576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_arm6"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846477/; classtype:trojan-activity;sid:84709577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips_softfloat"; depth:26; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846478/; classtype:trojan-activity;sid:84709578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips_hardfloat"; depth:26; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846479/; classtype:trojan-activity;sid:84709579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mipsel_hardfloat"; depth:28; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846480/; classtype:trojan-activity;sid:84709580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_ppc64el"; depth:19; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846474/; classtype:trojan-activity;sid:84709574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_mips64el"; depth:20; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846473/; classtype:trojan-activity;sid:84709573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.ppc"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846472/; classtype:trojan-activity;sid:84709572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.spc"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846461/; classtype:trojan-activity;sid:84709561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kla.sh"; depth:7; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846462/; classtype:trojan-activity;sid:84709562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w.sh"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846463/; classtype:trojan-activity;sid:84709563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kla.sh"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846464/; classtype:trojan-activity;sid:84709564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.m68k"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846465/; classtype:trojan-activity;sid:84709565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm4"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846466/; classtype:trojan-activity;sid:84709566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv5l"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846467/; classtype:trojan-activity;sid:84709567; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.i486"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846468/; classtype:trojan-activity;sid:84709568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv4l"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846469/; classtype:trojan-activity;sid:84709569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.ppc440"; depth:18; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846470/; classtype:trojan-activity;sid:84709570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv6l"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846471/; classtype:trojan-activity;sid:84709571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/linux_ak.sh"; depth:17; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846459/; classtype:trojan-activity;sid:84709559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.arm5"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846460/; classtype:trojan-activity;sid:84709560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sora.sh"; depth:13; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846458/; classtype:trojan-activity;sid:84709558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846456/; classtype:trojan-activity;sid:84709556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/manji.mips"; depth:16; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846457/; classtype:trojan-activity;sid:84709557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846455)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"60.211.105.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846455/; classtype:trojan-activity;sid:84709555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.215.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846454/; classtype:trojan-activity;sid:84709554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846453/; classtype:trojan-activity;sid:84709553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"162.141.92.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846450/; classtype:trojan-activity;sid:84709550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"162.141.92.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846451/; classtype:trojan-activity;sid:84709551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3846452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"162.141.92.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846452/; classtype:trojan-activity;sid:84709552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.39.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846449/; classtype:trojan-activity;sid:84709549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"162.141.92.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846448/; classtype:trojan-activity;sid:84709548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.86.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846446/; classtype:trojan-activity;sid:84709546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"162.141.92.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846447/; classtype:trojan-activity;sid:84709547; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acf985c0-529f-4299-865d-438d99060aee/google.ct"; depth:47; endswith; nocase; http.host; content:"hardware-resource-monitor-tool-box.wiki"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846445/; classtype:trojan-activity;sid:84709545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846444/; classtype:trojan-activity;sid:84709544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.194.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846443/; classtype:trojan-activity;sid:84709543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.39.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846442/; classtype:trojan-activity;sid:84709542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.211.105.231"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846441/; classtype:trojan-activity;sid:84709541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ac76e26e-ae29-4693-80e6-e02bc7e11dbc/google.ct"; depth:47; endswith; nocase; http.host; content:"crypt-algorithm-analysis-expert-board.wiki"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846440/; classtype:trojan-activity;sid:84709540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846439/; classtype:trojan-activity;sid:84709539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=7b0863ee-88ee-4705-b288-07cb0c301f33"; depth:47; endswith; nocase; http.host; content:"i0zaakp5.monotheism-sled.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846438/; classtype:trojan-activity;sid:84709538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.37.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846437/; classtype:trojan-activity;sid:84709537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3846436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.149.146.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846436/; classtype:trojan-activity;sid:84709536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7eb749d9-f1bd-4d75-9e6a-ca1ed72667d7/google.ct"; depth:47; endswith; nocase; http.host; content:"brightestprocexchange.wiki"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846435/; classtype:trojan-activity;sid:84709535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/selfrep.sh"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846434/; classtype:trojan-activity;sid:84709534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load.sh"; depth:8; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846433/; classtype:trojan-activity;sid:84709533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, 
urlhaus.abuse.ch/url/3846432/; classtype:trojan-activity;sid:84709532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.237.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846431/; classtype:trojan-activity;sid:84709531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.36.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846430/; classtype:trojan-activity;sid:84709530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18f833d8-de43-4fb5-8bac-a956741fead6/google.ct"; depth:47; endswith; nocase; http.host; content:"antiq-telegraphyproduct.wiki"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846429/; classtype:trojan-activity;sid:84709529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.149.146.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846428/; classtype:trojan-activity;sid:84709528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"115.55.36.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846427/; classtype:trojan-activity;sid:84709527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.161.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846426/; classtype:trojan-activity;sid:84709526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.229.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846425/; classtype:trojan-activity;sid:84709525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.25.167"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846424/; classtype:trojan-activity;sid:84709524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.210.35.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846423/; classtype:trojan-activity;sid:84709523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846422)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.156.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846422/; classtype:trojan-activity;sid:84709522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/77321903-788b-4544-acb8-8a4866e56080/google.ct"; depth:47; endswith; nocase; http.host; content:"beacontweezersbinge.wiki"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846421/; classtype:trojan-activity;sid:84709521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.161.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846419/; classtype:trojan-activity;sid:84709519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.159.219"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846420/; classtype:trojan-activity;sid:84709520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.110.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846418/; 
classtype:trojan-activity;sid:84709518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.156.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846417/; classtype:trojan-activity;sid:84709517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.149.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846416/; classtype:trojan-activity;sid:84709516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.31.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846415/; classtype:trojan-activity;sid:84709515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.210.35.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846414/; classtype:trojan-activity;sid:84709514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c691927-6dca-40a2-9484-b59adef99719/google.ct"; depth:47; endswith; nocase; http.host; 
content:"medicin-morisomtobeafraid.wiki"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846413/; classtype:trojan-activity;sid:84709513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.110.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846412/; classtype:trojan-activity;sid:84709512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846411/; classtype:trojan-activity;sid:84709511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.39.12.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846410/; classtype:trojan-activity;sid:84709510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/602df357-d594-48c5-8b36-1834dbfb8c97/google.ct"; depth:47; endswith; nocase; http.host; content:"immersevocalistidleness.wiki"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846409/; classtype:trojan-activity;sid:84709509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3846408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.30.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846408/; classtype:trojan-activity;sid:84709508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.106.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_14; reference:url, urlhaus.abuse.ch/url/3846407/; classtype:trojan-activity;sid:84709507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846406/; classtype:trojan-activity;sid:84709506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00b9126d-7dc2-4259-8d0f-1b05def60d39/google.ct"; depth:47; endswith; nocase; http.host; content:"conjur-kremlinshort.wiki"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846405/; classtype:trojan-activity;sid:84709505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=0411697c-1539-403f-b8d8-a1120d9a7329"; depth:47; endswith; nocase; http.host; content:"64bc33vp.chequecholeric.digital"; depth:31; isdataat:!1,relative; metadata:created_at 
2026_05_13; reference:url, urlhaus.abuse.ch/url/3846404/; classtype:trojan-activity;sid:84709504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846403/; classtype:trojan-activity;sid:84709503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/82ecab99-0a61-4fd2-b14e-bb8e3eaa7ff6/google.ct"; depth:47; endswith; nocase; http.host; content:"patenttag.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846402/; classtype:trojan-activity;sid:84709502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.31.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846401/; classtype:trojan-activity;sid:84709501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.65.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846400/; classtype:trojan-activity;sid:84709500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846399)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.65.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846399/; classtype:trojan-activity;sid:84709499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.75.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846398/; classtype:trojan-activity;sid:84709498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.242.14.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846397/; classtype:trojan-activity;sid:84709497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.149.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846396/; classtype:trojan-activity;sid:84709496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846395/; classtype:trojan-activity;sid:84709495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846394)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.75.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846394/; classtype:trojan-activity;sid:84709494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/980ea300-72b6-4e01-82fc-5dfb2d50f575/google.ct"; depth:47; endswith; nocase; http.host; content:"hemorrhoid-daydark.wiki"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846393/; classtype:trojan-activity;sid:84709493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846392/; classtype:trojan-activity;sid:84709492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.13.149.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846391/; classtype:trojan-activity;sid:84709491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.243.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846390/; 
classtype:trojan-activity;sid:84709490; rev:1;)
# Direction is $HOME_NET -> $EXTERNAL_NET with flow:established,from_client, so an alert means a
# monitored host sent the GET on an established flow. Triage therefore starts at the source
# address of the alert; the rule does not inspect the response.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.55.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846389/; classtype:trojan-activity;sid:84709489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846388/; classtype:trojan-activity;sid:84709488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c296cae2-c1da-494d-b4cd-262311efebb9/google.ct"; depth:47; endswith; nocase; http.host; content:"scalpingstillephemer-natorel.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846387/; classtype:trojan-activity;sid:84709487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.32.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846386/; classtype:trojan-activity;sid:84709486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"182.114.34.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846385/; classtype:trojan-activity;sid:84709485; rev:1;)
# Host anchoring: in every rule here the http.host depth equals the length of the host string and
# isdataat:!1,relative requires that no byte follows the match, so the Host value must be exactly
# the listed IP or domain; a longer name that only starts with it does not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.164.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846384/; classtype:trojan-activity;sid:84709484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f74e746c-4931-4651-bc4e-871a24a29c69/google.ct"; depth:47; endswith; nocase; http.host; content:"hemorrhoid-daydark.wiki"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846383/; classtype:trojan-activity;sid:84709483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.90.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846382/; classtype:trojan-activity;sid:84709482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.81.62.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846381/; classtype:trojan-activity;sid:84709481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846380)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f73b95d7-5072-411a-b833-b15d92d4961f/google.ct"; depth:47; endswith; nocase; http.host; content:"scalpingstillephemer-natorel.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846380/; classtype:trojan-activity;sid:84709480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.92.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846379/; classtype:trojan-activity;sid:84709478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.90.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846378/; classtype:trojan-activity;sid:84709478; rev:1;)
# NOTE(review): in this rule and the one after it, |3f| is the hex escape for a single "?" byte,
# so the URI content is 44 bytes while depth is 47. endswith still forces the URI to end in this
# string, but a URI with up to three extra leading bytes would also match; depth:44 would make it
# an exact match like the other rules. The UUID-shaped value keeps false positives unlikely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=9e7b63eb-382a-4bc3-ba24-ba660743cce8"; depth:47; endswith; nocase; http.host; content:"m1rz16og.poles-wrinkle.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846377/; classtype:trojan-activity;sid:84709477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=3fce5bc3-12bf-4856-a3ce-15cd0ad531f3"; depth:47; endswith; nocase; http.host; content:"op1h26r1.exhaustoverwint.digital"; depth:32; 
isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846376/; classtype:trojan-activity;sid:84709476; rev:1;)
# These are `alert http` signatures using the http.method / http.uri / http.host buffers, so they
# fire only on traffic Suricata parses as HTTP. The same URL fetched over TLS is not covered by
# these rules unless the traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.139.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846375/; classtype:trojan-activity;sid:84709475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/47cfd9fe-c027-4027-9212-26474b714f81/google.ct"; depth:47; endswith; nocase; http.host; content:"packetdistributionmesh.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846374/; classtype:trojan-activity;sid:84709474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846373/; classtype:trojan-activity;sid:84709473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.92.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846372/; classtype:trojan-activity;sid:84709472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846371)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.67.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846371/; classtype:trojan-activity;sid:84709471; rev:1;)
# Mapping an alert back to its source entry: the number in msg, the reference URL and the sid all
# identify the same URLhaus entry. For the rules visible here the sid is the entry id plus
# 80863100 (e.g. entry 3846370 -> sid 84709470).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.241.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846370/; classtype:trojan-activity;sid:84709470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.150.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846369/; classtype:trojan-activity;sid:84709469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd13431b-cc63-4214-870f-71753b5fb3cc/google.ct"; depth:47; endswith; nocase; http.host; content:"hypervisorresourcecontroller.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846368/; classtype:trojan-activity;sid:84709468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846367/; classtype:trojan-activity;sid:84709467; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.239.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846366/; classtype:trojan-activity;sid:84709466; rev:1;)
# metadata:created_at records the date carried by the rule (2026_05_13 for all rules here). These
# are point-in-time indicators keyed on IP-literal hosts; NOTE(review): when triaging a hit long
# after that date, confirm via the reference URL that the entry is still listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.150.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846365/; classtype:trojan-activity;sid:84709465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.12.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846364/; classtype:trojan-activity;sid:84709464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.67.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846363/; classtype:trojan-activity;sid:84709463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baabdb37-5427-4c6c-ab76-53715c43cf58/google.ct"; depth:47; endswith; nocase; http.host; content:"telemetry-observability-core.wiki"; depth:33; 
isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846362/; classtype:trojan-activity;sid:84709462; rev:1;)
# The rules below all name the same host (176.65.139.177) and differ only in the file requested:
# "/bot.<suffix>" where the suffix looks like a CPU architecture (mipsel, arc, armv6l, powerpc,
# aarch64). Each file name has its own sid, so a hit on any of them points at the same server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846361/; classtype:trojan-activity;sid:84709461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arc"; depth:8; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846360/; classtype:trojan-activity;sid:84709460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846358/; classtype:trojan-activity;sid:84709458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846359/; classtype:trojan-activity;sid:84709459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846355)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846355/; classtype:trojan-activity;sid:84709455; rev:1;)
# "/load.sh" is listed on the same host (176.65.139.177) as the "/bot.<suffix>" files.
# NOTE(review): presumably the script that fetches those files; the rule itself only establishes
# the URL, so confirm against the URLhaus entry before relying on that reading.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846356/; classtype:trojan-activity;sid:84709456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846357/; classtype:trojan-activity;sid:84709457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846347/; classtype:trojan-activity;sid:84709447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846348/; classtype:trojan-activity;sid:84709448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3846349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846349/; classtype:trojan-activity;sid:84709449; rev:1;)
# More "/bot.<suffix>" entries for host 176.65.139.177 (armv4l, x86_64, mips, sh4). Because each
# file name is a separate rule with its own sid, grouping alerts by sid shows which file a given
# internal host requested, and grouping by destination shows every host that contacted the server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846350/; classtype:trojan-activity;sid:84709450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846351/; classtype:trojan-activity;sid:84709451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846352/; classtype:trojan-activity;sid:84709452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846353/; 
classtype:trojan-activity;sid:84709453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsr"; depth:10; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846354/; classtype:trojan-activity;sid:84709454; rev:1;)
# URI anchoring for the "/i" rules below: depth:2 limits the search to the first two bytes and
# endswith requires the match to finish at the end of http.uri, so only a request whose URI is
# exactly "/i" (any letter case, because of nocase) on the listed host raises the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.82.252"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846346/; classtype:trojan-activity;sid:84709446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.42.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846345/; classtype:trojan-activity;sid:84709445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.243.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846344/; classtype:trojan-activity;sid:84709444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cc8a7d28-43ff-43ea-a2ae-8f7ff5dc35b5/google.ct"; depth:47; endswith; nocase; http.host; 
content:"runtimeexecutionlayer.wiki"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846343/; classtype:trojan-activity;sid:84709443; rev:1;)
# nocase is attached to the http.uri content only; the http.host content carries no nocase and
# is written in lower case in every rule here. NOTE(review): this relies on Suricata presenting
# the http.host buffer in lower case - confirm for the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.224.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846342/; classtype:trojan-activity;sid:84709442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.42.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846341/; classtype:trojan-activity;sid:84709441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.243.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846340/; classtype:trojan-activity;sid:84709440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0973b5d6-e163-4714-b460-1c00edf05bef/google.ct"; depth:47; endswith; nocase; http.host; content:"decentralizedmessagingframework.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846339/; classtype:trojan-activity;sid:84709439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3846338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.151.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846338/; classtype:trojan-activity;sid:84709438; rev:1;)
# One host can appear under several sids: 182.117.151.166 is listed here with both "/i" (sid
# 84709438) and "/bin.sh" (sid 84709434). When triaging, correlate alerts by destination host
# rather than treating each sid as an unrelated event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.249.61.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846337/; classtype:trojan-activity;sid:84709437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.224.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846336/; classtype:trojan-activity;sid:84709436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.151.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846334/; classtype:trojan-activity;sid:84709434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ec1edee-9761-4553-8dfd-5f0b3cc550d7/google.ct"; depth:47; endswith; nocase; http.host; content:"distributedobjectstoragenet.wiki"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, 
urlhaus.abuse.ch/url/3846335/; classtype:trojan-activity;sid:84709435; rev:1;)
# Mixed block: IP-literal hosts with "/i" or "/bin.sh", and one .wiki domain whose path is a
# UUID-shaped directory followed by "google.ct". The domain rule matches that one path only, so
# a request for a different path on the same domain is not detected by this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.5.135"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846333/; classtype:trojan-activity;sid:84709433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.232.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846332/; classtype:trojan-activity;sid:84709432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/366c47de-01d5-4d5d-bbfc-71cee1862a6d/google.ct"; depth:47; endswith; nocase; http.host; content:"microkernel-routing-engine.wiki"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846331/; classtype:trojan-activity;sid:84709431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.46.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846330/; classtype:trojan-activity;sid:84709430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"123.5.5.135"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846329/; classtype:trojan-activity;sid:84709429; rev:1;)
# Every rule has classtype:trojan-activity and rev:1, and matches on three exact values only:
# method GET, the full URI, and the full Host. Nothing in the rule inspects the response, so an
# alert shows that the request was sent, not that a payload was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846328/; classtype:trojan-activity;sid:84709428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4e8d835a-d7c6-4214-ae29-a989fe86d8b4/google.ct"; depth:47; endswith; nocase; http.host; content:"streamprocessingnode.wiki"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846327/; classtype:trojan-activity;sid:84709427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.185.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846326/; classtype:trojan-activity;sid:84709426; rev:1;)
# First of several entries for host 64.89.160.172 whose path is a short architecture-style name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"64.89.160.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846324/; classtype:trojan-activity;sid:84709424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3846325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.28.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846325/; classtype:trojan-activity;sid:84709425; rev:1;)
# Host 64.89.160.172 with paths "/arm", "/arm7" and "/arm6": short, generic paths that stay
# specific only because the URI is matched in full (depth equals the path length, plus endswith)
# and the Host must equal the listed address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"64.89.160.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846322/; classtype:trojan-activity;sid:84709422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"64.89.160.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846323/; classtype:trojan-activity;sid:84709423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"64.89.160.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846321/; classtype:trojan-activity;sid:84709421; rev:1;)
# The rule below matches "/bin/screenconnect.clientsetup.exe", a file name that resembles a
# ScreenConnect remote-support client installer. It is tied to the listed host, so it does not
# flag downloads of that file name from any other server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"89.40.31.61"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846320/; classtype:trojan-activity;sid:84709420; 
rev:1;)
# Remote-support client file names ("/bin/screenconnect.clientsetup.exe",
# "/bin/support.client.exe") on three listed hosts. nocase makes the URI match independent of
# letter case. Each rule fires only for its own host, so an alert identifies the distribution
# server; it is not a general detection for this kind of installer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"212.232.22.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846318/; classtype:trojan-activity;sid:84709418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"46.151.182.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846319/; classtype:trojan-activity;sid:84709419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"46.151.182.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846316/; classtype:trojan-activity;sid:84709416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"212.232.22.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846317/; classtype:trojan-activity;sid:84709417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; 
endswith; nocase; http.host; content:"46.151.182.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846314/; classtype:trojan-activity;sid:84709414; rev:1;)
# "/bin/support.client.exe" on 46.151.182.208, followed by "/i" entries and one .wiki URL.
# All of these inspect the parsed HTTP request only (method, URI, Host), so they see nothing
# when the same resource is fetched inside an encrypted session.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"46.151.182.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846315/; classtype:trojan-activity;sid:84709415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.90.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846313/; classtype:trojan-activity;sid:84709413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.127.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846312/; classtype:trojan-activity;sid:84709412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dfc0d53a-d334-485d-8e2a-c27cc2d332e8/google.ct"; depth:47; endswith; nocase; http.host; content:"virtual-session-broker.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846311/; classtype:trojan-activity;sid:84709411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3846310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.90.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846310/; classtype:trojan-activity;sid:84709410; rev:1;)
# These are "alert http" rules: they fire only where the sensor sees the request as decoded HTTP.
# A fetch of the same URL inside TLS is not covered unless the traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846309/; classtype:trojan-activity;sid:84709409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.185.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846308/; classtype:trojan-activity;sid:84709408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/466f37f9-24a3-4903-9512-f0177685e3bf/google.ct"; depth:47; endswith; nocase; http.host; content:"containerorchestrationhub.wiki"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846307/; classtype:trojan-activity;sid:84709407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"170.83.13.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url,
urlhaus.abuse.ch/url/3846306/; classtype:trojan-activity;sid:84709406; rev:1;)
# Direction is $HOME_NET -> $EXTERNAL_NET with flow:established,from_client, so only outbound
# client requests match. Check that HOME_NET covers every monitored segment, or these stay silent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.185.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846305/; classtype:trojan-activity;sid:84709405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.234.9.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846304/; classtype:trojan-activity;sid:84709404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"170.83.13.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846303/; classtype:trojan-activity;sid:84709403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ae6116fe-2eb1-4544-bb56-b4eb5e959476/google.ct"; depth:47; endswith; nocase; http.host; content:"decentralizedworkflowengine.wiki"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846302/; classtype:trojan-activity;sid:84709402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2;
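endswith; nocase; http.host; content:"115.55.236.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846301/; classtype:trojan-activity;sid:84709401; rev:1;)
# Exact-URL indicators: GET only, URI pinned by depth (= content length) plus endswith,
# Host pinned by depth plus isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/408a5b9f-4e98-40ba-9a7a-380fc1ae1712/google.ct"; depth:47; endswith; nocase; http.host; content:"decentralizedworkflowengine.wiki"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846300/; classtype:trojan-activity;sid:84709400; rev:1;)
# depth corrected from 27 to 24: |3f| is a single byte ('?'), so the decoded content is 24 bytes.
# With depth:27 the match could begin up to three bytes into the URI, which is looser than the
# exact-URL match used by the other rules. sid and rev are left as published.
# NOTE(review): if carried as a local override, track it in rule management so a feed refresh does not revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=efpkfzyhzispedvl"; depth:24; endswith; nocase; http.host; content:"ohqvz201.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846299/; classtype:trojan-activity;sid:84709399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2fb5564-3186-4722-98b3-a575e24ae86c/file.name"; depth:47; endswith; nocase; http.host; content:"seducingdelirium.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846298/; classtype:trojan-activity;sid:84709398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0110f1f2-9ff6-4a3a-987d-bdcb8864faae/google.ct"; depth:47; endswith; nocase; http.host; content:"packetrelay.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url,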
urlhaus.abuse.ch/url/3846297/; classtype:trojan-activity;sid:84709397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.172.154.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846296/; classtype:trojan-activity;sid:84709396; rev:1;)
# The google.ct paths carry a per-URL UUID, so each such rule matches one URL only; other UUID
# paths on the same host need their own rule (this file lists several per host).
# NOTE(review): a host-level detection (DNS or proxy logs) may be a useful complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b52c2b88-fc88-43e1-8de8-9183da24f756/google.ct"; depth:47; endswith; nocase; http.host; content:"decentralizedworkflowengine.wiki"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846295/; classtype:trojan-activity;sid:84709395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.236.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846294/; classtype:trojan-activity;sid:84709394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/571ebba2-19e0-434f-90ba-f4fe31d04c21/google.ct"; depth:47; endswith; nocase; http.host; content:"serverless-mesh-core.wiki"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846293/; classtype:trojan-activity;sid:84709393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846292)"; flow:established,from_client;
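http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.242.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846292/; classtype:trojan-activity;sid:84709392; rev:1;)
# Exact-URL indicators: GET only, URI pinned by depth (= content length) plus endswith,
# Host pinned by depth plus isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1139a7fa-f919-4cf2-bb69-dd437146bc5d/google.ct"; depth:47; endswith; nocase; http.host; content:"observability-stream-hub.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846290/; classtype:trojan-activity;sid:84709390; rev:1;)
# depth corrected from 27 to 24: |3f| is a single byte ('?'), so the decoded content is 24 bytes.
# With depth:27 the match could begin up to three bytes into the URI, which is looser than the
# exact-URL match used by the other rules. sid and rev are left as published.
# NOTE(review): if carried as a local override, track it in rule management so a feed refresh does not revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=ejlnuafdxhmhgijq"; depth:24; endswith; nocase; http.host; content:"q8gac86p.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846291/; classtype:trojan-activity;sid:84709391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c172d30d-a998-4815-a840-508f7cc098aa/file.name"; depth:47; endswith; nocase; http.host; content:"seducingdelirium.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846289/; classtype:trojan-activity;sid:84709389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13;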
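reference:url, urlhaus.abuse.ch/url/3846288/; classtype:trojan-activity;sid:84709388; rev:1;)
# Exact-URL indicators: GET only, URI pinned by depth (= content length) plus endswith,
# Host pinned by depth plus isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/945c6efb-528f-4280-8166-f6d3fd2249bd/google.ct"; depth:47; endswith; nocase; http.host; content:"observability-stream-hub.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846287/; classtype:trojan-activity;sid:84709387; rev:1;)
# depth corrected from 27 to 24 in the two "ublib" rules of this group: |3f| is a single byte ('?'),
# so the decoded content is 24 bytes. With depth:27 the match could begin up to three bytes into
# the URI, which is looser than the exact-URL match used by the other rules. sid and rev are left as published.
# NOTE(review): if carried as a local override, track it in rule management so a feed refresh does not revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=fvmcxpugxwjhasym"; depth:24; endswith; nocase; http.host; content:"oy85ola7.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846286/; classtype:trojan-activity;sid:84709386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d156c1db-fafd-4e68-851f-e5b5d5f44c99/google.ct"; depth:47; endswith; nocase; http.host; content:"federated-runtime-network.wiki"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846285/; classtype:trojan-activity;sid:84709385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=vmvbpjmcldlzkpmx"; depth:24; endswith; nocase; http.host; content:"r9chy91i.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846284/; classtype:trojan-activity;sid:84709384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any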
(msg:"URLhaus Known malware download URL detected (3846283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/120c3a15-298f-4002-b8f2-102a42fdbd0f/google.ct"; depth:47; endswith; nocase; http.host; content:"observability-stream-hub.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846283/; classtype:trojan-activity;sid:84709383; rev:1;)
# Ports are "any" on both sides of the rule header, so these match whatever TCP port the HTTP
# request uses; the rule pins only method, URI and Host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.124.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846282/; classtype:trojan-activity;sid:84709382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.219.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846281/; classtype:trojan-activity;sid:84709381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.237.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846279/; classtype:trojan-activity;sid:84709379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.78.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url,
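urlhaus.abuse.ch/url/3846280/; classtype:trojan-activity;sid:84709380; rev:1;)
# Exact-URL indicators: GET only, URI pinned by depth (= content length) plus endswith,
# Host pinned by depth plus isdataat:!1,relative.
# depth corrected from 27 to 24 in the next rule: |3f| is a single byte ('?'), so the decoded
# content is 24 bytes. With depth:27 the match could begin up to three bytes into the URI, which
# is looser than the exact-URL match used by the other rules. sid and rev are left as published.
# NOTE(review): if carried as a local override, track it in rule management so a feed refresh does not revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=lqujkdovljouxctw"; depth:24; endswith; nocase; http.host; content:"pt6nyxsf.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846278/; classtype:trojan-activity;sid:84709378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846277/; classtype:trojan-activity;sid:84709377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9faf3f96-4f15-40ea-b853-5078ee570dfe/google.ct"; depth:47; endswith; nocase; http.host; content:"observability-stream-hub.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846276/; classtype:trojan-activity;sid:84709376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.121.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846275/; classtype:trojan-activity;sid:84709375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846274)"; flow:established,from_client; http.method; content:"GET";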
http.uri; content:"/16d161c3-6ba0-4eae-a848-ac0c12677b6b/google.ct"; depth:47; endswith; nocase; http.host; content:"hypervisorcontrolplanegrid.wiki"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846274/; classtype:trojan-activity;sid:84709374; rev:1;)
# The next four rules pair a generic path (/bin.sh) with a single IPv4 Host and carry
# metadata:created_at 2026_05_13. Such indicators lose value, and may start to false-positive,
# if the address is reassigned; age them out with the feed rather than keeping stale local copies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.124.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846273/; classtype:trojan-activity;sid:84709373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.197.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846271/; classtype:trojan-activity;sid:84709371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.121.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846272/; classtype:trojan-activity;sid:84709372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.22.192.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846270/; classtype:trojan-activity;sid:84709370; rev:1;)
alert http $HOME_NET
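any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.78.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846269/; classtype:trojan-activity;sid:84709369; rev:1;)
# Exact-URL indicators: GET only, URI pinned by depth (= content length) plus endswith,
# Host pinned by depth plus isdataat:!1,relative.
# depth corrected from 27 to 24 in the next rule: |3f| is a single byte ('?'), so the decoded
# content is 24 bytes. With depth:27 the match could begin up to three bytes into the URI, which
# is looser than the exact-URL match used by the other rules. sid and rev are left as published.
# NOTE(review): if carried as a local override, track it in rule management so a feed refresh does not revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=hmbyosfytbaahund"; depth:24; endswith; nocase; http.host; content:"vg2tw8iq.unseen-zorenka.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846268/; classtype:trojan-activity;sid:84709368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.231.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846267/; classtype:trojan-activity;sid:84709367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.219.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846266/; classtype:trojan-activity;sid:84709366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13;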
reference:url, urlhaus.abuse.ch/url/3846265/; classtype:trojan-activity;sid:84709365; rev:1;)
# Triage aid: the number in msg is the URLhaus URL ID, and reference:url points at the entry
# for that same ID; all rules share classtype:trojan-activity, so the ID is what tells alerts apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.241.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846264/; classtype:trojan-activity;sid:84709364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dfeef5dc-fd23-43e4-a3c5-556e00f8c95e/google.ct"; depth:47; endswith; nocase; http.host; content:"observability-stream-hub.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846263/; classtype:trojan-activity;sid:84709363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846262/; classtype:trojan-activity;sid:84709362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.157.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846261/; classtype:trojan-activity;sid:84709361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846260)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/37d9c672-9af9-45f4-8aec-5b027efc9eb6/google.ct"; depth:47; endswith; nocase; http.host; content:"hypervisorcontrolplanegrid.wiki"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846260/; classtype:trojan-activity;sid:84709360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.1.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846259/; classtype:trojan-activity;sid:84709359; rev:1;)
# 42.234.233.145 is listed under two paths (/i and /bin.sh), each with its own sid; correlate
# alerts per destination host as well as per sid so the pair is read as one finding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.233.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846258/; classtype:trojan-activity;sid:84709358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.233.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846257/; classtype:trojan-activity;sid:84709357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.157.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846256/; classtype:trojan-activity;sid:84709356; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.162.33.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846255/; classtype:trojan-activity;sid:84709355; rev:1;)
# The action on every rule is "alert": a match is logged, not blocked. If blocking is wanted on
# an inline sensor, change the action through rule-management tooling rather than by hand-editing
# this feed, which carries a "Last updated" stamp in its header and is regenerated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.57.53.136"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846254/; classtype:trojan-activity;sid:84709354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71446e39-6b3a-4727-bd2a-1ff92cfb96e5/google.ct"; depth:47; endswith; nocase; http.host; content:"federated-runtime-network.wiki"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846253/; classtype:trojan-activity;sid:84709353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.252.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846252/; classtype:trojan-activity;sid:84709352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.79.253"; depth:14; isdataat:!1,relative; metadata:created_at
2026_05_13; reference:url, urlhaus.abuse.ch/url/3846251/; classtype:trojan-activity;sid:84709351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.23.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846250/; classtype:trojan-activity;sid:84709350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1294c9bf-212e-4fe6-bd5c-a8b4bbc6a0f6/google.ct"; depth:47; endswith; nocase; http.host; content:"serverless-mesh-core.wiki"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846249/; classtype:trojan-activity;sid:84709349; rev:1;)
# 175.149.170.129 is listed under two paths (/i and /bin.sh), each with its own sid; a client
# requesting both raises two alerts for the same destination, so group by destination host in triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.170.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846248/; classtype:trojan-activity;sid:84709348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.170.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846247/; classtype:trojan-activity;sid:84709347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846246)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/arm6"; depth:5; endswith; nocase; http.host; content:"193.32.162.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846246/; classtype:trojan-activity;sid:84709346; rev:1;)
# The rules for 193.32.162.225 use paths named after CPU architectures (/arm6, /arc, /i686,
# /arm5, /m68k here), one sid per path. A client requesting several of them raises one alert
# per path; consider grouping or thresholding by destination host when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"193.32.162.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846245/; classtype:trojan-activity;sid:84709345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"193.32.162.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846243/; classtype:trojan-activity;sid:84709343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"193.32.162.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846244/; classtype:trojan-activity;sid:84709344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"193.32.162.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846242/; classtype:trojan-activity;sid:84709342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3846240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"193.32.162.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846240/; classtype:trojan-activity;sid:84709340; rev:1;)
# nocase follows the http.uri content only; the http.host content carries no nocase.
# NOTE(review): this presumably relies on the engine lower-casing the http.host buffer, with the
# Host content written in lower case - confirm for the Suricata version in use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"193.32.162.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846241/; classtype:trojan-activity;sid:84709341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846239/; classtype:trojan-activity;sid:84709339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06ddf1d8-bf3e-48c5-8f3f-9f4b4a870fd2/google.ct"; depth:47; endswith; nocase; http.host; content:"packetrelay.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846238/; classtype:trojan-activity;sid:84709338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.167.1.193"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846237/;
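classtype:trojan-activity;sid:84709337; rev:1;)
# Exact-URL indicators: GET only, URI pinned by depth (= content length) plus endswith,
# Host pinned by depth plus isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.52.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846236/; classtype:trojan-activity;sid:84709336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/09cef8ff-f7ce-4dfb-99fc-0c3081dd7697/google.ct"; depth:47; endswith; nocase; http.host; content:"microservice-balancer-node.wiki"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846235/; classtype:trojan-activity;sid:84709335; rev:1;)
# depth corrected from 27 to 24 in the next two rules: |3f| is a single byte ('?'), so the decoded
# content is 24 bytes. With depth:27 the match could begin up to three bytes into the URI, which
# is looser than the exact-URL match used by the other rules. sid and rev are left as published.
# NOTE(review): if carried as a local override, track it in rule management so a feed refresh does not revert it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=vcprdqkjknpytveg"; depth:24; endswith; nocase; http.host; content:"4bklvfdi.estradaannivers.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846234/; classtype:trojan-activity;sid:84709334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=sjsskhzwadmicudv"; depth:24; endswith; nocase; http.host; content:"9nl6t4w2.estradaannivers.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846233/; classtype:trojan-activity;sid:84709333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846232)"; flow:established,from_client; http.method;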
content:"GET"; http.uri; content:"/imagetest0071154z7.png"; depth:23; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846232/; classtype:trojan-activity;sid:84709332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetest00711z5.png"; depth:21; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846231/; classtype:trojan-activity;sid:84709331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetest0093t536.png"; depth:22; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846228/; classtype:trojan-activity;sid:84709328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecab001.png"; depth:16; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846229/; classtype:trojan-activity;sid:84709329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetext0117z45.png"; depth:21; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846230/; 
classtype:trojan-activity;sid:84709330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc/transfer_advise_swift.docx"; depth:31; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846226/; classtype:trojan-activity;sid:84709326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/transfer_advise_swift.cmd"; depth:30; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846227/; classtype:trojan-activity;sid:84709327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/873b7fbf-755a-42ec-b36b-47de57f62aab/google.ct"; depth:47; endswith; nocase; http.host; content:"microservice-balancer-node.wiki"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846225/; classtype:trojan-activity;sid:84709325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.76.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846224/; classtype:trojan-activity;sid:84709324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846223)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"218.16.164.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846223/; classtype:trojan-activity;sid:84709323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.32.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846222/; classtype:trojan-activity;sid:84709322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.76.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846221/; classtype:trojan-activity;sid:84709321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.161.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846220/; classtype:trojan-activity;sid:84709320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/95076485-ebb7-4d4e-840e-96e3c6cd77be/google.ct"; depth:47; endswith; nocase; http.host; content:"asyncpipelinehub.wiki"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846219/; classtype:trojan-activity;sid:84709319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3846218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.243.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846218/; classtype:trojan-activity;sid:84709318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdclient.exe"; depth:13; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846217/; classtype:trojan-activity;sid:84709317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.71.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846216/; classtype:trojan-activity;sid:84709316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.201.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846215/; classtype:trojan-activity;sid:84709315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4663b661-3e9c-401e-9773-6c8f76accd1a/google.ct"; depth:47; endswith; nocase; http.host; content:"virtual-packet-gateway.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_13; 
reference:url, urlhaus.abuse.ch/url/3846214/; classtype:trojan-activity;sid:84709314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.32.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846213/; classtype:trojan-activity;sid:84709313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.155.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846212/; classtype:trojan-activity;sid:84709312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.71.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846211/; classtype:trojan-activity;sid:84709311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.201.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846210/; classtype:trojan-activity;sid:84709310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fee574ec-4c97-4d98-84c5-6ce4de8f7fab/google.ct"; 
depth:47; endswith; nocase; http.host; content:"containerfabric.wiki"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846209/; classtype:trojan-activity;sid:84709309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846208/; classtype:trojan-activity;sid:84709308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/67/img_171102.png"; depth:18; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846207/; classtype:trojan-activity;sid:84709307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/67/weneedbetterthingsforbest.hta"; depth:33; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846206/; classtype:trojan-activity;sid:84709306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846205/; classtype:trojan-activity;sid:84709305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3846203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ufezaa"; depth:7; endswith; nocase; http.host; content:"linkku.me"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846203/; classtype:trojan-activity;sid:84709303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpswww.veeam.comfree-hybrid-cloud-trial.htmlst=bingpaidsearch|7c|26|7c|utm_campaign_id=604987702|7c|26|7c|utm_adgroup=trial-hybrid-cloud-nb-backup|7c|26|7c|utm.php"; depth:166; endswith; nocase; http.host; content:"107.173.9.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846204/; classtype:trojan-activity;sid:84709304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d56bb2bd-7183-4ec9-ae18-dbd3600a72d1/google.ct"; depth:47; endswith; nocase; http.host; content:"cafe-club-oracle-card.wiki"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846202/; classtype:trojan-activity;sid:84709302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_173518.png"; depth:15; endswith; nocase; http.host; content:"sycoreltd.yzz.me"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846201/; classtype:trojan-activity;sid:84709301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846200)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/32/img_221919.png"; depth:18; endswith; nocase; http.host; content:"209.54.103.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846200/; classtype:trojan-activity;sid:84709300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32/givemegoodpersoninlifeforlove.hta"; depth:37; endswith; nocase; http.host; content:"209.54.103.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846199/; classtype:trojan-activity;sid:84709299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8szzw"; depth:7; endswith; nocase; http.host; content:"cebol.me"; depth:8; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846198/; classtype:trojan-activity;sid:84709298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/veeam.comfree-hybrid-cloud-trial.htmlst=bingpaidsearch|7c|26|7c|utm_campaign_id=604987702|7c|26|7c|utm_adgroup=trial-hybrid-cloud-nb-backup|7c|26|7c|utm_adgroup.php"; depth:165; endswith; nocase; http.host; content:"209.54.103.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846197/; classtype:trojan-activity;sid:84709297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.12.61"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_05_13; reference:url, urlhaus.abuse.ch/url/3846196/; classtype:trojan-activity;sid:84709296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/719dae0c-7c77-4108-b646-ecb9b905186a/google.ct"; depth:47; endswith; nocase; http.host; content:"prime-object-container-task-archive.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846195/; classtype:trojan-activity;sid:84709295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71bfad22-f3da-400d-90f7-609a9872c642/google.ct"; depth:47; endswith; nocase; http.host; content:"eaglefungustourismscreen.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846194/; classtype:trojan-activity;sid:84709294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.76.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846193/; classtype:trojan-activity;sid:84709293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5da33451-b3ea-4865-aaee-15bbc200c229/google.ct"; depth:47; endswith; nocase; http.host; content:"secure-remote-access-method-file.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846192/; classtype:trojan-activity;sid:84709292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3846191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc812321-09e9-41cd-b3d7-34ca5812ad16/google.ct"; depth:47; endswith; nocase; http.host; content:"bula-silomercitationlaptop.wiki"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846191/; classtype:trojan-activity;sid:84709291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.76.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846190/; classtype:trojan-activity;sid:84709290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.31.247"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846189/; classtype:trojan-activity;sid:84709289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.242.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846188/; classtype:trojan-activity;sid:84709288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=xlynswxtsrrhdhmy"; depth:27; endswith; nocase; http.host; content:"utl1juep.estradaannivers.digital"; depth:32; 
isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846187/; classtype:trojan-activity;sid:84709287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.4.2.146"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846186/; classtype:trojan-activity;sid:84709286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.4.2.146"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846185/; classtype:trojan-activity;sid:84709285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/178ca1b8-122a-45db-8701-54a54ba0af0c/google.ct"; depth:47; endswith; nocase; http.host; content:"virtual-compute-engine-template-doc.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846184/; classtype:trojan-activity;sid:84709284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3062e946-7d0a-4f38-bbd9-9eb7604e1eb2/google.ct"; depth:47; endswith; nocase; http.host; content:"tertsiyavocalsunseenfile.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846183/; classtype:trojan-activity;sid:84709283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3846181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.130.79.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846181/; classtype:trojan-activity;sid:84709281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"24.95.54.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846182/; classtype:trojan-activity;sid:84709282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/931c1f4c-c65d-4544-a2b4-15835e711dae/google.ct"; depth:47; endswith; nocase; http.host; content:"backup-terminal-gateway-handle-list.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846180/; classtype:trojan-activity;sid:84709280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6a15feb6-1c4b-4183-962e-b5f4376b3e5a/google.ct"; depth:47; endswith; nocase; http.host; content:"obese-uzousweb-play.wiki"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846179/; classtype:trojan-activity;sid:84709279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.148.241.62"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846178/; classtype:trojan-activity;sid:84709278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.246.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846177/; classtype:trojan-activity;sid:84709277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.130.79.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846176/; classtype:trojan-activity;sid:84709276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.238.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846175/; classtype:trojan-activity;sid:84709275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.14.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846174/; classtype:trojan-activity;sid:84709274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846173)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/6526b071-e02e-4c45-847d-a53b8da412af/google.ct"; depth:47; endswith; nocase; http.host; content:"active-instance-registry-support-index.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846173/; classtype:trojan-activity;sid:84709273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.50.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846172/; classtype:trojan-activity;sid:84709272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94d807a8-84f9-434c-bc33-2552924f4513/google.ct"; depth:47; endswith; nocase; http.host; content:"lyapissvebechkopassword.wiki"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846171/; classtype:trojan-activity;sid:84709271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.28.63.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846170/; classtype:trojan-activity;sid:84709270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.208.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846169/; 
classtype:trojan-activity;sid:84709269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.16.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846168/; classtype:trojan-activity;sid:84709268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.148.241.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846167/; classtype:trojan-activity;sid:84709267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2419200-ed11-4f5d-b4d5-b0ee729b7bbc/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-source-element-package-site.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846166/; classtype:trojan-activity;sid:84709266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fcf3664b-c373-4fec-879f-ee04989f4725/google.ct"; depth:47; endswith; nocase; http.host; content:"handout-voivodeshiplink.wiki"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846165/; classtype:trojan-activity;sid:84709265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846164)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.50.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846164/; classtype:trojan-activity;sid:84709264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.208.66"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846163/; classtype:trojan-activity;sid:84709263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.21.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846162/; classtype:trojan-activity;sid:84709262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.111.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846161/; classtype:trojan-activity;sid:84709261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/862eca77-d08f-4668-9388-2aba73630cef/google.ct"; depth:47; endswith; nocase; http.host; content:"accoun-table-unleash-soft.wiki"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846160/; classtype:trojan-activity;sid:84709260; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/50542787-0f3b-4bb7-8597-211406a88877/google.ct"; depth:47; endswith; nocase; http.host; content:"enterprise-solution-buffer-utility-log.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846159/; classtype:trojan-activity;sid:84709259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0f84517d-6d16-4c2f-af65-b44669c004f5/google.ct"; depth:47; endswith; nocase; http.host; content:"sub-substituteunfeignedflash.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846158/; classtype:trojan-activity;sid:84709258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.129.184.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846157/; classtype:trojan-activity;sid:84709257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.151.218.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846156/; classtype:trojan-activity;sid:84709256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"112.238.38.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846155/; classtype:trojan-activity;sid:84709255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.112.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846154/; classtype:trojan-activity;sid:84709254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.237.127.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846153/; classtype:trojan-activity;sid:84709253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846152/; classtype:trojan-activity;sid:84709252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.243.253"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846151/; classtype:trojan-activity;sid:84709251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846150)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/398df28f-7fed-4c5f-a7f1-b888d2e9317e/google.ct"; depth:47; endswith; nocase; http.host; content:"root-directory-repository-process-vault.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846150/; classtype:trojan-activity;sid:84709250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"216.129.184.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846149/; classtype:trojan-activity;sid:84709249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.168.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846148/; classtype:trojan-activity;sid:84709248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.237.127.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846147/; classtype:trojan-activity;sid:84709247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.112.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846146/; classtype:trojan-activity;sid:84709246; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af58c925-cc5d-4345-bc31-38fdf6bb1d1c/google.ct"; depth:47; endswith; nocase; http.host; content:"cherish-cultscreencard.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846145/; classtype:trojan-activity;sid:84709245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.104.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846144/; classtype:trojan-activity;sid:84709244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.101.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846143/; classtype:trojan-activity;sid:84709243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.104.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846142/; classtype:trojan-activity;sid:84709242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32e15bee-eb27-4657-9ae5-aece1ed079f1/google.ct"; depth:47; endswith; nocase; http.host; 
content:"cluster-module-deployment-standard-map.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846141/; classtype:trojan-activity;sid:84709241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.101.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846140/; classtype:trojan-activity;sid:84709240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.194.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846139/; classtype:trojan-activity;sid:84709239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.69.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846138/; classtype:trojan-activity;sid:84709238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.40.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846137/; classtype:trojan-activity;sid:84709237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846136)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.123.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846136/; classtype:trojan-activity;sid:84709236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846135/; classtype:trojan-activity;sid:84709235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33f9da35-5e63-4875-ac96-cb78b24afa04/google.ct"; depth:47; endswith; nocase; http.host; content:"cherish-cultscreencard.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846134/; classtype:trojan-activity;sid:84709234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/132c7c19-2abb-4b53-8286-ffae42e63f36/google.ct"; depth:47; endswith; nocase; http.host; content:"pro-architecture-engineering-vault-info.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846133/; classtype:trojan-activity;sid:84709233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.255.27.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; 
reference:url, urlhaus.abuse.ch/url/3846132/; classtype:trojan-activity;sid:84709232; rev:1;)
# Each signature below is an exact-match indicator for HTTP requests from
# $HOME_NET to $EXTERNAL_NET: method GET, http.uri equal to the listed string
# (depth equals the content length, plus endswith; compared nocase), and
# http.host equal to the listed value (depth equals the content length, plus
# isdataat:!1,relative so nothing may follow it). They do not cover other paths
# on the same hosts.
#
# NOTE(review): the next two signatures (sid 84709230 and sid 84709231, URLhaus
# entries 3846130 and 3846131) have identical match conditions -- the same
# http.uri and http.host content -- and differ only in msg, reference and sid.
# One matching request raises both alerts; treat the pair as a single event
# when triaging or counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56a84247-0951-410f-b61e-6978b6481cd5/google.ct"; depth:47; endswith; nocase; http.host; content:"cherish-cultscreencard.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846130/; classtype:trojan-activity;sid:84709230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56a84247-0951-410f-b61e-6978b6481cd5/google.ct"; depth:47; endswith; nocase; http.host; content:"cherish-cultscreencard.wiki"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846131/; classtype:trojan-activity;sid:84709231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.49.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846129/; classtype:trojan-activity;sid:84709229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.132.165.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846128/; classtype:trojan-activity;sid:84709228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846127)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ee7786d2-9f32-47d8-9a22-9bda422cc6a8/google.ct"; depth:47; endswith; nocase; http.host; content:"pro-architecture-engineering-vault-info.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846127/; classtype:trojan-activity;sid:84709227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.177.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846126/; classtype:trojan-activity;sid:84709226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.95.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846125/; classtype:trojan-activity;sid:84709225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ac459173-32bf-40ba-86e9-9530cedddeda/google.ct"; depth:47; endswith; nocase; http.host; content:"eaglefungustourismscreen.wiki"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846124/; classtype:trojan-activity;sid:84709224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.49.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, 
urlhaus.abuse.ch/url/3846123/; classtype:trojan-activity;sid:84709223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.92.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846122/; classtype:trojan-activity;sid:84709222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.165.21"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846121/; classtype:trojan-activity;sid:84709221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5783b1e8-e7d5-45b1-b83c-3e69cfee20f8/google.ct"; depth:47; endswith; nocase; http.host; content:"cafe-club-oracle-card.wiki"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846120/; classtype:trojan-activity;sid:84709220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.123.111"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846119/; classtype:trojan-activity;sid:84709219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"42.230.40.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846118/; classtype:trojan-activity;sid:84709218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846117/; classtype:trojan-activity;sid:84709217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f182beb6-0467-4553-af3f-48058a0d8dfb/google.ct"; depth:47; endswith; nocase; http.host; content:"prime-object-container-task-archive.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846116/; classtype:trojan-activity;sid:84709216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d942bd10-63f2-49f1-88d1-4c8e609fc2b1/google.ct"; depth:47; endswith; nocase; http.host; content:"cluster-module-deployment-standard-map.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846115/; classtype:trojan-activity;sid:84709215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8b0e64a9-81d0-41fb-955c-dd2617f99115/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_13; 
reference:url, urlhaus.abuse.ch/url/3846114/; classtype:trojan-activity;sid:84709214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.16.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846113/; classtype:trojan-activity;sid:84709213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.71"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846112/; classtype:trojan-activity;sid:84709212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6efe3ce-5d0a-4bce-bbef-acedbf0419fe/google.ct"; depth:47; endswith; nocase; http.host; content:"secure-remote-access-method-file.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846111/; classtype:trojan-activity;sid:84709211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.155.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846110/; classtype:trojan-activity;sid:84709210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846109)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.16.27"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846109/; classtype:trojan-activity;sid:84709209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.168.127.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846108/; classtype:trojan-activity;sid:84709208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b4617571-a23f-4592-bf6f-ed70d8bfb7f1/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846106/; classtype:trojan-activity;sid:84709206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/38424c6a-314e-4e65-94f3-52b32ae00d65/google.ct"; depth:47; endswith; nocase; http.host; content:"virtual-compute-engine-template-doc.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846107/; classtype:trojan-activity;sid:84709207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.168.127.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846105/; 
classtype:trojan-activity;sid:84709205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846104/; classtype:trojan-activity;sid:84709204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846103/; classtype:trojan-activity;sid:84709203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.168.196.158"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846102/; classtype:trojan-activity;sid:84709202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d7500541-8edc-4d42-81de-61ea4f9471e8/google.ct"; depth:47; endswith; nocase; http.host; content:"backup-terminal-gateway-handle-list.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846101/; classtype:trojan-activity;sid:84709201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846100)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/808c827c-0b81-492d-95ac-811cf1619f16/google.ct"; depth:47; endswith; nocase; http.host; content:"pro-architecture-engineering-vault-info.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846100/; classtype:trojan-activity;sid:84709200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.24.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846099/; classtype:trojan-activity;sid:84709199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846098/; classtype:trojan-activity;sid:84709198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.13.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846097/; classtype:trojan-activity;sid:84709197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5ccd06c9-c00e-4c14-a9ca-8ec576d6058f/google.ct"; depth:47; endswith; nocase; http.host; content:"prime-object-container-task-archive.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846096/; 
classtype:trojan-activity;sid:84709196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58f6f55b-7a6e-4ba2-9679-4f0ac629d239/google.ct"; depth:47; endswith; nocase; http.host; content:"active-instance-registry-support-index.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846095/; classtype:trojan-activity;sid:84709195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846094/; classtype:trojan-activity;sid:84709194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846093/; classtype:trojan-activity;sid:84709193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5ec24b4d-362f-42d9-b04e-9f52ced29f8a/google.ct"; depth:47; endswith; nocase; http.host; content:"secure-remote-access-method-file.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846092/; classtype:trojan-activity;sid:84709192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846091)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/51c9fc7b-d9fb-4c26-bbf9-9914fa5ef13d/google.ct"; depth:47; endswith; nocase; http.host; content:"distributed-source-element-package-site.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846091/; classtype:trojan-activity;sid:84709191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.150.252.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846090/; classtype:trojan-activity;sid:84709190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.53.136"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846089/; classtype:trojan-activity;sid:84709189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846088/; classtype:trojan-activity;sid:84709188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54a249bd-4921-45bc-8a02-5db280b19132/google.ct"; depth:47; endswith; nocase; http.host; content:"virtual-compute-engine-template-doc.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, 
urlhaus.abuse.ch/url/3846087/; classtype:trojan-activity;sid:84709187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846086/; classtype:trojan-activity;sid:84709186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846085/; classtype:trojan-activity;sid:84709185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846084/; classtype:trojan-activity;sid:84709184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/143bc67e-f337-4f57-9aa6-63ee34d6e7df/google.ct"; depth:47; endswith; nocase; http.host; content:"enterprise-solution-buffer-utility-log.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846083/; classtype:trojan-activity;sid:84709183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846082)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.13.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846082/; classtype:trojan-activity;sid:84709182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.28.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846081/; classtype:trojan-activity;sid:84709181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.150.252.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846080/; classtype:trojan-activity;sid:84709180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.165.194.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846079/; classtype:trojan-activity;sid:84709179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.83.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846078/; classtype:trojan-activity;sid:84709178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846077)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.76.57.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846077/; classtype:trojan-activity;sid:84709177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.20.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846076/; classtype:trojan-activity;sid:84709176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.204.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846074/; classtype:trojan-activity;sid:84709174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.167.86.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846075/; classtype:trojan-activity;sid:84709175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11dfc84c-d5b6-4d0f-bc00-ff3e5cbf8010/google.ct"; depth:47; endswith; nocase; http.host; content:"root-directory-repository-process-vault.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846073/; 
classtype:trojan-activity;sid:84709173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.109.8"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846072/; classtype:trojan-activity;sid:84709172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.98.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846071/; classtype:trojan-activity;sid:84709171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/71f48150-4790-426a-be4f-2637c60a118d/google.ct"; depth:47; endswith; nocase; http.host; content:"backup-terminal-gateway-handle-list.wiki"; depth:40; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846070/; classtype:trojan-activity;sid:84709170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.193.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846069/; classtype:trojan-activity;sid:84709169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.36.20.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846068/; classtype:trojan-activity;sid:84709168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.28.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846067/; classtype:trojan-activity;sid:84709167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.238.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846066/; classtype:trojan-activity;sid:84709166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.165.194.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846065/; classtype:trojan-activity;sid:84709165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.158.177"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846064/; classtype:trojan-activity;sid:84709164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846063)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.16.164.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846063/; classtype:trojan-activity;sid:84709163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.83.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846062/; classtype:trojan-activity;sid:84709162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b154dfa3-8166-44d4-baf5-63b6f48d9fa8/google.ct"; depth:47; endswith; nocase; http.host; content:"cluster-module-deployment-standard-map.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846061/; classtype:trojan-activity;sid:84709161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.204.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846060/; classtype:trojan-activity;sid:84709160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.193.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846059/; classtype:trojan-activity;sid:84709159; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba574fe9-fcd9-4d22-8a99-1328924c9699/google.ct"; depth:47; endswith; nocase; http.host; content:"active-instance-registry-support-index.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846058/; classtype:trojan-activity;sid:84709158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846057/; classtype:trojan-activity;sid:84709157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wocv"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846042/; classtype:trojan-activity;sid:84709142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rmds"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846043/; classtype:trojan-activity;sid:84709143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bwq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846044/; classtype:trojan-activity;sid:84709144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rk2"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846045/; classtype:trojan-activity;sid:84709145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1af"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846046/; classtype:trojan-activity;sid:84709146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dt5x"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846047/; classtype:trojan-activity;sid:84709147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uds"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846048/; classtype:trojan-activity;sid:84709148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846049)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/5zd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846049/; classtype:trojan-activity;sid:84709149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r9h"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846050/; classtype:trojan-activity;sid:84709150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1bvw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846051/; classtype:trojan-activity;sid:84709151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z3e"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846052/; classtype:trojan-activity;sid:84709152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6rco"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846053/; classtype:trojan-activity;sid:84709153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846054)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u8fr"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846054/; classtype:trojan-activity;sid:84709154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alw"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846055/; classtype:trojan-activity;sid:84709155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ybz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846056/; classtype:trojan-activity;sid:84709156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghi"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846012/; classtype:trojan-activity;sid:84709112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfhj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846013/; classtype:trojan-activity;sid:84709113; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msj3"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846014/; classtype:trojan-activity;sid:84709114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm2"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846015/; classtype:trojan-activity;sid:84709115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xf3"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846016/; classtype:trojan-activity;sid:84709116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rioa"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846017/; classtype:trojan-activity;sid:84709117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846018/; 
classtype:trojan-activity;sid:84709118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gj2r"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846019/; classtype:trojan-activity;sid:84709119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hg6"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846020/; classtype:trojan-activity;sid:84709120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846021/; classtype:trojan-activity;sid:84709121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/42zo"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846022/; classtype:trojan-activity;sid:84709122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ak5"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846023/; classtype:trojan-activity;sid:84709123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54y"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846024/; classtype:trojan-activity;sid:84709124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n8cj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846025/; classtype:trojan-activity;sid:84709125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mm79"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846026/; classtype:trojan-activity;sid:84709126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n8jw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846027/; classtype:trojan-activity;sid:84709127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7gwc"; depth:5; endswith; 
nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846028/; classtype:trojan-activity;sid:84709128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grs"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846029/; classtype:trojan-activity;sid:84709129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3pwk"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846030/; classtype:trojan-activity;sid:84709130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agns"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846031/; classtype:trojan-activity;sid:84709131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rmu"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846032/; classtype:trojan-activity;sid:84709132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846033)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sq9"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846033/; classtype:trojan-activity;sid:84709133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6n"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846034/; classtype:trojan-activity;sid:84709134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jwg"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846035/; classtype:trojan-activity;sid:84709135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7esu"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846036/; classtype:trojan-activity;sid:84709136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t6y"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846037/; classtype:trojan-activity;sid:84709137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3846038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5pt"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846038/; classtype:trojan-activity;sid:84709138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ckj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846039/; classtype:trojan-activity;sid:84709139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k49"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846040/; classtype:trojan-activity;sid:84709140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846041/; classtype:trojan-activity;sid:84709141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7a6"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846011/; classtype:trojan-activity;sid:84709111; rev:1;) 
# Rule template shared by the entries in this section (one rule per URLhaus entry):
#   - alert http $HOME_NET any -> $EXTERNAL_NET any with
#     flow:established,from_client inspects outbound HTTP requests only, so a
#     hit means an internal host requested the URL, not that the payload was
#     delivered or executed.
#   - http.uri content with depth equal to the string length plus endswith:
#     the URI buffer must equal the string exactly (nocase: case-insensitive).
#   - http.host content with depth equal to its length plus
#     isdataat:!1,relative: the host must equal the listed name or IP exactly.
#   - The number in msg is the same as in the reference:url path, which points
#     at the URLhaus entry to use for triage.
# NOTE(review): these are exact-match IoC rules on HTTP that Suricata can
# parse; requests it cannot see as HTTP (for example TLS without decryption)
# are not inspected by them. Many hosts here are bare IPs, which may change
# owner over time, so consider ageing rules out via metadata:created_at --
# confirm against the feed's own expiry policy.
# NOTE(review): Suricata reads one rule per line unless a line ends with a
# backslash; the mid-rule line breaks on this page look like a rendering
# artifact, so load the feed from its source rather than from this copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.98.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846010/; classtype:trojan-activity;sid:84709110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.50.148.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846009/; classtype:trojan-activity;sid:84709109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6e7035ee-416f-4aaf-b13b-800afe52757a/google.ct"; depth:47; endswith; nocase; http.host; content:"pro-architecture-engineering-vault-info.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846008/; classtype:trojan-activity;sid:84709108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.204.157.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846007/; classtype:trojan-activity;sid:84709107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bd5f8587-826f-475b-b758-cbfcf6d02b62/google.ct"; depth:47; endswith; nocase; 
http.host; content:"distributed-source-element-package-site.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846006/; classtype:trojan-activity;sid:84709106; rev:1;)
# Rule shape shared by every entry below: an established, client-to-server HTTP GET
# where http.uri is exactly the quoted path (content + depth equal to its length +
# endswith, nocase) and http.host is exactly the quoted host (content + depth +
# isdataat:!1,relative, i.e. no byte may follow the match). Both must hold, so the
# same path on another host, or the path with a query string appended, does not alert.
# The id in msg and in the urlhaus.abuse.ch reference is the same number, and each sid
# here is that id plus 80863100, which maps an alert back to its URLhaus entry.
# NOTE(review): two-byte paths such as "/i" get all of their specificity from the host
# match; where the host is a bare IP address it may be reassigned over time, so check
# that the referenced entry is still current before acting on a hit.
# NOTE(review): these are http app-layer rules; the same URL fetched over TLS is only
# visible to them if traffic is decrypted upstream. Confirm coverage for your sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.242.9.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846005/; classtype:trojan-activity;sid:84709105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"154.242.9.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846004/; classtype:trojan-activity;sid:84709104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.20.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846003/; classtype:trojan-activity;sid:84709103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.141.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846002/; classtype:trojan-activity;sid:84709102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.204.157.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846001/; classtype:trojan-activity;sid:84709101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3846000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2c181645-5f9f-4a26-b98c-f5fffc06d26e/google.ct"; depth:47; endswith; nocase; http.host; content:"contactdisrupwhite.wiki"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3846000/; classtype:trojan-activity;sid:84709100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd489a3-0cca-46e6-8ccc-c6f32fb10015/google.ct"; depth:47; endswith; nocase; http.host; content:"enterprise-solution-buffer-utility-log.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845999/; classtype:trojan-activity;sid:84709099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.243.253"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845998/; classtype:trojan-activity;sid:84709098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.77.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845997/; classtype:trojan-activity;sid:84709097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.142.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845996/; classtype:trojan-activity;sid:84709096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.60"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845995/; classtype:trojan-activity;sid:84709095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.88.243"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845994/; classtype:trojan-activity;sid:84709094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.249.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845993/; classtype:trojan-activity;sid:84709093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.163.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845992/; classtype:trojan-activity;sid:84709092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a406023c-d0e4-46ef-a90a-d1e8794154ab/google.ct"; depth:47; endswith; nocase; http.host; content:"quart-rantman.wiki"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845990/; classtype:trojan-activity;sid:84709090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eda71d32-4af2-4864-84db-a5a84a1d006a/google.ct"; depth:47; endswith; nocase; http.host; content:"root-directory-repository-process-vault.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845991/; classtype:trojan-activity;sid:84709091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.28.63.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845989/; classtype:trojan-activity;sid:84709089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.151.225"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845988/; classtype:trojan-activity;sid:84709088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3845982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845982/; classtype:trojan-activity;sid:84709082; rev:1;)
# The rule ending on the line above and the thirteen that follow all pin the same
# host, 45.153.34.170, and differ only in the file name under /huhu/: titanjr.m68k,
# .i686, .x86_32, .sh4, .ppc, .i486, .ppc440, .arm, .x86_64, .arm5, .arm7, .arm6, .arc
# and .spc. Each is an exact match on http.uri (content + depth + endswith, nocase)
# and on http.host (content + depth + isdataat:!1,relative), for an established
# client-to-server GET leaving $HOME_NET.
# NOTE(review): the suffixes look like CPU-architecture tags, presumably one build of
# the same payload per architecture; confirm against the referenced URLhaus entries.
# NOTE(review): because every file name is listed individually, a suffix not in this
# list on the same host raises no alert from these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845983/; classtype:trojan-activity;sid:84709083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845984/; classtype:trojan-activity;sid:84709084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845985/; classtype:trojan-activity;sid:84709085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845986/; classtype:trojan-activity;sid:84709086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845987/; classtype:trojan-activity;sid:84709087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845974/; classtype:trojan-activity;sid:84709074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845975/; classtype:trojan-activity;sid:84709075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845976/; classtype:trojan-activity;sid:84709076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845977/; classtype:trojan-activity;sid:84709077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845978/; classtype:trojan-activity;sid:84709078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845979/; classtype:trojan-activity;sid:84709079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arc"; depth:17; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845980/; classtype:trojan-activity;sid:84709080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"45.153.34.170"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845981/; classtype:trojan-activity;sid:84709081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3845973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.249.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845973/; classtype:trojan-activity;sid:84709073; rev:1;)
# Each rule below alerts on an established, client-to-server HTTP GET from $HOME_NET
# to $EXTERNAL_NET whose http.uri and http.host both equal the quoted strings exactly
# (content + depth set to the string length, closed by endswith on the URI and by
# isdataat:!1,relative on the host).
# Two patterns are visible in this run: "/i" or "/bin.sh" on a bare IPv4 host, and a
# UUID-shaped directory followed by google.ct on a .wiki domain.
# NOTE(review): the .wiki rules pin the full path including the UUID-shaped segment,
# so a request with a different identifier or on a different .wiki name is not matched
# here; these entries are indicators for known URLs, not a pattern detector.
# NOTE(review): alerts depend on $HOME_NET/$EXTERNAL_NET being set correctly for the
# sensor; with both left at a catch-all value the direction filter adds nothing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.247.83.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845972/; classtype:trojan-activity;sid:84709072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8cbbd338-10f8-4fa2-84ea-ab0c924bff4e/google.ct"; depth:47; endswith; nocase; http.host; content:"snooze-wontdrama.wiki"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845971/; classtype:trojan-activity;sid:84709071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.77.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845970/; classtype:trojan-activity;sid:84709070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.38.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845969/; classtype:trojan-activity;sid:84709069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca44555e-7880-4448-a18c-ae94b98ad164/google.ct"; depth:47; endswith; nocase; http.host; content:"cluster-module-deployment-standard-map.wiki"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845968/; classtype:trojan-activity;sid:84709068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845967/; classtype:trojan-activity;sid:84709067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.210.147.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845966/; classtype:trojan-activity;sid:84709066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.209.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845965/; classtype:trojan-activity;sid:84709065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dnfn";
depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845945/; classtype:trojan-activity;sid:84709045; rev:1;)
# All but one of the rules below (and the one ending on the line above) pin the same
# host, 45.148.120.78, each with a different three- or four-character path; the
# exception is sid 84709064, which matches "/bin.sh" on 116.138.220.53.
# Every rule is an exact match on both buffers for an established client-to-server
# GET: http.uri via content + depth + endswith (nocase), http.host via content +
# depth + isdataat:!1,relative.
# NOTE(review): the paths are enumerated one URLhaus entry per rule, so a path on
# 45.148.120.78 that is not listed raises no alert from this file. If policy calls
# for host-level coverage, add it as a local rule or egress control kept outside this
# file, which carries a "Last updated" stamp and is presumably regenerated.
# NOTE(review): several dozen near-identical rules against one host are cheap to match
# but noisy to triage; grouping alerts by destination host in the SIEM keeps one
# infected client from appearing as many unrelated detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aba"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845946/; classtype:trojan-activity;sid:84709046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vbk5"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845947/; classtype:trojan-activity;sid:84709047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gemt"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845948/; classtype:trojan-activity;sid:84709048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t8vp"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845949/; classtype:trojan-activity;sid:84709049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2ej"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845950/; classtype:trojan-activity;sid:84709050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ropf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845951/; classtype:trojan-activity;sid:84709051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kxg4"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845952/; classtype:trojan-activity;sid:84709052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbll"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845953/; classtype:trojan-activity;sid:84709053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z5i"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845954/; classtype:trojan-activity;sid:84709054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sad"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845955/; classtype:trojan-activity;sid:84709055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/em9r"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845956/; classtype:trojan-activity;sid:84709056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4nd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845957/; classtype:trojan-activity;sid:84709057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o8q"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845958/; classtype:trojan-activity;sid:84709058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l3l9"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845959/; classtype:trojan-activity;sid:84709059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dkjo"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845960/; classtype:trojan-activity;sid:84709060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiu4"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845961/; classtype:trojan-activity;sid:84709061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36e"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845962/; classtype:trojan-activity;sid:84709062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b9i"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845963/; classtype:trojan-activity;sid:84709063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.220.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845964/; classtype:trojan-activity;sid:84709064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojgo"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845928/; classtype:trojan-activity;sid:84709028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tenu"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845929/; classtype:trojan-activity;sid:84709029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e19k"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845930/; classtype:trojan-activity;sid:84709030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxt2"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845931/; classtype:trojan-activity;sid:84709031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9oik"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845932/; classtype:trojan-activity;sid:84709032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irh"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845933/; classtype:trojan-activity;sid:84709033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n44"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845934/; classtype:trojan-activity;sid:84709034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/icq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845935/; classtype:trojan-activity;sid:84709035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845936/; classtype:trojan-activity;sid:84709036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzs7"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845937/; classtype:trojan-activity;sid:84709037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n0fz"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845938/; classtype:trojan-activity;sid:84709038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afs"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845939/; classtype:trojan-activity;sid:84709039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fyfw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845940/; classtype:trojan-activity;sid:84709040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b27"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845941/; classtype:trojan-activity;sid:84709041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xqk"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845942/; classtype:trojan-activity;sid:84709042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ut6d"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845943/; classtype:trojan-activity;sid:84709043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uo2k"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845944/; classtype:trojan-activity;sid:84709044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iby"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845921/; classtype:trojan-activity;sid:84709021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zcm"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845922/; classtype:trojan-activity;sid:84709022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h0v"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845923/; classtype:trojan-activity;sid:84709023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ozt"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845924/; classtype:trojan-activity;sid:84709024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tzb"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845925/; classtype:trojan-activity;sid:84709025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dga"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845926/; classtype:trojan-activity;sid:84709026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hcp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845927/; classtype:trojan-activity;sid:84709027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntu"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845903/; classtype:trojan-activity;sid:84709003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rto6"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845904/; classtype:trojan-activity;sid:84709004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fxn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845905/; classtype:trojan-activity;sid:84709005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saun"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845906/; classtype:trojan-activity;sid:84709006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k15"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845907/; classtype:trojan-activity;sid:84709007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hd4"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845908/; classtype:trojan-activity;sid:84709008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c21"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845909/; classtype:trojan-activity;sid:84709009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26p"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845910/; classtype:trojan-activity;sid:84709010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dmvd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845911/; classtype:trojan-activity;sid:84709011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/88c"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845912/; classtype:trojan-activity;sid:84709012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/udeg"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845913/; classtype:trojan-activity;sid:84709013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u3lt"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845914/; classtype:trojan-activity;sid:84709014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m3dx"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845915/; classtype:trojan-activity;sid:84709015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bth"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845916/; classtype:trojan-activity;sid:84709016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845917)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bhmu"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845917/; classtype:trojan-activity;sid:84709017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ozx3"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845918/; classtype:trojan-activity;sid:84709018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpe"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845919/; classtype:trojan-activity;sid:84709019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ddu"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845920/; classtype:trojan-activity;sid:84709020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.238.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845902/; classtype:trojan-activity;sid:84709002; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.247.83.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845901/; classtype:trojan-activity;sid:84709001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.86.142.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845900/; classtype:trojan-activity;sid:84709000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.38.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845899/; classtype:trojan-activity;sid:84708999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.136.85.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845898/; classtype:trojan-activity;sid:84708998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5377a516-06a1-4a9c-95fd-30da2ce2ddc7/google.ct"; depth:47; endswith; nocase; http.host; content:"miststarvationsify.wiki"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_13; 
reference:url, urlhaus.abuse.ch/url/3845897/; classtype:trojan-activity;sid:84708997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a0adf388-659b-4bd9-a161-640b66b5f972/google.ct"; depth:47; endswith; nocase; http.host; content:"pro-architecture-engineering-vault-info.wiki"; depth:44; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845896/; classtype:trojan-activity;sid:84708996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.86.142.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845895/; classtype:trojan-activity;sid:84708995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.214.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845894/; classtype:trojan-activity;sid:84708994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.144.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845893/; classtype:trojan-activity;sid:84708993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845892)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/30544815-898d-4521-8e5e-833ebc5a881f/google.ct"; depth:47; endswith; nocase; http.host; content:"long-pescar.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845892/; classtype:trojan-activity;sid:84708992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.165.21.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845891/; classtype:trojan-activity;sid:84708991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7b9c5b1e-6c62-4568-b9fd-c6c2cae84cdb/google.ct"; depth:47; endswith; nocase; http.host; content:"contactdisrupwhite.wiki"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845890/; classtype:trojan-activity;sid:84708990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845889/; classtype:trojan-activity;sid:84708989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.238.38.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845888/; classtype:trojan-activity;sid:84708988; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes (layout restored to one rule per line; rule text unchanged).
#
# Rule template used throughout this section:
#   * alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client:
#     outbound HTTP request from a monitored host; reported, not blocked.
#   * http.method "GET" only.
#   * http.uri content + depth:<len> + endswith (+ nocase): the whole URI
#     buffer must equal the listed path, so the same path with a query string
#     appended does not match.
#   * http.host content + depth:<len> + isdataat:!1,relative: the whole host
#     buffer must equal the listed host.
# These rules inspect cleartext HTTP only. A hit shows that the URL was
# requested, not that a payload was delivered, so check response and file
# logs during triage.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.88.101.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845887/; classtype:trojan-activity;sid:84708987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.135.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845886/; classtype:trojan-activity;sid:84708986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.224.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845885/; classtype:trojan-activity;sid:84708985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.228.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845884/; classtype:trojan-activity;sid:84708984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.214.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845883/; classtype:trojan-activity;sid:84708983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a53d0eb3-748b-4d3c-a8f0-2f420e3d4dd6/google.ct"; depth:47; endswith; nocase; http.host; content:"glarsitttrain.wiki"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845882/; classtype:trojan-activity;sid:84708982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de23bbce-e735-40b9-91ba-4f19d2a3b1f9/google.ct"; depth:47; endswith; nocase; http.host; content:"quart-rantman.wiki"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845881/; classtype:trojan-activity;sid:84708981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845880/; classtype:trojan-activity;sid:84708980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.91.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845879/; classtype:trojan-activity;sid:84708979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.88.101.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845878/; classtype:trojan-activity;sid:84708978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.135.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845877/; classtype:trojan-activity;sid:84708977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.25.107.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845875/; classtype:trojan-activity;sid:84708975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845876/; classtype:trojan-activity;sid:84708976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.46.172.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845874/; classtype:trojan-activity;sid:84708974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.126.195"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845873/; classtype:trojan-activity;sid:84708973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10bc9c0e-fc42-430f-87a2-a93077579a39/google.ct"; depth:47; endswith; nocase; http.host; content:"snooze-wontdrama.wiki"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845872/; classtype:trojan-activity;sid:84708972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0b68def4-8f13-4537-b69f-9543a4260e8e/google.ct"; depth:47; endswith; nocase; http.host; content:"angelpatter.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845871/; classtype:trojan-activity;sid:84708971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.142.121.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845870/; classtype:trojan-activity;sid:84708970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.46.172.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845869/; classtype:trojan-activity;sid:84708969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.124.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845868/; classtype:trojan-activity;sid:84708968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1dea6270-512a-43ea-b08d-eb37fef6f4e0/google.ct"; depth:47; endswith; nocase; http.host; content:"girlytrans-fusion.wiki"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845867/; classtype:trojan-activity;sid:84708967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.200.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_13; reference:url, urlhaus.abuse.ch/url/3845866/; classtype:trojan-activity;sid:84708966; rev:1;)

# Entries from here on carry metadata:created_at 2026_05_12 (the rules above
# are dated 2026_05_13).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bd5109ec-c32a-43a2-ae4e-752a3c623f45/google.ct"; depth:47; endswith; nocase; http.host; content:"miststarvationsify.wiki"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845865/; classtype:trojan-activity;sid:84708965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.208.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845864/; classtype:trojan-activity;sid:84708964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.88.243"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845863/; classtype:trojan-activity;sid:84708963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.110.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845862/; classtype:trojan-activity;sid:84708962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aca783e5-9e54-4f62-83cc-c8cb92ddb0a4/google.ct"; depth:47; endswith; nocase; http.host; content:"passoverphysiqclass.wiki"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845861/; classtype:trojan-activity;sid:84708961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/798932a5-b694-42d8-a7ee-34c9689936a8/google.ct"; depth:47; endswith; nocase; http.host; content:"long-pescar.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845860/; classtype:trojan-activity;sid:84708960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.114.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845859/; classtype:trojan-activity;sid:84708959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.242.143.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845858/; classtype:trojan-activity;sid:84708958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.208.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845857/; classtype:trojan-activity;sid:84708957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.10.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845856/; classtype:trojan-activity;sid:84708956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0ebcbee-b938-4658-8a3e-e82ebdd0f64b/google.ct"; depth:47; endswith; nocase; http.host; content:"ordersub-versive.wiki"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845855/; classtype:trojan-activity;sid:84708955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2b7b6e5-f8ea-44d0-a72f-5ea7eab15244/google.ct"; depth:47; endswith; nocase; http.host; content:"glarsitttrain.wiki"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845854/; classtype:trojan-activity;sid:84708954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.114.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845853/; classtype:trojan-activity;sid:84708953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.200.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845852/; classtype:trojan-activity;sid:84708952; rev:1;)
# NOTE(review): sid 84708951 and sid 84708950 have identical match conditions
# (same http.uri and http.host); only msg, reference and sid differ. A single
# matching request raises two alerts, so de-duplicate or threshold downstream
# if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d12c4579-d1e4-48ac-b311-f2295e92e7ad/google.ct"; depth:47; endswith; nocase; http.host; content:"long-pescar.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845851/; classtype:trojan-activity;sid:84708951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d12c4579-d1e4-48ac-b311-f2295e92e7ad/google.ct"; depth:47; endswith; nocase; http.host; content:"long-pescar.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845850/; classtype:trojan-activity;sid:84708950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.210.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845849/; classtype:trojan-activity;sid:84708949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a74af8b-5f86-4fdd-bf08-adebe5190217/google.ct"; depth:47; endswith; nocase; http.host; content:"angelpatter.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845848/; classtype:trojan-activity;sid:84708948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.242.143.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845847/; classtype:trojan-activity;sid:84708947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.251.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845846/; classtype:trojan-activity;sid:84708946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.162.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845845/; classtype:trojan-activity;sid:84708945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.146.50.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845844/; classtype:trojan-activity;sid:84708944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.38.87.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845843/; classtype:trojan-activity;sid:84708943; rev:1;)
# NOTE(review): sid 84708941 and sid 84708942 match the same http.uri and
# http.host, so one request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eca2b0d5-2ba8-4a5f-aedc-334601b0c525/google.ct"; depth:47; endswith; nocase; http.host; content:"glarsitttrain.wiki"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845841/; classtype:trojan-activity;sid:84708941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eca2b0d5-2ba8-4a5f-aedc-334601b0c525/google.ct"; depth:47; endswith; nocase; http.host; content:"glarsitttrain.wiki"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845842/; classtype:trojan-activity;sid:84708942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/87ef811e-5405-4a11-9978-0a98ff64596c/google.ct"; depth:47; endswith; nocase; http.host; content:"girlytrans-fusion.wiki"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845840/; classtype:trojan-activity;sid:84708940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.141.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845839/; classtype:trojan-activity;sid:84708939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.21.174.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845837/; classtype:trojan-activity;sid:84708937; rev:1;)
# NOTE(review): sid 84708938 (next rule) and sid 84708936 (two rules further
# down) match the same http.uri and http.host, so one request raises two
# alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0fc754b8-4489-45df-84c4-e1485c7a8794/google.ct"; depth:47; endswith; nocase; http.host; content:"angelpatter.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845838/; classtype:trojan-activity;sid:84708938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.73.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845835/; classtype:trojan-activity;sid:84708935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0fc754b8-4489-45df-84c4-e1485c7a8794/google.ct"; depth:47; endswith; nocase; http.host; content:"angelpatter.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845836/; classtype:trojan-activity;sid:84708936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.224.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845834/; classtype:trojan-activity;sid:84708934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dfeaa18a-e831-429e-a225-07a7a22598a6/google.ct"; depth:47; endswith; nocase; http.host; content:"passoverphysiqclass.wiki"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845833/; classtype:trojan-activity;sid:84708933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.59.6.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845832/; classtype:trojan-activity;sid:84708932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.33.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845831/; classtype:trojan-activity;sid:84708931; rev:1;)
# NOTE(review): sid 84708930 and sid 84708929 match the same http.uri and
# http.host, so one request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/24a9d9af-a729-4afc-8eb4-5ac3c254453c/google.ct"; depth:47; endswith; nocase; http.host; content:"girlytrans-fusion.wiki"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845830/; classtype:trojan-activity;sid:84708930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/24a9d9af-a729-4afc-8eb4-5ac3c254453c/google.ct"; depth:47; endswith; nocase; http.host; content:"girlytrans-fusion.wiki"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845829/; classtype:trojan-activity;sid:84708929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845828/; classtype:trojan-activity;sid:84708928; rev:1;)
# The line below is the head of a rule that continues past this excerpt.
alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab46e5bd-64e7-4453-8069-ce33a5cc6656/google.ct"; depth:47; endswith; nocase; http.host; content:"ordersub-versive.wiki"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845827/; classtype:trojan-activity;sid:84708927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.186.112.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845826/; classtype:trojan-activity;sid:84708926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.195.140.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845825/; classtype:trojan-activity;sid:84708925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.33.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845824/; classtype:trojan-activity;sid:84708924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.226.122"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_12; reference:url, urlhaus.abuse.ch/url/3845823/; classtype:trojan-activity;sid:84708923; rev:1;)
# NOTE(review): sids 84708921 and 84708922 below have identical match
# conditions (same http.uri and http.host patterns); only the URLhaus id,
# the reference and the sid differ, so one matching request raises two alerts.
# Presumably the two URLhaus entries differ in a part of the URL the rule does
# not encode (scheme or port, for instance) — check the reference pages.
# Deduplicate or threshold downstream if the double alert is noisy.
# These are "alert http" rules: they match only on flows Suricata parses as
# HTTP, so a download served over TLS is not visible to http.uri/http.host
# unless the traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8dc15019-74d9-459a-af06-8382bd308a1f/google.ct"; depth:47; endswith; nocase; http.host; content:"passoverphysiqclass.wiki"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845821/; classtype:trojan-activity;sid:84708921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8dc15019-74d9-459a-af06-8382bd308a1f/google.ct"; depth:47; endswith; nocase; http.host; content:"passoverphysiqclass.wiki"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845822/; classtype:trojan-activity;sid:84708922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.240.216.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845820/; classtype:trojan-activity;sid:84708920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/60845241-6f73-4c99-88ce-cd920bd8cd62/google.ct"; depth:47; endswith; nocase; http.host; content:"passwordweb.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845819/; classtype:trojan-activity;sid:84708919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3845818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.38.87.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845818/; classtype:trojan-activity;sid:84708918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.103.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845817/; classtype:trojan-activity;sid:84708917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.84.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845816/; classtype:trojan-activity;sid:84708916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845815/; classtype:trojan-activity;sid:84708915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6cc5ad94-2779-432e-9caa-8dbdd724742e/google.ct"; depth:47; endswith; nocase; http.host; content:"ordersub-versive.wiki"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845814/; 
classtype:trojan-activity;sid:84708914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6cc5ad94-2779-432e-9caa-8dbdd724742e/google.ct"; depth:47; endswith; nocase; http.host; content:"ordersub-versive.wiki"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845813/; classtype:trojan-activity;sid:84708913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/74059139-cf72-4b14-a243-b255536cd6da/google.ct"; depth:47; endswith; nocase; http.host; content:"laptoplink.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845812/; classtype:trojan-activity;sid:84708912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.24.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845811/; classtype:trojan-activity;sid:84708911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.84.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845810/; classtype:trojan-activity;sid:84708910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"61.53.75.175"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845809/; classtype:trojan-activity;sid:84708909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.240.216.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845808/; classtype:trojan-activity;sid:84708908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845803/; classtype:trojan-activity;sid:84708903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845804/; classtype:trojan-activity;sid:84708904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845805/; classtype:trojan-activity;sid:84708905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3845806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/testload.sh"; depth:12; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845806/; classtype:trojan-activity;sid:84708906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845807/; classtype:trojan-activity;sid:84708907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845802/; classtype:trojan-activity;sid:84708902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845801/; classtype:trojan-activity;sid:84708901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.180.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845800/; classtype:trojan-activity;sid:84708900; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/90acf02e-fdb0-47fc-acaf-2e7b8a35578d/google.ct"; depth:47; endswith; nocase; http.host; content:"passwordweb.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845799/; classtype:trojan-activity;sid:84708899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98fb1985-1eb2-4e13-bcf2-61a05f790442/google.ct"; depth:47; endswith; nocase; http.host; content:"unitmemory.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845798/; classtype:trojan-activity;sid:84708898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.85.103.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845797/; classtype:trojan-activity;sid:84708897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.18.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845796/; classtype:trojan-activity;sid:84708896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f489f86f-57c6-440a-b679-d4dc87378e52/google.ct"; 
depth:47; endswith; nocase; http.host; content:"laptoplink.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845795/; classtype:trojan-activity;sid:84708895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e384e1bc-6f6f-48d1-a9ec-c610dc74e9f7/google.ct"; depth:47; endswith; nocase; http.host; content:"softwarefile.wiki"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845794/; classtype:trojan-activity;sid:84708894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.180.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845793/; classtype:trojan-activity;sid:84708893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.148.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845791/; classtype:trojan-activity;sid:84708891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.176.127.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845792/; classtype:trojan-activity;sid:84708892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3845790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a2927ad-0c39-41ee-b2ba-b0d53174807e/google.ct"; depth:47; endswith; nocase; http.host; content:"unitmemory.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845790/; classtype:trojan-activity;sid:84708890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.220.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845789/; classtype:trojan-activity;sid:84708889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6ccb512-45fd-4781-9860-5f2fdf6f0a35/google.ct"; depth:47; endswith; nocase; http.host; content:"supplyflash.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845788/; classtype:trojan-activity;sid:84708888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.23.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845787/; classtype:trojan-activity;sid:84708887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.193.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_12; reference:url, urlhaus.abuse.ch/url/3845786/; classtype:trojan-activity;sid:84708886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.105.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845785/; classtype:trojan-activity;sid:84708885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/038189f0-fad9-4834-b250-2cbf9a567ef4/google.ct"; depth:47; endswith; nocase; http.host; content:"softwarefile.wiki"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845784/; classtype:trojan-activity;sid:84708884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.117.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845783/; classtype:trojan-activity;sid:84708883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/164dbbd6-b83d-4568-b01b-dc6f1f1d1a3d/google.ct"; depth:47; endswith; nocase; http.host; content:"supplyflash.wiki"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845782/; classtype:trojan-activity;sid:84708882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845781)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/438fee3c-f140-4a22-ac73-31cf98084491/google.ct"; depth:47; endswith; nocase; http.host; content:"screencard.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845781/; classtype:trojan-activity;sid:84708881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845775/; classtype:trojan-activity;sid:84708875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845776/; classtype:trojan-activity;sid:84708876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845777/; classtype:trojan-activity;sid:84708877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845778/; classtype:trojan-activity;sid:84708878; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845779/; classtype:trojan-activity;sid:84708879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845780/; classtype:trojan-activity;sid:84708880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845774/; classtype:trojan-activity;sid:84708874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jyvy"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845773/; classtype:trojan-activity;sid:84708873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cpo"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845772/; 
classtype:trojan-activity;sid:84708872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.105.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845771/; classtype:trojan-activity;sid:84708871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.169.235.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845770/; classtype:trojan-activity;sid:84708870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c552892a-4999-4418-a838-b08cc3d1ba71/google.ct"; depth:47; endswith; nocase; http.host; content:"codeframe.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845769/; classtype:trojan-activity;sid:84708869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.83.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845768/; classtype:trojan-activity;sid:84708868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845767/; classtype:trojan-activity;sid:84708867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.53.104"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845766/; classtype:trojan-activity;sid:84708866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"103.153.68.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845765/; classtype:trojan-activity;sid:84708865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"103.153.68.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845763/; classtype:trojan-activity;sid:84708863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"103.153.68.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845764/; classtype:trojan-activity;sid:84708864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845762)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"103.153.68.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845762/; classtype:trojan-activity;sid:84708862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink.sh"; depth:10; endswith; nocase; http.host; content:"103.153.68.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845761/; classtype:trojan-activity;sid:84708861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"103.153.68.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845760/; classtype:trojan-activity;sid:84708860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/474d67fd-5d29-4788-8cf4-a323f7b48791/google.ct"; depth:47; endswith; nocase; http.host; content:"devmatrix.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845759/; classtype:trojan-activity;sid:84708859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.100.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845758/; classtype:trojan-activity;sid:84708858; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=hrkprsueofvxgzly"; depth:27; endswith; nocase; http.host; content:"qaff1aeg.chronicle5-diachiha.digital"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845757/; classtype:trojan-activity;sid:84708857; rev:1;)
# NOTE(review) on the rule ending above (sid 84708857): "|3f|" is a single byte ("?"), so the
# http.uri pattern is 24 bytes long, but depth is 27 -- the length of the escaped text. The
# other rules here use depth == pattern length, which together with endswith pins the whole
# URI; this one tolerates up to 3 leading bytes before the pattern. Presumably a generator
# quirk -- TODO confirm, and use depth:24 if an exact match is intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.254.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845756/; classtype:trojan-activity;sid:84708856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.83.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845755/; classtype:trojan-activity;sid:84708855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realtek.sh"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845751/; classtype:trojan-activity;sid:84708851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsrouter"; depth:15; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative;
metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845752/; classtype:trojan-activity;sid:84708852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845753/; classtype:trojan-activity;sid:84708853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845754/; classtype:trojan-activity;sid:84708854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.i686"; depth:9; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845748/; classtype:trojan-activity;sid:84708848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zorgy.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845749/; classtype:trojan-activity;sid:84708849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.m68k"; 
depth:9; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845750/; classtype:trojan-activity;sid:84708850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845747/; classtype:trojan-activity;sid:84708847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845746/; classtype:trojan-activity;sid:84708846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845740/; classtype:trojan-activity;sid:84708840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845741/; classtype:trojan-activity;sid:84708841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845742)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845742/; classtype:trojan-activity;sid:84708842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845743/; classtype:trojan-activity;sid:84708843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845744/; classtype:trojan-activity;sid:84708844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845745/; classtype:trojan-activity;sid:84708845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845738/; classtype:trojan-activity;sid:84708838; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fbi.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845739/; classtype:trojan-activity;sid:84708839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c198fdf9-c838-4339-8253-732b48312afe/google.ct"; depth:47; endswith; nocase; http.host; content:"cryptogrid.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845737/; classtype:trojan-activity;sid:84708837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.153.78.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845736/; classtype:trojan-activity;sid:84708836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.133.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845735/; classtype:trojan-activity;sid:84708835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.254.109"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_12; reference:url, urlhaus.abuse.ch/url/3845734/; classtype:trojan-activity;sid:84708834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.90.104.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845733/; classtype:trojan-activity;sid:84708833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845732/; classtype:trojan-activity;sid:84708832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.1.184"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845731/; classtype:trojan-activity;sid:84708831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.153.78.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845730/; classtype:trojan-activity;sid:84708830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"61.53.82.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845729/; classtype:trojan-activity;sid:84708829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a8ed7a6-e898-4839-bbfd-3184e017e873/google.ct"; depth:47; endswith; nocase; http.host; content:"byteforge.surf"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845728/; classtype:trojan-activity;sid:84708828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.100.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845727/; classtype:trojan-activity;sid:84708827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.13.248"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845726/; classtype:trojan-activity;sid:84708826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.49.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845725/; classtype:trojan-activity;sid:84708825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845724)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.23.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845724/; classtype:trojan-activity;sid:84708824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1cfb4915-b656-4e39-abca-04731707dac4/google.ct"; depth:47; endswith; nocase; http.host; content:"scriptmesh.surf"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845723/; classtype:trojan-activity;sid:84708823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.3.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845722/; classtype:trojan-activity;sid:84708822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.23.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845721/; classtype:trojan-activity;sid:84708821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.82.157"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845720/; classtype:trojan-activity;sid:84708820; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.112.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845719/; classtype:trojan-activity;sid:84708819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fdcc63e1-b733-4ffc-b4b0-564c82dd4464/google.ct"; depth:47; endswith; nocase; http.host; content:"pixelcore.surf"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845718/; classtype:trojan-activity;sid:84708818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.96.93.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845717/; classtype:trojan-activity;sid:84708817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.49.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845716/; classtype:trojan-activity;sid:84708816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845714/; classtype:trojan-activity;sid:84708814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.114.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845715/; classtype:trojan-activity;sid:84708815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.3.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845713/; classtype:trojan-activity;sid:84708813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.189.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845712/; classtype:trojan-activity;sid:84708812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.238.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845711/; classtype:trojan-activity;sid:84708811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845710)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/74248fae-d56c-4f0c-851f-93e0ada0fe9a/google.ct"; depth:47; endswith; nocase; http.host; content:"cybergrid.surf"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845710/; classtype:trojan-activity;sid:84708810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.104.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845709/; classtype:trojan-activity;sid:84708809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.181.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845708/; classtype:trojan-activity;sid:84708808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.112.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845707/; classtype:trojan-activity;sid:84708807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.133.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845706/; classtype:trojan-activity;sid:84708806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3845705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b651396d-c645-4948-91f8-1494ad50c200/google.ct"; depth:47; endswith; nocase; http.host; content:"logicnode.surf"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845705/; classtype:trojan-activity;sid:84708805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845704/; classtype:trojan-activity;sid:84708804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.144.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845703/; classtype:trojan-activity;sid:84708803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.48.114.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845702/; classtype:trojan-activity;sid:84708802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1f408e4b-5c24-4a47-9d08-ac348e3486b3/google.ct"; depth:47; endswith; nocase; http.host; content:"codeframe.wiki"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845701/; classtype:trojan-activity;sid:84708801; rev:1;)
# NOTE(review): the next rule (sid 84708800) has the same http.method / http.uri / http.host
# conditions as the rule that ends on the line above (sid 84708801), so one matching request
# raises both alerts. The two URLhaus entries presumably differ in something the rule does
# not encode (e.g. scheme or port) -- TODO confirm; de-duplicate or suppress one sid when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1f408e4b-5c24-4a47-9d08-ac348e3486b3/google.ct"; depth:47; endswith; nocase; http.host; content:"codeframe.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845700/; classtype:trojan-activity;sid:84708800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845699/; classtype:trojan-activity;sid:84708799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.73.163.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845698/; classtype:trojan-activity;sid:84708798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.37.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845697/; classtype:trojan-activity;sid:84708797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845696)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.226.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845696/; classtype:trojan-activity;sid:84708796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.170.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845695/; classtype:trojan-activity;sid:84708795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.144.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845694/; classtype:trojan-activity;sid:84708794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845693/; classtype:trojan-activity;sid:84708793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/error84"; depth:8; endswith; nocase; http.host; content:"62.60.130.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845692/; classtype:trojan-activity;sid:84708792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3845691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.253.80.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845691/; classtype:trojan-activity;sid:84708791; rev:1;)
# NOTE(review): sids 84708790 and 84708789 below carry identical http.method / http.uri /
# http.host conditions, so one matching request raises both alerts. The two URLhaus entries
# presumably differ in something the rule does not encode (e.g. scheme or port) -- TODO
# confirm; de-duplicate or suppress one sid when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/34c8f678-b269-4705-a9ce-719a066fef17/google.ct"; depth:47; endswith; nocase; http.host; content:"stackforge.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845690/; classtype:trojan-activity;sid:84708790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/34c8f678-b269-4705-a9ce-719a066fef17/google.ct"; depth:47; endswith; nocase; http.host; content:"stackforge.wiki"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845689/; classtype:trojan-activity;sid:84708789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.73.163.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845688/; classtype:trojan-activity;sid:84708788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.90.104.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url,
urlhaus.abuse.ch/url/3845687/; classtype:trojan-activity;sid:84708787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.48.114.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845686/; classtype:trojan-activity;sid:84708786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845685/; classtype:trojan-activity;sid:84708785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.95.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845684/; classtype:trojan-activity;sid:84708784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.253.80.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845683/; classtype:trojan-activity;sid:84708783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.55.203.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845682/; classtype:trojan-activity;sid:84708782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.29.214.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845681/; classtype:trojan-activity;sid:84708781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.170.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845680/; classtype:trojan-activity;sid:84708780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.34.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845679/; classtype:trojan-activity;sid:84708779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845678/; classtype:trojan-activity;sid:84708778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845677)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.217.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845677/; classtype:trojan-activity;sid:84708777; rev:1;)
# Rule shape used throughout this feed: client-side GET, http.uri content with
# depth equal to the content length plus endswith (whole-URI match), then
# http.host content with depth plus isdataat:!1,relative (whole-Host match).
# NOTE(review): several adjacent rules below carry identical match conditions and
# differ only in msg/reference/sid (3845675/3845676, 3845672/3845671), so one
# request raises two alerts; threshold or de-duplicate downstream if that matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/29eb1df6-6d14-4af7-a269-d54f4eab59a5/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845675/; classtype:trojan-activity;sid:84708775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/29eb1df6-6d14-4af7-a269-d54f4eab59a5/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845676/; classtype:trojan-activity;sid:84708776; rev:1;)
# NOTE(review): the path segment here looks like an unexpanded "${uuid__}" template
# placeholder rather than a real per-victim UUID -- confirm against the URLhaus entry.
# Each |7c| is one byte ("|"), so the content matches 26 bytes, while depth:38 is the
# length of the escaped text. With endswith this is a suffix match inside a URI of up
# to 38 bytes, not the exact-URI match the neighbouring rules get.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/$|7c|7b|7c|uuid__|7c|7d|7c|/google.ct"; depth:38; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845673/; classtype:trojan-activity;sid:84708773; rev:1;)
# NOTE(review): http.uri inspects the normalized URI. If the sensor's HTTP parser
# decodes %7b/%7d to "{" and "}", the literal "%7b...%7d" below is not present in
# that buffer and this rule cannot fire; http.uri.raw is the unnormalized buffer.
# Verify against the sensor's libhtp settings before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/$%7buuid__%7d/google.ct"; depth:24; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845674/; classtype:trojan-activity;sid:84708774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0220461a-e5ed-47e6-bfa5-e66b0ea86b96/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845672/; classtype:trojan-activity;sid:84708772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0220461a-e5ed-47e6-bfa5-e66b0ea86b96/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845671/; classtype:trojan-activity;sid:84708771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845670/; classtype:trojan-activity;sid:84708770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/516b5f87-d872-40da-bda8-d20b31c2a180/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845668/; classtype:trojan-activity;sid:84708768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845669)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/516b5f87-d872-40da-bda8-d20b31c2a180/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845669/; classtype:trojan-activity;sid:84708769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.34.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845667/; classtype:trojan-activity;sid:84708767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fae81002-82da-484f-8f0c-4be2e154a7cb/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845666/; classtype:trojan-activity;sid:84708766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fae81002-82da-484f-8f0c-4be2e154a7cb/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845665/; classtype:trojan-activity;sid:84708765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.117.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; 
reference:url, urlhaus.abuse.ch/url/3845664/; classtype:trojan-activity;sid:84708764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccd0950c-3cc5-4378-975d-90956ef8162c/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845663/; classtype:trojan-activity;sid:84708763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccd0950c-3cc5-4378-975d-90956ef8162c/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845662/; classtype:trojan-activity;sid:84708762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.117.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845660/; classtype:trojan-activity;sid:84708760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.217.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845661/; classtype:trojan-activity;sid:84708761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845659)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/b7c252d5-5141-4448-bc4f-f96a457d994d/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845659/; classtype:trojan-activity;sid:84708759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b7c252d5-5141-4448-bc4f-f96a457d994d/google.ct"; depth:47; endswith; nocase; http.host; content:"netvector.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845658/; classtype:trojan-activity;sid:84708758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7861c157-638e-4210-b2de-f8bbd4c06d32/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845656/; classtype:trojan-activity;sid:84708756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7861c157-638e-4210-b2de-f8bbd4c06d32/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845657/; classtype:trojan-activity;sid:84708757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dcm-t1/101125/raw/main/t1.zip"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845655/; classtype:trojan-activity;sid:84708755; rev:1;)
# NOTE(review): the github.com / raw.githubusercontent.com rules in this feed are
# "alert http", so they only inspect traffic the sensor parses as HTTP. These hosts
# are normally reached over HTTPS; without TLS decryption ahead of the sensor the
# request line and Host header are not visible and these sids will stay silent.
# Cover the same indicators from proxy or EDR URL logs where decryption is absent.
# The Host value is shared with legitimate content, so the URI path (account/repo/
# file) is the discriminating part of each match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dcm-t1/101125/main/t1.zip"; depth:26; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845651/; classtype:trojan-activity;sid:84708751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/t1-26/main/t1.zip"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845652/; classtype:trojan-activity;sid:84708752; rev:1;)
# Two-byte URI "/i" matched exactly (depth:2 + endswith) against a bare-IP Host;
# the Host condition is what keeps this short path from matching unrelated traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.37.125.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845653/; classtype:trojan-activity;sid:84708753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d/raw/main/pd-92725.zip"; depth:31; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845654/; classtype:trojan-activity;sid:84708754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845650)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/t1-26/raw/main/t1.zip"; depth:29; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845650/; classtype:trojan-activity;sid:84708750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d/raw/main/pd-92725.zip/"; depth:32; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845649/; classtype:trojan-activity;sid:84708749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/68102b7c-8334-4fdd-a2bc-2d8c9bafd95f/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845647/; classtype:trojan-activity;sid:84708747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouskii126/hihi/raw/main/document.zip"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845648/; classtype:trojan-activity;sid:84708748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/68102b7c-8334-4fdd-a2bc-2d8c9bafd95f/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845646/; classtype:trojan-activity;sid:84708746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/ut1-26/blob/main/up-t1.png"; depth:33; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845644/; classtype:trojan-activity;sid:84708744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/pd-9-11125/main/u-p.png"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845645/; classtype:trojan-activity;sid:84708745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/ut1-26/raw/main/up-t1.png"; depth:32; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845640/; classtype:trojan-activity;sid:84708740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouskiiu/ut/main/ud.txt"; depth:24; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845641/; classtype:trojan-activity;sid:84708741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3845642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/ut1-26/main/up-t1.png"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845642/; classtype:trojan-activity;sid:84708742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-7-te/ud-vtn/main/ud-t2.txt"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845643/; classtype:trojan-activity;sid:84708743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/pd-9-11125/raw/main/u-p.png"; depth:34; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845632/; classtype:trojan-activity;sid:84708732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/102125/blob/main/ud.png"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845633/; classtype:trojan-activity;sid:84708733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d-3t/blob/main/dcm-t2.zip"; depth:33; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845634/; classtype:trojan-activity;sid:84708734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/102125/main/ud.png"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845635/; classtype:trojan-activity;sid:84708735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d7cdb85d-1901-4f9c-ac4d-edac1430b673"; depth:37; endswith; nocase; http.host; content:"fast.raidher.icu"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845636/; classtype:trojan-activity;sid:84708736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/102125/blob/main/u-p.png"; depth:31; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845637/; classtype:trojan-activity;sid:84708737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/102125/raw/main/ud.png"; depth:29; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845638/; classtype:trojan-activity;sid:84708738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3845639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/ut1-26/main/ud.txt"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845639/; classtype:trojan-activity;sid:84708739; rev:1;)
# NOTE(review): |3f| is a single byte ("?"), so the content below is the 12 bytes
# "/?download=1", but depth:15 is the length of the escaped text. Combined with
# endswith, the rule accepts any URI of up to 15 bytes that ends in "/?download=1"
# (up to three leading bytes), unlike the exact-URI rules around it. The same
# pattern recurs on the other "/|3f|download=1" rules in this feed.
# The *.vercel.app host is presumably served over HTTPS; as an "alert http" rule
# this needs decrypted traffic to fire -- confirm for the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"proishestvie2026onlaine.vercel.app"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845630/; classtype:trojan-activity;sid:84708730; rev:1;)
# Generic path "/download": the exact Host match is the only specific condition here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"51523.file-open.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845631/; classtype:trojan-activity;sid:84708731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d/blob/main/pd-92725.zip"; depth:32; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845626/; classtype:trojan-activity;sid:84708726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/ut1-26/blob/main/ud.txt"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845627/; classtype:trojan-activity;sid:84708727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/pd-9-11125/blob/main/ud.png"; depth:34; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845628/; classtype:trojan-activity;sid:84708728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/download"; depth:13; endswith; nocase; http.host; content:"ok-dtpnew.cyou"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845629/; classtype:trojan-activity;sid:84708729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"photo-album-jopki.vercel.app"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845613/; classtype:trojan-activity;sid:84708713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/t1-26/blob/main/t1.zip"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845614/; classtype:trojan-activity;sid:84708714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845615)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d-3t/blob/main/dcm-t1.zip"; depth:33; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845615/; classtype:trojan-activity;sid:84708715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouskii126/hihi/main/document.zip"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845616/; classtype:trojan-activity;sid:84708716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"dtp-photo19.file-open.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845617/; classtype:trojan-activity;sid:84708717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/download"; depth:13; endswith; nocase; http.host; content:"avariya.cfd"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845618/; classtype:trojan-activity;sid:84708718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pd1-pd/d-3t/blob/main/dcm-t3.zip"; depth:33; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; 
reference:url, urlhaus.abuse.ch/url/3845619/; classtype:trojan-activity;sid:84708719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/download"; depth:13; endswith; nocase; http.host; content:"photogrs-rid.top"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845620/; classtype:trojan-activity;sid:84708720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"dtp-photos10.file-open.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845621/; classtype:trojan-activity;sid:84708721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/download"; depth:13; endswith; nocase; http.host; content:"ok-ru-photo6.live"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845622/; classtype:trojan-activity;sid:84708722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/download"; depth:13; endswith; nocase; http.host; content:"svo-baza-poisk.pro"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845623/; classtype:trojan-activity;sid:84708723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845624)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/download"; depth:9; endswith; nocase; http.host; content:"smother-portf.file-open.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845624/; classtype:trojan-activity;sid:84708724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-pd/pd-9-11125/blob/main/u-p.png"; depth:35; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845625/; classtype:trojan-activity;sid:84708725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845610/; classtype:trojan-activity;sid:84708710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845611/; classtype:trojan-activity;sid:84708711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc64"; depth:10; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845612/; classtype:trojan-activity;sid:84708712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3845597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"photo-albuum.vercel.app"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845597/; classtype:trojan-activity;sid:84708697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; endswith; nocase; http.host; content:"fotolends.lat"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845598/; classtype:trojan-activity;sid:84708698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aba86bec-6d75-44a9-8a64-9fe1c7a9ed8e/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845599/; classtype:trojan-activity;sid:84708699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.arm7"; depth:31; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845600/; classtype:trojan-activity;sid:84708700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.mpsl"; depth:31; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845601/; classtype:trojan-activity;sid:84708701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845602/; classtype:trojan-activity;sid:84708702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.ppc"; depth:30; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845603/; classtype:trojan-activity;sid:84708703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845604/; classtype:trojan-activity;sid:84708704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845605/; classtype:trojan-activity;sid:84708705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845606)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/armhf"; depth:6; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845606/; classtype:trojan-activity;sid:84708706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845607/; classtype:trojan-activity;sid:84708707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845608/; classtype:trojan-activity;sid:84708708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845609/; classtype:trojan-activity;sid:84708709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aba86bec-6d75-44a9-8a64-9fe1c7a9ed8e/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845596/; classtype:trojan-activity;sid:84708696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3845594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"russia24.icu"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845594/; classtype:trojan-activity;sid:84708694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"photoalbbum.vercel.app"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845595/; classtype:trojan-activity;sid:84708695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845591/; classtype:trojan-activity;sid:84708691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"photo-album-anusa.vercel.app"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845592/; classtype:trojan-activity;sid:84708692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; endswith; nocase; http.host; content:"94.141.122.175"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; 
reference:url, urlhaus.abuse.ch/url/3845593/; classtype:trojan-activity;sid:84708693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/launcher.exe"; depth:20; endswith; nocase; http.host; content:"w63709gi.beget.tech"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845590/; classtype:trojan-activity;sid:84708690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.mips"; depth:31; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845584/; classtype:trojan-activity;sid:84708684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.arm5"; depth:31; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845585/; classtype:trojan-activity;sid:84708685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; endswith; nocase; http.host; content:"fotomaxinstall.click"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845586/; classtype:trojan-activity;sid:84708686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845587)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/scl/fi/ysnyliaosnn1mng2sorqi/swift_3786.rar|3f|rlkey=brotbnbbrem89mnvv1fi9qike|7c|26|7c|st=6teip751|7c|26|7c|dl=1"; depth:114; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845587/; classtype:trojan-activity;sid:84708687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; endswith; nocase; http.host; content:"5.252.155.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845588/; classtype:trojan-activity;sid:84708688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.apk"; depth:8; endswith; nocase; http.host; content:"www.fotoinstalll.ink"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845589/; classtype:trojan-activity;sid:84708689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.x86"; depth:30; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845579/; classtype:trojan-activity;sid:84708679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.m68k"; depth:31; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_12; reference:url, urlhaus.abuse.ch/url/3845580/; classtype:trojan-activity;sid:84708680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.arm6"; depth:31; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845581/; classtype:trojan-activity;sid:84708681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.arm"; depth:30; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845582/; classtype:trojan-activity;sid:84708682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/389242390482/3atonational.spc"; depth:30; endswith; nocase; http.host; content:"87.121.79.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845583/; classtype:trojan-activity;sid:84708683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"photomax-12-05.vercel.app"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845577/; classtype:trojan-activity;sid:84708677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845578)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"avariya2026dtpru.vercel.app"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845578/; classtype:trojan-activity;sid:84708678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doodlenoodle123/win-stager.msi/blob/main/win-stager.ps1"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845576/; classtype:trojan-activity;sid:84708676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugd/09c1d5_b4a43d563e1e4b159370953dd56117b7.txt"; depth:48; endswith; nocase; http.host; content:"09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845561/; classtype:trojan-activity;sid:84708661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845562/; classtype:trojan-activity;sid:84708662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; 
content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845563/; classtype:trojan-activity;sid:84708663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845564/; classtype:trojan-activity;sid:84708664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845565/; classtype:trojan-activity;sid:84708665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845566/; classtype:trojan-activity;sid:84708666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845567/; classtype:trojan-activity;sid:84708667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3845568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845568/; classtype:trojan-activity;sid:84708668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845569/; classtype:trojan-activity;sid:84708669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845570/; classtype:trojan-activity;sid:84708670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845571/; classtype:trojan-activity;sid:84708671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; 
content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845572/; classtype:trojan-activity;sid:84708672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dynamic|3f|txd=fa90319c89e7a0272c859f9f1403c6c2f12793281d3a295ce283d6018d5dd1c3"; depth:80; endswith; nocase; http.host; content:"briskinternet.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845573/; classtype:trojan-activity;sid:84708673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845574/; classtype:trojan-activity;sid:84708674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"159.223.61.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845575/; classtype:trojan-activity;sid:84708675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7382018045/o4lpmlr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845558/; classtype:trojan-activity;sid:84708658; rev:1;) 
# URLhaus "known malware download URL" signatures, restored to one rule per line.
# Every rule below has the same shape: an established client-to-server HTTP
# flow from $HOME_NET to $EXTERNAL_NET, "GET" in http.method, one path in
# http.uri and one host in http.host.
#   - URI: depth + endswith anchor the pattern at the end of the buffer; when
#     depth equals the pattern's byte length this is an exact-URI match.
#     nocase makes that comparison case-insensitive.
#   - Host: depth equals the host length and isdataat:!1,relative rejects any
#     byte after it, i.e. an exact host match.
# The number in msg and in reference is the URLhaus entry id; in every rule
# here sid = that id + 80863100, so an alert's sid maps back to its entry.
# What an alert means: a host in $HOME_NET requested the URL. The rules do not
# inspect the response, so confirm delivery with file/flow logs or endpoint
# telemetry before treating a hit as an infection.
# Coverage limit: `alert http` needs HTTP the sensor can parse in cleartext; a
# fetch of the same URL over TLS is not seen unless traffic is decrypted
# upstream of the sensor.

# Host 62.60.226.140, /files/<10 digits>/<name>.exe (rules continue below).
# IP-literal host: weigh created_at when triaging an old hit, since an
# address can change hands.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1772561689/fohqd4r.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845559/; classtype:trojan-activity;sid:84708659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8717422379/bkrjaut.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845560/; classtype:trojan-activity;sid:84708660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5763009148/sjfcqib.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845556/; classtype:trojan-activity;sid:84708656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7879618597/fclwbgc.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845557/; classtype:trojan-activity;sid:84708657; rev:1;)

# Dropbox download-host URL with a query string ("?" written as |3f|).
# NOTE(review): depth:175 is the length of the pattern text as written; |3f|
# matches a single byte, so the pattern is 172 bytes and depth + endswith
# also accept up to 3 extra bytes in front of it. Low impact, but the match
# is not exact.
# NOTE(review): this host is presumably reached over HTTPS only; if so the
# rule fires only on decrypted traffic — verify before counting it as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd/0/get/dapyiz_5hzacpxfjtb3nyyxon0dhzb8b6hvhtrzvxiipqx4yu64lenqt8q9blhiulroqzmonpcvhxrizfbrtyumg2dszpwv8sgqdetfxpulf2stbx99f8cwxfjbtobdzoqaugsthvj9jlk24avrpm1gy/file|3f|dl=1"; depth:175; endswith; nocase; http.host; content:"ucc6e338a3f30f0e0b9b543ba09c.dl.dropboxusercontent.com"; depth:54; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845554/; classtype:trojan-activity;sid:84708654; rev:1;)

# Host 176.65.139.42, shell script path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845555/; classtype:trojan-activity;sid:84708655; rev:1;)

# Host 62.60.226.140 again, same /files/<10 digits>/<name>.exe layout.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/tn1wyvz.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845549/; classtype:trojan-activity;sid:84708649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/on4lig4.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845550/; classtype:trojan-activity;sid:84708650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5763009148/yw3h0gr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845551/; classtype:trojan-activity;sid:84708651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/p5euiw0.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845552/; classtype:trojan-activity;sid:84708652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/iqal9vy.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845553/; classtype:trojan-activity;sid:84708653; rev:1;)

# Host datapulse.wiki, /<uuid>/google.ct. Each path appears in two rules that
# differ only in URLhaus id and sid, so one matching request raises two
# alerts. Presumably URLhaus holds two entries for the same URL — TODO
# confirm; deduplicate on host + URI downstream rather than counting them as
# separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5c72f77-e5c3-4809-bc6e-7c410d1125a3/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845548/; classtype:trojan-activity;sid:84708648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5c72f77-e5c3-4809-bc6e-7c410d1125a3/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845547/; classtype:trojan-activity;sid:84708647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40ff8fc1-a68b-4a64-9dfd-93335bf12dc6/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845545/; classtype:trojan-activity;sid:84708645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40ff8fc1-a68b-4a64-9dfd-93335bf12dc6/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845546/; classtype:trojan-activity;sid:84708646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/801dca8b-4664-4b6d-812e-386df653fe18/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845544/; classtype:trojan-activity;sid:84708644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/801dca8b-4664-4b6d-812e-386df653fe18/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845543/; classtype:trojan-activity;sid:84708643; rev:1;)

# URI is exactly "/i" (2 bytes, depth:2 + endswith), so nearly all of the
# rule's specificity comes from the IP-literal host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.226.89.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845542/; classtype:trojan-activity;sid:84708642; rev:1;)

# datapulse.wiki again: one more path, listed twice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faae9401-3489-419a-9e8e-a539ce4b92b0/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845540/; classtype:trojan-activity;sid:84708640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faae9401-3489-419a-9e8e-a539ce4b92b0/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845541/; classtype:trojan-activity;sid:84708641; rev:1;)

# Host valfanto.com: .png, .txt, .js and .zip paths. The rules match on the
# path string only; the extension says nothing about the content served.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_eva.png"; depth:12; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845536/; classtype:trojan-activity;sid:84708636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yubest.png"; depth:11; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845537/; classtype:trojan-activity;sid:84708637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linkhgyrb/bkrrafg.txt"; depth:22; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845538/; classtype:trojan-activity;sid:84708638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iiseva.png"; depth:11; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845539/; classtype:trojan-activity;sid:84708639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otsifar/othoytr.js"; depth:19; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845534/; classtype:trojan-activity;sid:84708635; rev:1;)
# NOTE(review): the pattern below contains a literal "%20" and depth:61
# counts it as three bytes. http.uri is Suricata's normalized URI buffer; if
# percent-decoding turns %20 into a space there, this rule cannot match and
# the raw form would have to be checked via http.uri.raw instead. Confirm
# against a capture of the request before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/comany_profile_order%20requirment_dec_jan2026_2025.zip"; depth:61; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845535/; classtype:trojan-activity;sid:84708635; rev:1;)

# datapulse.wiki: same path in both rules (duplicate pair, see above).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fb067ff-f42d-4f2b-ba15-c01743d4725e/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845533/; classtype:trojan-activity;sid:84708633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fb067ff-f42d-4f2b-ba15-c01743d4725e/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845532/; classtype:trojan-activity;sid:84708632; rev:1;)

# "/bin.sh" on two different IP-literal hosts; the path is generic, so the
# host is what separates these two rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.114.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845531/; classtype:trojan-activity;sid:84708631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.117.222"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845530/; classtype:trojan-activity;sid:84708630; rev:1;)

# datapulse.wiki: same path in both rules (duplicate pair).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5ae095a-8c5c-407b-bb3d-0d60997d8829/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845529/; classtype:trojan-activity;sid:84708629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5ae095a-8c5c-407b-bb3d-0d60997d8829/google.ct"; depth:47; endswith; nocase; http.host; content:"datapulse.wiki"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845528/; classtype:trojan-activity;sid:84708628; rev:1;)

# Exact URI "/i" on another IP-literal host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.237.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845527/; classtype:trojan-activity;sid:84708627; rev:1;)

# Host dashcorpcloud.co, same /<uuid>/google.ct layout as datapulse.wiki and
# the same duplication: each path is carried by two rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a01fd0a-13e1-444c-b49b-65626cac8fbe/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845525/; classtype:trojan-activity;sid:84708625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9a01fd0a-13e1-444c-b49b-65626cac8fbe/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845526/; classtype:trojan-activity;sid:84708626; rev:1;)

# "/bin.sh" on a third IP-literal host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.117.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845524/; classtype:trojan-activity;sid:84708624; rev:1;)

# dashcorpcloud.co: two more paths, each listed twice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8a61f16-8f5a-433a-bf05-82eb3f4b20c8/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845523/; classtype:trojan-activity;sid:84708623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8a61f16-8f5a-433a-bf05-82eb3f4b20c8/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845522/; classtype:trojan-activity;sid:84708622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/837f9d89-ec7d-4758-b2dc-83c54babcbfc/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845521/; classtype:trojan-activity;sid:84708621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/837f9d89-ec7d-4758-b2dc-83c54babcbfc/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845520/; classtype:trojan-activity;sid:84708620; rev:1;)
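# Layout: one rule per physical line. Suricata reads a rule from a single line
# (or backslash-continued lines); a rule wrapped in the middle of its options
# does not load.
#
# Template shared by the rules below:
#   - $HOME_NET -> $EXTERNAL_NET, flow:established,from_client, http.method GET:
#     the alert marks an internal client requesting the listed URL. It does not by
#     itself show that a payload was returned or executed - correlate with the
#     response, file and endpoint telemetry before escalating.
#   - http.uri content + depth:<len> + endswith + nocase: the whole URI buffer must
#     equal the quoted string, case-insensitively.
#   - http.host content + depth:<len> + isdataat:!1,relative: the whole host buffer
#     must equal the quoted string.
#   - "alert http" inspects only requests the HTTP parser can read. The same URL
#     fetched inside TLS is not matched unless traffic is decrypted upstream of the
#     sensor; DNS / TLS SNI visibility for the listed hostnames covers that gap.
#
# NOTE(review): many adjacent rules differ only in msg id, reference and sid
# (first pair below: sid 84708619 / 84708618). One matching request raises both
# alerts. Presumably two URLhaus entries for one host/path - confirm on the
# reference pages; de-duplicate downstream on host + URI rather than on sid.
#
# NOTE(review): rules keyed on an IP-literal host plus a short path (/i, /bin.sh,
# /x86, /mips ...) are only as current as metadata:created_at; consider ageing
# them out, since an address can change hands after the entry was recorded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/308670ee-6163-4699-9ce9-f8e7906a9ba8/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845519/; classtype:trojan-activity;sid:84708619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/308670ee-6163-4699-9ce9-f8e7906a9ba8/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845518/; classtype:trojan-activity;sid:84708618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.226.89.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845517/; classtype:trojan-activity;sid:84708617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cf77e4a-1f3e-40c0-88f9-6c457d5023d1/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845516/; classtype:trojan-activity;sid:84708616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cf77e4a-1f3e-40c0-88f9-6c457d5023d1/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845515/; classtype:trojan-activity;sid:84708615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.216.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845514/; classtype:trojan-activity;sid:84708614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.237.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845513/; classtype:trojan-activity;sid:84708613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8b1beffc-4771-4102-b186-f9330df2e167/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845512/; classtype:trojan-activity;sid:84708612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8b1beffc-4771-4102-b186-f9330df2e167/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845511/; classtype:trojan-activity;sid:84708611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"150.255.27.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845510/; classtype:trojan-activity;sid:84708610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c77a256b-c000-4b24-8d8b-47ee65a11880/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845508/; classtype:trojan-activity;sid:84708608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c77a256b-c000-4b24-8d8b-47ee65a11880/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845509/; classtype:trojan-activity;sid:84708609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"187.45.95.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845506/; classtype:trojan-activity;sid:84708606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845507/; classtype:trojan-activity;sid:84708607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845505/; classtype:trojan-activity;sid:84708605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/528dcbb4-3368-4d19-8379-2a6b7d63e38b/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845504/; classtype:trojan-activity;sid:84708604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/528dcbb4-3368-4d19-8379-2a6b7d63e38b/google.ct"; depth:47; endswith; nocase; http.host; content:"dashcorpcloud.co"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845503/; classtype:trojan-activity;sid:84708603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e49776bd-0137-4afe-95ac-8c57c27805ec/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845501/; classtype:trojan-activity;sid:84708601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e49776bd-0137-4afe-95ac-8c57c27805ec/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845502/; classtype:trojan-activity;sid:84708602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.125.42.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845500/; classtype:trojan-activity;sid:84708600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.96.93.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845497/; classtype:trojan-activity;sid:84708597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e4d02f79-9e4c-4561-99bc-58e24778366d/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845498/; classtype:trojan-activity;sid:84708598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.178.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845499/; classtype:trojan-activity;sid:84708599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.184.46.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845496/; classtype:trojan-activity;sid:84708596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e4d02f79-9e4c-4561-99bc-58e24778366d/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845495/; classtype:trojan-activity;sid:84708595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c685cde4-7d6c-4b1f-b243-9ffb7d27a096/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845494/; classtype:trojan-activity;sid:84708594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c685cde4-7d6c-4b1f-b243-9ffb7d27a096/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845493/; classtype:trojan-activity;sid:84708593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.57.37.3"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845492/; classtype:trojan-activity;sid:84708592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845491/; classtype:trojan-activity;sid:84708591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a33c02c0-1087-4e71-8994-9302bc719b73/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845490/; classtype:trojan-activity;sid:84708590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a33c02c0-1087-4e71-8994-9302bc719b73/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845489/; classtype:trojan-activity;sid:84708589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.230.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845488/; classtype:trojan-activity;sid:84708588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da00e80a-eebe-4913-9115-d8826d9b1801/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845487/; classtype:trojan-activity;sid:84708587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da00e80a-eebe-4913-9115-d8826d9b1801/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845486/; classtype:trojan-activity;sid:84708586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36703d46-db3d-4c8a-818a-fb404cdcb68f/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845485/; classtype:trojan-activity;sid:84708585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36703d46-db3d-4c8a-818a-fb404cdcb68f/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845484/; classtype:trojan-activity;sid:84708584; rev:1;)
# |3f| is hex notation for "?", so this rule matches on the query string as well.
# NOTE(review): depth:27 equals the length of the escaped text, but the decoded
# pattern is 24 bytes. With endswith the content still has to sit at the end of the
# URI, yet up to 3 extra leading bytes are tolerated, so unlike the other rules this
# is not an exact-URI match. depth:24 would make it exact; the rule is left as
# published. The same applies to sid 84708580 further down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=affxhyxyamoysczb"; depth:27; endswith; nocase; http.host; content:"b5fdl2mw.hor1inka-lonely.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845483/; classtype:trojan-activity;sid:84708583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8170b732-cf1a-40a3-ac14-68edaf35dbaf/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845481/; classtype:trojan-activity;sid:84708581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8170b732-cf1a-40a3-ac14-68edaf35dbaf/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845482/; classtype:trojan-activity;sid:84708582; rev:1;)
# NOTE(review): same depth:27 vs 24 decoded bytes looseness as sid 84708583 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=pacrtgjaeegtswbs"; depth:27; endswith; nocase; http.host; content:"p9015zuh.unp2idvalk.digital"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845480/; classtype:trojan-activity;sid:84708580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69d3676e-c942-448d-a3cb-e5c007af98a4/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845478/; classtype:trojan-activity;sid:84708578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69d3676e-c942-448d-a3cb-e5c007af98a4/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845479/; classtype:trojan-activity;sid:84708579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.125.42.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845477/; classtype:trojan-activity;sid:84708577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/93c23d74-688b-44e8-a3be-b71660893505/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845475/; classtype:trojan-activity;sid:84708575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/93c23d74-688b-44e8-a3be-b71660893505/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845476/; classtype:trojan-activity;sid:84708576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aa9401e2-5a6c-4414-a64f-8d84bc07b198/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845474/; classtype:trojan-activity;sid:84708574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aa9401e2-5a6c-4414-a64f-8d84bc07b198/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845473/; classtype:trojan-activity;sid:84708573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6139c8f6-c378-4f65-ae28-d3dfc15eee68/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845472/; classtype:trojan-activity;sid:84708572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6139c8f6-c378-4f65-ae28-d3dfc15eee68/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845471/; classtype:trojan-activity;sid:84708571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845470/; classtype:trojan-activity;sid:84708570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845468/; classtype:trojan-activity;sid:84708568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845469/; classtype:trojan-activity;sid:84708569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845465/; classtype:trojan-activity;sid:84708565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm/"; depth:5; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845466/; classtype:trojan-activity;sid:84708566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"95.135.208.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845467/; classtype:trojan-activity;sid:84708567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dce3e8a3-af17-4d7b-92b3-118b6b4bbb4d/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845463/; classtype:trojan-activity;sid:84708563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dce3e8a3-af17-4d7b-92b3-118b6b4bbb4d/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845464/; classtype:trojan-activity;sid:84708564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/22b8dad8-de06-410e-bbdd-8f6e20ea67d4/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845461/; classtype:trojan-activity;sid:84708561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/22b8dad8-de06-410e-bbdd-8f6e20ea67d4/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845462/; classtype:trojan-activity;sid:84708562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.230.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845460/; classtype:trojan-activity;sid:84708560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.184.46.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845459/; classtype:trojan-activity;sid:84708559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845458/; classtype:trojan-activity;sid:84708558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/59475bbc-a812-4fbf-b7b8-a90030208614/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845457/; classtype:trojan-activity;sid:84708557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/59475bbc-a812-4fbf-b7b8-a90030208614/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845456/; classtype:trojan-activity;sid:84708556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.179.235.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845455/; classtype:trojan-activity;sid:84708555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c36f804-6d3e-4843-a8a0-9b2870cc4efc/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845454/; classtype:trojan-activity;sid:84708554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c36f804-6d3e-4843-a8a0-9b2870cc4efc/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845453/; classtype:trojan-activity;sid:84708553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.23.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845452/; classtype:trojan-activity;sid:84708552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.13.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845451/; classtype:trojan-activity;sid:84708551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5e3065fd-464c-4c50-bc0c-c42119f718ac/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845450/; classtype:trojan-activity;sid:84708550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5e3065fd-464c-4c50-bc0c-c42119f718ac/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845449/; classtype:trojan-activity;sid:84708549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.210.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845448/; classtype:trojan-activity;sid:84708548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845447/; classtype:trojan-activity;sid:84708547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fdbe36e-73b0-46e7-a37d-00ce19dc1c74/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845446/; classtype:trojan-activity;sid:84708546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fdbe36e-73b0-46e7-a37d-00ce19dc1c74/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845445/; classtype:trojan-activity;sid:84708545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.151.218.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845444/; classtype:trojan-activity;sid:84708544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cb1aee61-9488-4e58-8734-42f7efbcde64/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845442/; classtype:trojan-activity;sid:84708542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cb1aee61-9488-4e58-8734-42f7efbcde64/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845443/; classtype:trojan-activity;sid:84708543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.13.248"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845441/; classtype:trojan-activity;sid:84708541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845440)"; flow:established,from_client; http.method; content:"GET"; http.uri; 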
content:"/e272593a-18f4-47d6-98ad-4e5f45fed5ce/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845440/; classtype:trojan-activity;sid:84708540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e272593a-18f4-47d6-98ad-4e5f45fed5ce/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845439/; classtype:trojan-activity;sid:84708539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cadabc5d-cbff-4792-b272-b1794a3ad5b2/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845438/; classtype:trojan-activity;sid:84708538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845437/; classtype:trojan-activity;sid:84708537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cadabc5d-cbff-4792-b272-b1794a3ad5b2/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; 
depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845436/; classtype:trojan-activity;sid:84708536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54c56555-6e2a-4c4d-83b6-b24859b1ae07/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845435/; classtype:trojan-activity;sid:84708535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54c56555-6e2a-4c4d-83b6-b24859b1ae07/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845434/; classtype:trojan-activity;sid:84708534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb2c064e-b53d-45a5-89eb-1d7a08fcc8fc/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845433/; classtype:trojan-activity;sid:84708533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb2c064e-b53d-45a5-89eb-1d7a08fcc8fc/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, 
urlhaus.abuse.ch/url/3845432/; classtype:trojan-activity;sid:84708532; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this listing.)
#
# Rules in this stretch share one shape: outbound ($HOME_NET -> $EXTERNAL_NET),
# established, client-to-server HTTP GET with an exact URI and an exact Host.
#   http.uri  : depth == content length + endswith  => full-URI match (nocase
#               modifies the URI content only).
#   http.host : depth == content length + isdataat:!1,relative => full-Host match.
# Deployment notes:
#   - Only traffic parsed as HTTP is inspected ("alert http"); the same URL served
#     over TLS needs decryption upstream to be seen by these rules.
#   - The /<uuid>/google.ct URI shape recurs across several .wiki hosts in this
#     stretch; a per-URL rule covers only that one path, so pair these rules with
#     host-level controls (DNS/proxy) if the whole host should be covered.
# NOTE(review): every /<uuid>/google.ct URL below is matched by two rules with the
# same conditions (e.g. sid 84708530 and 84708531); only the URLhaus id and sid
# differ, so one request produces two alerts. Presumably duplicate URLhaus
# entries -- verify on the referenced pages; de-duplicate or threshold downstream.
# 27.37.127.226 appears with both /i (sid 84708523) and /bin.sh (sid 84708509);
# correlate by destination host rather than by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef28f7d3-303e-433a-8a29-d58cd6aecf40/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845430/; classtype:trojan-activity;sid:84708530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef28f7d3-303e-433a-8a29-d58cd6aecf40/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845431/; classtype:trojan-activity;sid:84708531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.23.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845429/; classtype:trojan-activity;sid:84708529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845428/; classtype:trojan-activity;sid:84708528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.210.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845427/; classtype:trojan-activity;sid:84708527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/23e61ebb-420a-4446-9185-039746d86e5d/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845426/; classtype:trojan-activity;sid:84708526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/23e61ebb-420a-4446-9185-039746d86e5d/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845425/; classtype:trojan-activity;sid:84708525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.98.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845424/; classtype:trojan-activity;sid:84708524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.127.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845423/; classtype:trojan-activity;sid:84708523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.158.19.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845422/; classtype:trojan-activity;sid:84708522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.209.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845421/; classtype:trojan-activity;sid:84708521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/03eb79ea-2282-4df9-afab-3167bae6be33/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845420/; classtype:trojan-activity;sid:84708520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/03eb79ea-2282-4df9-afab-3167bae6be33/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845419/; classtype:trojan-activity;sid:84708519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7683942d-084b-4bd3-ace5-d678724330f4/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845418/; classtype:trojan-activity;sid:84708518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7683942d-084b-4bd3-ace5-d678724330f4/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845417/; classtype:trojan-activity;sid:84708517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.238.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845416/; classtype:trojan-activity;sid:84708516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.232.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845415/; classtype:trojan-activity;sid:84708515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a33e9771-b625-4653-b504-34d17e7cf960/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845414/; classtype:trojan-activity;sid:84708514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a33e9771-b625-4653-b504-34d17e7cf960/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845413/; classtype:trojan-activity;sid:84708513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.70.242"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845412/; classtype:trojan-activity;sid:84708512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fd3443c0-383f-46c3-b11e-1d173e331816/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845410/; classtype:trojan-activity;sid:84708510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fd3443c0-383f-46c3-b11e-1d173e331816/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845411/; classtype:trojan-activity;sid:84708511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.127.226"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845409/; classtype:trojan-activity;sid:84708509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.191.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845408/; classtype:trojan-activity;sid:84708508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cf727ace-534d-4177-b75f-87e71670630d/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845407/; classtype:trojan-activity;sid:84708507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cf727ace-534d-4177-b75f-87e71670630d/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845406/; classtype:trojan-activity;sid:84708506; rev:1;)
# The next rule is split by a line break in this listing; its tail is on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"110.39.232.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845405/; classtype:trojan-activity;sid:84708505; rev:1;)
# (The line above is the tail of a rule that starts on the previous line of this listing.)
#
# Same template throughout this stretch: an established, client-to-server HTTP
# GET leaving $HOME_NET whose URI and Host are each matched in full.
#   http.uri  : content + depth (== its length) + endswith, case-insensitive via nocase.
#   http.host : content + depth (== its length) + isdataat:!1,relative (nothing after).
# What this does and does not cover:
#   - HTTP only: "alert http" needs Suricata to parse the flow as HTTP, so the
#     same URL over TLS is invisible to these rules without upstream decryption.
#   - One rule == one URL. Several .wiki hosts below share the /<uuid>/google.ct
#     shape; host-level controls (DNS/proxy) are the way to cover a whole host.
#   - IP-literal indicators age quickly; metadata:created_at gives the date to
#     expire them against.
# NOTE(review): each /<uuid>/google.ct URL below has two rules with identical
# match conditions (e.g. sid 84708502 and 84708503); one request therefore
# raises two alerts. Presumably duplicate URLhaus entries -- confirm on the
# referenced pages and de-duplicate or threshold downstream.
# 61.53.126.68 appears with both /i (sid 84708504) and /bin.sh (sid 84708481);
# correlate by destination host rather than by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.126.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845404/; classtype:trojan-activity;sid:84708504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5972b8c5-08b5-4713-a917-db4d493c739d/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845402/; classtype:trojan-activity;sid:84708502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5972b8c5-08b5-4713-a917-db4d493c739d/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845403/; classtype:trojan-activity;sid:84708503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7ab0aa1f-7883-47d6-b686-4c2edcf28c09/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845401/; classtype:trojan-activity;sid:84708501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7ab0aa1f-7883-47d6-b686-4c2edcf28c09/google.ct"; depth:47; endswith; nocase; http.host; content:"data-core-logic-resource-center.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845400/; classtype:trojan-activity;sid:84708500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.159.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845399/; classtype:trojan-activity;sid:84708499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/65f39a71-ee49-4e5b-8703-3e09ceb6b88d/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845398/; classtype:trojan-activity;sid:84708498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/65f39a71-ee49-4e5b-8703-3e09ceb6b88d/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845397/; classtype:trojan-activity;sid:84708497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.226.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845396/; classtype:trojan-activity;sid:84708496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845395/; classtype:trojan-activity;sid:84708495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.70.242"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845394/; classtype:trojan-activity;sid:84708494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/706bd8f0-d643-44a0-a0f5-b69650d9afec/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845393/; classtype:trojan-activity;sid:84708493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/706bd8f0-d643-44a0-a0f5-b69650d9afec/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845392/; classtype:trojan-activity;sid:84708492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/824648df-f709-4d91-a1a0-80f25638ffdf/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845391/; classtype:trojan-activity;sid:84708491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/824648df-f709-4d91-a1a0-80f25638ffdf/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845390/; classtype:trojan-activity;sid:84708490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.158.19.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845389/; classtype:trojan-activity;sid:84708489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0513b386-d2ff-47b5-9717-e71386056511/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845388/; classtype:trojan-activity;sid:84708488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0513b386-d2ff-47b5-9717-e71386056511/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845387/; classtype:trojan-activity;sid:84708487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2f02d64-3d5d-4cbb-a88e-04d6ff63db87/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845386/; classtype:trojan-activity;sid:84708486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2f02d64-3d5d-4cbb-a88e-04d6ff63db87/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845385/; classtype:trojan-activity;sid:84708485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.213.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845384/; classtype:trojan-activity;sid:84708484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e1cea497-34fb-47c3-9df0-97878e9cadb9/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845383/; classtype:trojan-activity;sid:84708483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e1cea497-34fb-47c3-9df0-97878e9cadb9/google.ct"; depth:47; endswith; nocase; http.host; content:"network-security-ops-flow-base.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845382/; classtype:trojan-activity;sid:84708482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.126.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845381/; classtype:trojan-activity;sid:84708481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8d5d81a-bb7c-43c9-9f79-870650f62d28/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845380/; classtype:trojan-activity;sid:84708480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8d5d81a-bb7c-43c9-9f79-870650f62d28/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845379/; classtype:trojan-activity;sid:84708479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edac5160-cbf2-44a0-9de7-edd72a530600/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845377/; classtype:trojan-activity;sid:84708477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edac5160-cbf2-44a0-9de7-edd72a530600/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845378/; classtype:trojan-activity;sid:84708478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.191.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845376/; classtype:trojan-activity;sid:84708476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.238.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845375/; classtype:trojan-activity;sid:84708475; rev:1;)
# URLhaus exact-URL indicators, laid out one rule per line (Suricata reads a
# rule from a single line unless it is continued with a trailing backslash).
#
# How each rule matches:
#   - alert http with flow:established,from_client: a client request on an
#     established flow from $HOME_NET to $EXTERNAL_NET.
#   - http.method content:"GET": GET requests only.
#   - http.uri content with depth equal to the pattern length plus endswith:
#     the whole URI buffer must equal the pattern; nocase makes that
#     comparison case-insensitive.
#   - http.host content with depth equal to the pattern length plus
#     isdataat:!1,relative: the whole host buffer must equal the pattern.
#
# Notes for operators:
#   - Cleartext HTTP only: the rules use the http protocol and HTTP sticky
#     buffers, so a download over TLS is not inspected unless the traffic is
#     decrypted before it reaches the sensor.
#   - Duplicate alerts: many adjacent rules share the same URI and host and
#     differ only in URLhaus id and sid (for example 3845373 and 3845372), so
#     one matching request raises two alerts. The URLhaus entries presumably
#     differ in something the rule does not encode (scheme or port); confirm on
#     the referenced URLhaus pages, and deduplicate or threshold downstream.
#   - Exact indicators: every rule pins one URI on one host. Other paths on the
#     same host are not covered, so pair the feed with host- or DNS-level
#     telemetry where broader coverage is needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845374/; classtype:trojan-activity;sid:84708474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31c63f2a-eca7-4043-99c0-b6f5e525eb5d/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845373/; classtype:trojan-activity;sid:84708473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31c63f2a-eca7-4043-99c0-b6f5e525eb5d/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845372/; classtype:trojan-activity;sid:84708472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.98.228"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845371/; classtype:trojan-activity;sid:84708471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/70e93b65-b476-4dc1-bf7d-cb639362af60/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845370/; classtype:trojan-activity;sid:84708470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/70e93b65-b476-4dc1-bf7d-cb639362af60/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845369/; classtype:trojan-activity;sid:84708469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaae4c9e-6096-42a9-bc9e-eac24a926688/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845368/; classtype:trojan-activity;sid:84708468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaae4c9e-6096-42a9-bc9e-eac24a926688/google.ct"; depth:47; endswith; nocase; http.host; content:"open-api-protocol-storage-guide.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845367/; classtype:trojan-activity;sid:84708467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.226.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845366/; classtype:trojan-activity;sid:84708466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.109.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845365/; classtype:trojan-activity;sid:84708465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cb370c09-b45e-4d84-bbd3-fd256d6ee89b/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845363/; classtype:trojan-activity;sid:84708463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cb370c09-b45e-4d84-bbd3-fd256d6ee89b/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845364/; classtype:trojan-activity;sid:84708464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37b49bbb-1752-4a9e-8270-5f9abefe37d9/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845361/; classtype:trojan-activity;sid:84708461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37b49bbb-1752-4a9e-8270-5f9abefe37d9/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845362/; classtype:trojan-activity;sid:84708462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/228984a7-7242-4f89-8d70-3d2f012644e6/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845360/; classtype:trojan-activity;sid:84708460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/228984a7-7242-4f89-8d70-3d2f012644e6/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845359/; classtype:trojan-activity;sid:84708459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.98.238.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845358/; classtype:trojan-activity;sid:84708458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dcaca26e-56f9-4250-8b15-802e52238594/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845357/; classtype:trojan-activity;sid:84708457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dcaca26e-56f9-4250-8b15-802e52238594/google.ct"; depth:47; endswith; nocase; http.host; content:"system-stack-node-data-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845356/; classtype:trojan-activity;sid:84708456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/320ed27c-6dc9-41cf-ac71-9156ee8bf719/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845355/; classtype:trojan-activity;sid:84708455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/320ed27c-6dc9-41cf-ac71-9156ee8bf719/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845354/; classtype:trojan-activity;sid:84708454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7889149b-c15d-4720-9a5b-ffe7f18f6e30/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845352/; classtype:trojan-activity;sid:84708452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7889149b-c15d-4720-9a5b-ffe7f18f6e30/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845353/; classtype:trojan-activity;sid:84708453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.175.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845351/; classtype:trojan-activity;sid:84708451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de4716fe-30e5-4d96-9651-913fd8404122/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845350/; classtype:trojan-activity;sid:84708450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de4716fe-30e5-4d96-9651-913fd8404122/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845349/; classtype:trojan-activity;sid:84708449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/463bd746-b309-4339-8645-df83014f7b3f/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845347/; classtype:trojan-activity;sid:84708447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/463bd746-b309-4339-8645-df83014f7b3f/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845348/; classtype:trojan-activity;sid:84708448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.161.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845346/; classtype:trojan-activity;sid:84708446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4945ffa4-1b09-4e8a-8858-f91043a011a5/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845345/; classtype:trojan-activity;sid:84708445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4945ffa4-1b09-4e8a-8858-f91043a011a5/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845344/; classtype:trojan-activity;sid:84708444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.109.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845342/; classtype:trojan-activity;sid:84708442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.240.49"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845343/; classtype:trojan-activity;sid:84708443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1d85de60-de00-4ea7-8142-32111d585e10/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845341/; classtype:trojan-activity;sid:84708441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1d85de60-de00-4ea7-8142-32111d585e10/google.ct"; depth:47; endswith; nocase; http.host; content:"global-cloud-infra-logic-manual.wiki"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845340/; classtype:trojan-activity;sid:84708440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.1.233"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845339/; classtype:trojan-activity;sid:84708439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.139.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845338/; classtype:trojan-activity;sid:84708438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.98.238.40"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845337/; classtype:trojan-activity;sid:84708437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.163.187.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845336/; classtype:trojan-activity;sid:84708436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.175.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845335/; classtype:trojan-activity;sid:84708435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.141.155.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845334/; classtype:trojan-activity;sid:84708434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.29.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845333/; classtype:trojan-activity;sid:84708433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.222.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845331/; classtype:trojan-activity;sid:84708431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.91.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845332/; classtype:trojan-activity;sid:84708432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.222.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845330/; classtype:trojan-activity;sid:84708430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845329/; classtype:trojan-activity;sid:84708429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.138.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845328/; classtype:trojan-activity;sid:84708428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.133.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845327/; classtype:trojan-activity;sid:84708427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.239.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845326/; classtype:trojan-activity;sid:84708426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.1.233"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845325/; classtype:trojan-activity;sid:84708425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845324/; classtype:trojan-activity;sid:84708424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e36c3588-15d5-48e6-a864-638f607e3a75/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845323/; classtype:trojan-activity;sid:84708423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e36c3588-15d5-48e6-a864-638f607e3a75/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845322/; classtype:trojan-activity;sid:84708422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"198.2.100.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845321/; classtype:trojan-activity;sid:84708421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ec759d3-8a78-4a71-9631-b960843a2570/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845320/; classtype:trojan-activity;sid:84708420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ec759d3-8a78-4a71-9631-b960843a2570/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845319/; classtype:trojan-activity;sid:84708419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c97f4fa-84fc-4bb6-bd98-98270874efde/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845318/; classtype:trojan-activity;sid:84708418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c97f4fa-84fc-4bb6-bd98-98270874efde/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845317/; classtype:trojan-activity;sid:84708417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845316/; classtype:trojan-activity;sid:84708416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c6c47f2-36cd-4e28-8a60-e2bee74c0694/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845315/; classtype:trojan-activity;sid:84708415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5c6c47f2-36cd-4e28-8a60-e2bee74c0694/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845314/; classtype:trojan-activity;sid:84708414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afef312d-63ed-4c30-b3b5-58da8b868fea/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845313/; classtype:trojan-activity;sid:84708413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afef312d-63ed-4c30-b3b5-58da8b868fea/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845312/; classtype:trojan-activity;sid:84708412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845311/; classtype:trojan-activity;sid:84708411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7c881852-e522-4ce6-a104-6b8573c4a514/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845309/; classtype:trojan-activity;sid:84708409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7c881852-e522-4ce6-a104-6b8573c4a514/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845310/; classtype:trojan-activity;sid:84708410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a36e78d-fb86-4d5a-b499-57f2b8376933/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845308/; classtype:trojan-activity;sid:84708408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a36e78d-fb86-4d5a-b499-57f2b8376933/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845307/; classtype:trojan-activity;sid:84708407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a260d8ea-1d0c-4ea4-9987-e9901903417e/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845305/; classtype:trojan-activity;sid:84708405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a260d8ea-1d0c-4ea4-9987-e9901903417e/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845306/; classtype:trojan-activity;sid:84708406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845304/; classtype:trojan-activity;sid:84708404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f5e8897-5c43-4f2c-9d55-1ee88bc814bd/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845302/; classtype:trojan-activity;sid:84708402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f5e8897-5c43-4f2c-9d55-1ee88bc814bd/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845303/; classtype:trojan-activity;sid:84708403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7c7992cb-e74e-432c-a362-c114365aa9b6/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845301/; classtype:trojan-activity;sid:84708401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7c7992cb-e74e-432c-a362-c114365aa9b6/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845300/; classtype:trojan-activity;sid:84708400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94fb828c-21b3-44a3-a534-63ed1dac98c0/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845299/; classtype:trojan-activity;sid:84708399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94fb828c-21b3-44a3-a534-63ed1dac98c0/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845298/; classtype:trojan-activity;sid:84708398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6091b429-bd30-4571-9ad7-70f6647f73cd/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845296/; classtype:trojan-activity;sid:84708396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6091b429-bd30-4571-9ad7-70f6647f73cd/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845297/; classtype:trojan-activity;sid:84708397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4973fdbf-c83d-4e75-a01e-ee526e8ca1bd/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845295/; classtype:trojan-activity;sid:84708395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4973fdbf-c83d-4e75-a01e-ee526e8ca1bd/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845294/; classtype:trojan-activity;sid:84708394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.13.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845293/; classtype:trojan-activity;sid:84708393; rev:1;)
# The rule below is wrapped onto the following line of the file; it is left as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbc6c1d2-b28b-4bc1-a4da-eb58e44d40e1/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, 
urlhaus.abuse.ch/url/3845292/; classtype:trojan-activity;sid:84708392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.171.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845291/; classtype:trojan-activity;sid:84708391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbc6c1d2-b28b-4bc1-a4da-eb58e44d40e1/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845290/; classtype:trojan-activity;sid:84708390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/318e7497-2c23-423b-85a8-6bf32c3a3e5f/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845288/; classtype:trojan-activity;sid:84708388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/318e7497-2c23-423b-85a8-6bf32c3a3e5f/google.ct"; depth:47; endswith; nocase; http.host; content:"master-system-data-core-wiki.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845289/; classtype:trojan-activity;sid:84708389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3845287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a687fee0-026f-4a0c-9445-da6485dc1b0c/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845287/; classtype:trojan-activity;sid:84708387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.1.80"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845285/; classtype:trojan-activity;sid:84708385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a687fee0-026f-4a0c-9445-da6485dc1b0c/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845286/; classtype:trojan-activity;sid:84708386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.194.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845284/; classtype:trojan-activity;sid:84708384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61625e2b-2964-4a24-b118-517a1530d8a6/google.ct"; depth:47; endswith; nocase; http.host; 
content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845282/; classtype:trojan-activity;sid:84708382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/61625e2b-2964-4a24-b118-517a1530d8a6/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845283/; classtype:trojan-activity;sid:84708383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f25404cd-c086-49d0-95d6-96cf975a6eb3/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845280/; classtype:trojan-activity;sid:84708380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f25404cd-c086-49d0-95d6-96cf975a6eb3/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845281/; classtype:trojan-activity;sid:84708381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e667cbb7-d23d-48bf-8b35-74ce4ccbdce7/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; 
isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845279/; classtype:trojan-activity;sid:84708379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e667cbb7-d23d-48bf-8b35-74ce4ccbdce7/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845278/; classtype:trojan-activity;sid:84708378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9074e0da-fae9-44d6-affa-1ee12b819294/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845276/; classtype:trojan-activity;sid:84708376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9074e0da-fae9-44d6-affa-1ee12b819294/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845277/; classtype:trojan-activity;sid:84708377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.146.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845275/; classtype:trojan-activity;sid:84708375; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e62163bd-e356-4944-b6d7-3d624d640bd6/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845274/; classtype:trojan-activity;sid:84708374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e62163bd-e356-4944-b6d7-3d624d640bd6/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845273/; classtype:trojan-activity;sid:84708373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76d02749-9e33-4700-b541-3100a6eeb9e2/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845271/; classtype:trojan-activity;sid:84708371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/76d02749-9e33-4700-b541-3100a6eeb9e2/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845272/; classtype:trojan-activity;sid:84708372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3845269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f655646-1782-4f56-b81f-d3993a383a7b/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845269/; classtype:trojan-activity;sid:84708369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f655646-1782-4f56-b81f-d3993a383a7b/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845270/; classtype:trojan-activity;sid:84708370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cc531b2c-7b23-4a02-b90c-8585c37fee7e/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845267/; classtype:trojan-activity;sid:84708367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cc531b2c-7b23-4a02-b90c-8585c37fee7e/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845268/; classtype:trojan-activity;sid:84708368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845266)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.194.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845266/; classtype:trojan-activity;sid:84708366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5acd3440-d89a-428a-9d3f-5708a5ae944b/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845264/; classtype:trojan-activity;sid:84708364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5acd3440-d89a-428a-9d3f-5708a5ae944b/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845265/; classtype:trojan-activity;sid:84708365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.241.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845263/; classtype:trojan-activity;sid:84708363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/000c158a-7a7d-4ef9-bd1a-c9c9fc2fd6e4/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; 
isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845262/; classtype:trojan-activity;sid:84708362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/000c158a-7a7d-4ef9-bd1a-c9c9fc2fd6e4/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845261/; classtype:trojan-activity;sid:84708361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3f1449b9-eef4-486e-aa33-c3f2f82894e8/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845260/; classtype:trojan-activity;sid:84708360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3f1449b9-eef4-486e-aa33-c3f2f82894e8/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845259/; classtype:trojan-activity;sid:84708359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.18.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845258/; classtype:trojan-activity;sid:84708358; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.36.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845256/; classtype:trojan-activity;sid:84708356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/280ab9b1-2148-4506-b720-12f32fcb9925/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845257/; classtype:trojan-activity;sid:84708357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/280ab9b1-2148-4506-b720-12f32fcb9925/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845255/; classtype:trojan-activity;sid:84708355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/237404ff-8f03-4004-9157-8c9da91fade1/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845253/; classtype:trojan-activity;sid:84708353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845254)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/237404ff-8f03-4004-9157-8c9da91fade1/google.ct"; depth:47; endswith; nocase; http.host; content:"tech-script-logic-unit-reference.wiki"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845254/; classtype:trojan-activity;sid:84708354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.36.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845252/; classtype:trojan-activity;sid:84708352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/97079636-ada5-4c31-ad2a-0a93b0cab7ca/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845250/; classtype:trojan-activity;sid:84708350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/97079636-ada5-4c31-ad2a-0a93b0cab7ca/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845251/; classtype:trojan-activity;sid:84708351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.101.140"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845249/; classtype:trojan-activity;sid:84708349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9f61584-d3b3-49bd-9383-5affa5d4a18c/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845248/; classtype:trojan-activity;sid:84708348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9f61584-d3b3-49bd-9383-5affa5d4a18c/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845247/; classtype:trojan-activity;sid:84708347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc874e6-9d5a-42d5-a4bd-ebbad676093a/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845245/; classtype:trojan-activity;sid:84708345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc874e6-9d5a-42d5-a4bd-ebbad676093a/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, 
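urlhaus.abuse.ch/url/3845246/; classtype:trojan-activity;sid:84708346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.18.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845244/; classtype:trojan-activity;sid:84708344; rev:1;)
# NOTE(review): sid 84708342 and 84708343 below have identical match criteria
# and differ only in msg id, reference and sid, so one matching request raises
# two alerts. Presumably they come from two separate URLhaus entries for the
# same host and path (TODO confirm against the references); correlate on
# http.host + http.uri when triaging rather than counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2ae71be-342b-456c-a74f-15e7c6acf4bd/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845242/; classtype:trojan-activity;sid:84708342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2ae71be-342b-456c-a74f-15e7c6acf4bd/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845243/; classtype:trojan-activity;sid:84708343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.158.158.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845240/; classtype:trojan-activity;sid:84708340; rev:1;)
# The http.uri content of the next rule is 24 bytes once |3f| is decoded to "?".
# The feed shipped depth:27, which is the literal length of the escaped string.
# Combined with endswith, depth:27 also accepted URIs with up to three extra
# bytes in front of the pattern. depth:24 makes the rule an exact URI match,
# like the neighbouring rules whose depth equals their content length.
# This is a local correction to a generated rule; rev is left as published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=wgzsxucuuophktdk"; depth:24; endswith; nocase; http.host; content:"yywyvtur.hor1inka-lonely.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845241/; classtype:trojan-activity;sid:84708341; rev:1;)
# NOTE(review): sid 84708339 and 84708338 below are another pair with identical
# match criteria; one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca67aad4-e3ae-4be9-9e72-0761875c2b9a/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845239/; classtype:trojan-activity;sid:84708339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca67aad4-e3ae-4be9-9e72-0761875c2b9a/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845238/; classtype:trojan-activity;sid:84708338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"188.38.158.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845237/; classtype:trojan-activity;sid:84708337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18af9f4f-2c31-4130-85c8-220bd888e9e7/google.ct"; depth:47; endswith; nocase; http.host; 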
content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845236/; classtype:trojan-activity;sid:84708336; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules below (auto-generated URLhaus feed entries).
#
# Every rule is an exact-match indicator, not a behavioural signature:
#   * Header "$HOME_NET any -> $EXTERNAL_NET any" plus flow:established,from_client
#     restricts inspection to client requests leaving the protected network.
#   * http.method must contain "GET".
#   * http.uri: content + depth equal to the content length + endswith pins the
#     whole normalized request URI to the listed path (case-insensitive).
#   * http.host: content + depth equal to the content length +
#     isdataat:!1,relative pins the whole host value to the listed name or IP.
# A hit therefore means an internal client requested that exact URL; other paths
# on the same host are not covered by these rules.
#
# "alert http" only applies to traffic the HTTP app-layer parser can read.
# Requests carried inside TLS are not matched unless they are decrypted before
# the sensor, so pair this feed with DNS / TLS SNI visibility for the named
# domains if that matters in your environment.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18af9f4f-2c31-4130-85c8-220bd888e9e7/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845235/; classtype:trojan-activity;sid:84708335; rev:1;)
# NOTE(review): rules keyed on a bare IP host with a short generic path ("/i",
# "/bin.sh") depend entirely on that IP still being the reported host. The only
# date carried is metadata:created_at and no expiry is expressed, so keep the
# feed refreshed rather than leaving an old copy loaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845234/; classtype:trojan-activity;sid:84708334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"84.240.11.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845233/; classtype:trojan-activity;sid:84708333; rev:1;)
# NOTE(review): the next two rules (sid 84708331 and 84708332) carry identical
# match conditions, and the other google.ct rules in this part of the file come
# in the same kind of pair, so one request raises two alerts. Presumably the two
# URLhaus entries differ in a part the rule does not match on - confirm on the
# reference pages, and deduplicate alerts by host + URI downstream if needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26055b81-2fb6-4807-aa3a-1cfb27175afd/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845231/; classtype:trojan-activity;sid:84708331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26055b81-2fb6-4807-aa3a-1cfb27175afd/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845232/; classtype:trojan-activity;sid:84708332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4cb43a32-241e-45c2-aafe-fe3b578e74e7/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845230/; classtype:trojan-activity;sid:84708330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4cb43a32-241e-45c2-aafe-fe3b578e74e7/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845229/; classtype:trojan-activity;sid:84708329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0127ddd0-5a50-4275-9d1a-4e19ca99d171/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845227/; classtype:trojan-activity;sid:84708327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0127ddd0-5a50-4275-9d1a-4e19ca99d171/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845228/; classtype:trojan-activity;sid:84708328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845226/; classtype:trojan-activity;sid:84708326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.158.158.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845225/; classtype:trojan-activity;sid:84708325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/918c0b84-e5b0-421f-99a1-4f8e89f801cc/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845223/; classtype:trojan-activity;sid:84708323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/918c0b84-e5b0-421f-99a1-4f8e89f801cc/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845224/; classtype:trojan-activity;sid:84708324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb15536a-beb1-4cdc-8e0b-dcae28ed1549/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845222/; classtype:trojan-activity;sid:84708322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb15536a-beb1-4cdc-8e0b-dcae28ed1549/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845221/; classtype:trojan-activity;sid:84708321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845220/; classtype:trojan-activity;sid:84708320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e990fc18-0966-4b52-a667-cd31e6b885ce/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845219/; classtype:trojan-activity;sid:84708319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e990fc18-0966-4b52-a667-cd31e6b885ce/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845218/; classtype:trojan-activity;sid:84708318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.30.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845217/; classtype:trojan-activity;sid:84708317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1174c646-6fac-4a96-814a-648bfa85b4d1/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845216/; classtype:trojan-activity;sid:84708316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1174c646-6fac-4a96-814a-648bfa85b4d1/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845215/; classtype:trojan-activity;sid:84708315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.15.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845214/; classtype:trojan-activity;sid:84708314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00fa3cec-c276-47e1-ba57-3deac1b33b75/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845212/; classtype:trojan-activity;sid:84708312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00fa3cec-c276-47e1-ba57-3deac1b33b75/google.ct"; depth:47; endswith; nocase; http.host; content:"digital-node-cloud-ops-manual.wiki"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845213/; classtype:trojan-activity;sid:84708313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d19fc57b-1376-4869-bff0-8a6130c453a6/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845211/; classtype:trojan-activity;sid:84708311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d19fc57b-1376-4869-bff0-8a6130c453a6/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845210/; classtype:trojan-activity;sid:84708310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.165.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845209/; classtype:trojan-activity;sid:84708309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f53b8e3e-4480-4d7e-92c0-28a362f374c9/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845208/; classtype:trojan-activity;sid:84708308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f53b8e3e-4480-4d7e-92c0-28a362f374c9/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845207/; classtype:trojan-activity;sid:84708307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccc76c59-f07b-4b20-8416-936206895ad4/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845206/; classtype:trojan-activity;sid:84708306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccc76c59-f07b-4b20-8416-936206895ad4/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845205/; classtype:trojan-activity;sid:84708305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.255.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845204/; classtype:trojan-activity;sid:84708304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/38047451-8b12-4f88-85f7-628272d56961/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845202/; classtype:trojan-activity;sid:84708302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/38047451-8b12-4f88-85f7-628272d56961/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845203/; classtype:trojan-activity;sid:84708303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d99221c6-6d95-4d50-a347-19fdb61c6eb6/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845201/; classtype:trojan-activity;sid:84708301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d99221c6-6d95-4d50-a347-19fdb61c6eb6/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845200/; classtype:trojan-activity;sid:84708300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.249.199.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845199/; classtype:trojan-activity;sid:84708299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d69a9aae-dd4a-483e-a720-97ac3d229a59/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845198/; classtype:trojan-activity;sid:84708298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d69a9aae-dd4a-483e-a720-97ac3d229a59/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845197/; classtype:trojan-activity;sid:84708297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.157.47.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845196/; classtype:trojan-activity;sid:84708296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df49db8e-f0cd-4738-81a0-d47774f433cd/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845194/; classtype:trojan-activity;sid:84708294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df49db8e-f0cd-4738-81a0-d47774f433cd/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845195/; classtype:trojan-activity;sid:84708295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11950d60-d756-4479-b6ec-87e4ea33abd9/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845193/; classtype:trojan-activity;sid:84708293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11950d60-d756-4479-b6ec-87e4ea33abd9/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845192/; classtype:trojan-activity;sid:84708292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845191/; classtype:trojan-activity;sid:84708291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6fee7f2-a31b-4dd1-922e-f0a590cd9c6c/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845190/; classtype:trojan-activity;sid:84708290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f6fee7f2-a31b-4dd1-922e-f0a590cd9c6c/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845189/; classtype:trojan-activity;sid:84708289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1c203482-ff45-41b3-915a-a0b9e54ea2a2/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845188/; classtype:trojan-activity;sid:84708288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1c203482-ff45-41b3-915a-a0b9e54ea2a2/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845187/; classtype:trojan-activity;sid:84708287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/949ade46-b51c-48c0-90cd-82ab421b5870/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845185/; classtype:trojan-activity;sid:84708285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/949ade46-b51c-48c0-90cd-82ab421b5870/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845186/; classtype:trojan-activity;sid:84708286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.165.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845184/; classtype:trojan-activity;sid:84708284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cae9b30-7054-4ece-be89-7f724d63d822/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845182/; classtype:trojan-activity;sid:84708282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cae9b30-7054-4ece-be89-7f724d63d822/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845183/; classtype:trojan-activity;sid:84708283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06c86e9c-a0fb-41e5-9d15-b5fec3b489e7/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845181/; classtype:trojan-activity;sid:84708281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/06c86e9c-a0fb-41e5-9d15-b5fec3b489e7/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845180/; classtype:trojan-activity;sid:84708280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.148.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845179/; classtype:trojan-activity;sid:84708279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee23ff70-396f-4ad0-acb9-39b0ac7658f7/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845178/; classtype:trojan-activity;sid:84708278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee23ff70-396f-4ad0-acb9-39b0ac7658f7/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845177/; classtype:trojan-activity;sid:84708277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/977ff74c-13af-455e-a302-e88d747304af/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845176/; classtype:trojan-activity;sid:84708276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/977ff74c-13af-455e-a302-e88d747304af/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845175/; classtype:trojan-activity;sid:84708275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c89c98d6-1e20-452e-b7a5-3f0552f56f6d/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845173/; classtype:trojan-activity;sid:84708273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c89c98d6-1e20-452e-b7a5-3f0552f56f6d/google.ct"; depth:47; endswith; nocase; http.host; content:"infra-point-bits-service-atlas.wiki"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845174/; classtype:trojan-activity;sid:84708274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.231.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845172/; classtype:trojan-activity;sid:84708272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/312b2120-ea67-4f45-bb51-a01fcee8af52/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845170/; classtype:trojan-activity;sid:84708270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/312b2120-ea67-4f45-bb51-a01fcee8af52/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845171/; classtype:trojan-activity;sid:84708271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.221.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845169/; classtype:trojan-activity;sid:84708269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/341b5cb2-ebb4-43f4-a3d3-9ad26c73b10c/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845168/; classtype:trojan-activity;sid:84708268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/341b5cb2-ebb4-43f4-a3d3-9ad26c73b10c/google.ct"; depth:47; endswith; nocase; http.host; content:"web-logic-stack-dev-notebook.wiki"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845167/; classtype:trojan-activity;sid:84708267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.55.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845166/; classtype:trojan-activity;sid:84708266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845165/; classtype:trojan-activity;sid:84708265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.238.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845164/; classtype:trojan-activity;sid:84708264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.245.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845163/; classtype:trojan-activity;sid:84708263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.246.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845162/; classtype:trojan-activity;sid:84708262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.149.206.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845161/; classtype:trojan-activity;sid:84708261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.86.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845160/; classtype:trojan-activity;sid:84708260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.231.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845159/; classtype:trojan-activity;sid:84708259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.115.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845158/; classtype:trojan-activity;sid:84708258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.238.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845157/; classtype:trojan-activity;sid:84708257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.9.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845156/; classtype:trojan-activity;sid:84708256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.200.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845155/; classtype:trojan-activity;sid:84708255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.102.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845154/; classtype:trojan-activity;sid:84708254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.84.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845153/; classtype:trojan-activity;sid:84708253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.237.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845152/; classtype:trojan-activity;sid:84708252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.183.196.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845151/; classtype:trojan-activity;sid:84708251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.115.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845150/; classtype:trojan-activity;sid:84708250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.67.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845149/; classtype:trojan-activity;sid:84708249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.37.125.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845148/; classtype:trojan-activity;sid:84708248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.102.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845147/; classtype:trojan-activity;sid:84708247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.249.199.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845146/; classtype:trojan-activity;sid:84708246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.237.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845145/; classtype:trojan-activity;sid:84708245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.183.196.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845144/; classtype:trojan-activity;sid:84708244; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845143/; classtype:trojan-activity;sid:84708243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.9.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845142/; classtype:trojan-activity;sid:84708242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.67.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845141/; classtype:trojan-activity;sid:84708241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.67.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845140/; classtype:trojan-activity;sid:84708240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.249.199.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845139/; 
classtype:trojan-activity;sid:84708239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.208.157.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845138/; classtype:trojan-activity;sid:84708238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.1.39"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845137/; classtype:trojan-activity;sid:84708237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.119.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845136/; classtype:trojan-activity;sid:84708236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.233.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845135/; classtype:trojan-activity;sid:84708235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.77"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845134/; classtype:trojan-activity;sid:84708234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.67.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845133/; classtype:trojan-activity;sid:84708233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845132/; classtype:trojan-activity;sid:84708232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.244.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845131/; classtype:trojan-activity;sid:84708231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.242.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845130/; classtype:trojan-activity;sid:84708230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"221.15.242.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845129/; classtype:trojan-activity;sid:84708229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"151.237.28.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845128/; classtype:trojan-activity;sid:84708228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.119.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845127/; classtype:trojan-activity;sid:84708227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.233.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845126/; classtype:trojan-activity;sid:84708226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.125.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845125/; classtype:trojan-activity;sid:84708225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845124)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.244.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845124/; classtype:trojan-activity;sid:84708224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.201.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845123/; classtype:trojan-activity;sid:84708223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.47.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845122/; classtype:trojan-activity;sid:84708222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"151.237.28.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845121/; classtype:trojan-activity;sid:84708221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.242.91.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845120/; classtype:trojan-activity;sid:84708220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3845119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.119.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845119/; classtype:trojan-activity;sid:84708219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.47.185"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845118/; classtype:trojan-activity;sid:84708218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.183.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845117/; classtype:trojan-activity;sid:84708217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.125.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845116/; classtype:trojan-activity;sid:84708216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.201.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845115/; classtype:trojan-activity;sid:84708215; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.157.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845114/; classtype:trojan-activity;sid:84708214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.125.23.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845113/; classtype:trojan-activity;sid:84708213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.242.91.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845112/; classtype:trojan-activity;sid:84708212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toot"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845111/; classtype:trojan-activity;sid:84708211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.4.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, 
urlhaus.abuse.ch/url/3845110/; classtype:trojan-activity;sid:84708210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.115.119.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845109/; classtype:trojan-activity;sid:84708209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.183.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845108/; classtype:trojan-activity;sid:84708208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.203.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845107/; classtype:trojan-activity;sid:84708207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.132.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845106/; classtype:trojan-activity;sid:84708206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.125.23.111"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845105/; classtype:trojan-activity;sid:84708205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.127.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845104/; classtype:trojan-activity;sid:84708204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.4.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845103/; classtype:trojan-activity;sid:84708203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.83.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845102/; classtype:trojan-activity;sid:84708202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845101/; classtype:trojan-activity;sid:84708201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845100)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.54.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845100/; classtype:trojan-activity;sid:84708200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.157.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845099/; classtype:trojan-activity;sid:84708199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845098/; classtype:trojan-activity;sid:84708198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.239.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845096/; classtype:trojan-activity;sid:84708196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845097/; classtype:trojan-activity;sid:84708197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845095)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.239.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845095/; classtype:trojan-activity;sid:84708195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.168.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845094/; classtype:trojan-activity;sid:84708194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.54.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845093/; classtype:trojan-activity;sid:84708193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.117.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845092/; classtype:trojan-activity;sid:84708192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845091/; classtype:trojan-activity;sid:84708191; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845090/; classtype:trojan-activity;sid:84708190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845089/; classtype:trojan-activity;sid:84708189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.47.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845088/; classtype:trojan-activity;sid:84708188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.47.77"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845087/; classtype:trojan-activity;sid:84708187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.181.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845086/; 
classtype:trojan-activity;sid:84708186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.107.93.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845085/; classtype:trojan-activity;sid:84708185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.132.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845084/; classtype:trojan-activity;sid:84708184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.213.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845083/; classtype:trojan-activity;sid:84708183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845082/; classtype:trojan-activity;sid:84708182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.178.234"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845081/; classtype:trojan-activity;sid:84708181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845080/; classtype:trojan-activity;sid:84708180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.31.138"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845079/; classtype:trojan-activity;sid:84708179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.86.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845078/; classtype:trojan-activity;sid:84708178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845077/; classtype:trojan-activity;sid:84708177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; 
nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845076/; classtype:trojan-activity;sid:84708176; rev:1;)
# Every rule below follows one template: an outbound HTTP GET ($HOME_NET -> $EXTERNAL_NET,
# client side of an established flow) whose URI and Host both equal one URLhaus entry.
#   http.uri : content + depth:<len> + endswith -> the whole URI equals the string (nocase);
#              a query string or an extra path segment means no match.
#   http.host: content + depth:<len> + isdataat:!1,relative -> the whole Host equals the IP.
# An alert records a request for a listed URL, not proof that a payload was returned or run;
# confirm with the response/file records for the flow and the reference:url entry before
# acting on the source host.
# The "/i" rules carry only a 2-byte URI pattern, so their specificity comes entirely from
# the exact Host match.
# NOTE(review): several hosts appear with both "/i" and "/bin.sh" (e.g. 110.36.1.200,
# 115.49.227.153, 110.36.23.67); grouping alerts by destination IP gives one lead per host
# instead of one per URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845075/; classtype:trojan-activity;sid:84708175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.106.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845074/; classtype:trojan-activity;sid:84708174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.235.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845073/; classtype:trojan-activity;sid:84708173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845072/; classtype:trojan-activity;sid:84708172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845071/; classtype:trojan-activity;sid:84708171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.197.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845068/; classtype:trojan-activity;sid:84708168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.190.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845069/; classtype:trojan-activity;sid:84708169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.108.132.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845070/; classtype:trojan-activity;sid:84708170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.66.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845067/; classtype:trojan-activity;sid:84708167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845066/; classtype:trojan-activity;sid:84708166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.117.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845065/; classtype:trojan-activity;sid:84708165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.227.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845064/; classtype:trojan-activity;sid:84708164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.227.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845063/; classtype:trojan-activity;sid:84708163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.168.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845062/; classtype:trojan-activity;sid:84708162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845061/; classtype:trojan-activity;sid:84708161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845060/; classtype:trojan-activity;sid:84708160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.115.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845059/; classtype:trojan-activity;sid:84708159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.230.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845058/; classtype:trojan-activity;sid:84708158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.170.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845057/; classtype:trojan-activity;sid:84708157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.240.11.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845056/; classtype:trojan-activity;sid:84708156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.39.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845055/; classtype:trojan-activity;sid:84708155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.170.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845053/; classtype:trojan-activity;sid:84708153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.162.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845054/; classtype:trojan-activity;sid:84708154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.249"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845051/; classtype:trojan-activity;sid:84708151; rev:1;)
# Exact-match download-URL indicators: each rule fires on a client GET whose http.uri equals
# the quoted path (depth:<len> + endswith, nocase) and whose http.host equals the quoted IP
# (depth:<len> + isdataat:!1,relative). Ports are "any" on both sides.
# Only the request is inspected, so a hit shows a fetch attempt from $HOME_NET; whether
# anything was delivered has to be checked in the response/file records for the same flow.
# The (NNNNNNN) in msg and the reference:url path carry the same URLhaus id, which is the
# key for looking the entry up during triage.
# created_at changes from 2026_05_12 to 2026_05_11 partway through this group.
# NOTE(review): confirm how the deployed Suricata version fills http.host when the Host
# header carries an explicit port, since these patterns match the bare IP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.174.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845052/; classtype:trojan-activity;sid:84708152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"88.88.191.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845048/; classtype:trojan-activity;sid:84708148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.108.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845049/; classtype:trojan-activity;sid:84708149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.108.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845050/; classtype:trojan-activity;sid:84708150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.247.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845047/; classtype:trojan-activity;sid:84708147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.168.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845046/; classtype:trojan-activity;sid:84708146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.239.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845044/; classtype:trojan-activity;sid:84708144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.11.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845045/; classtype:trojan-activity;sid:84708145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.111.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845040/; classtype:trojan-activity;sid:84708140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.167.3.66"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845041/; classtype:trojan-activity;sid:84708141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.105.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845042/; classtype:trojan-activity;sid:84708142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.230.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845043/; classtype:trojan-activity;sid:84708143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.60.6.147"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845039/; classtype:trojan-activity;sid:84708139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.247.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845038/; classtype:trojan-activity;sid:84708138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.190.76.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845037/; classtype:trojan-activity;sid:84708137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.89.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845036/; classtype:trojan-activity;sid:84708136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.245.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845035/; classtype:trojan-activity;sid:84708135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.130.18.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845032/; classtype:trojan-activity;sid:84708132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.75.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845033/; classtype:trojan-activity;sid:84708133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.130.18.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845034/; classtype:trojan-activity;sid:84708134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.190.76.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_12; reference:url, urlhaus.abuse.ch/url/3845031/; classtype:trojan-activity;sid:84708131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.75.34"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845030/; classtype:trojan-activity;sid:84708130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.75.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845028/; classtype:trojan-activity;sid:84708128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.67.29"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845029/; classtype:trojan-activity;sid:84708129; rev:1;)
# URLhaus download-URL indicators dated 2026_05_11. Each rule needs all three conditions on
# one client request: method GET, http.uri equal to the quoted path (depth:<len> + endswith,
# nocase), http.host equal to the quoted IP (depth:<len> + isdataat:!1,relative).
# Because both buffers are matched as whole strings, any variation of the URL (query string,
# different path, hostname instead of IP) is outside these rules; they confirm known
# indicators and do not replace behavioural detection of script/binary downloads.
# The rules use the "http" protocol keyword, so they apply only where Suricata sees parsed
# HTTP for the flow.
# NOTE(review): every host is an IP literal; addresses can change hands after an entry is
# listed, so check the reference:url entry for current status before blocking or escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.39.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845027/; classtype:trojan-activity;sid:84708127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.95.171"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845026/; classtype:trojan-activity;sid:84708126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.137.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845025/; classtype:trojan-activity;sid:84708125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.89.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845024/; classtype:trojan-activity;sid:84708124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.219.231.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845023/; classtype:trojan-activity;sid:84708123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.109.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845022/; classtype:trojan-activity;sid:84708122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.47.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845020/; classtype:trojan-activity;sid:84708120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.29.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845021/; classtype:trojan-activity;sid:84708121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.137.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845019/; classtype:trojan-activity;sid:84708119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.197.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845017/; classtype:trojan-activity;sid:84708117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.241.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845018/; classtype:trojan-activity;sid:84708118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.118.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845011/; classtype:trojan-activity;sid:84708111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.111.165"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845012/; classtype:trojan-activity;sid:84708112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.68.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845013/; classtype:trojan-activity;sid:84708113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.67.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845014/; classtype:trojan-activity;sid:84708114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.174.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845015/; classtype:trojan-activity;sid:84708115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.125.122"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845016/; classtype:trojan-activity;sid:84708116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.118.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845010/; classtype:trojan-activity;sid:84708110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.106.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845009/; classtype:trojan-activity;sid:84708109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.73.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845008/; classtype:trojan-activity;sid:84708108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.16.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845007/; classtype:trojan-activity;sid:84708107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.26.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845006/; classtype:trojan-activity;sid:84708106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.26.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845005/; classtype:trojan-activity;sid:84708105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845004/; classtype:trojan-activity;sid:84708104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.87.246"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845003/; classtype:trojan-activity;sid:84708103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.73.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845002/; classtype:trojan-activity;sid:84708102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845001/; classtype:trojan-activity;sid:84708101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3845000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.87.246"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3845000/; classtype:trojan-activity;sid:84708100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.216.49"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844999/; classtype:trojan-activity;sid:84708099; rev:1;)
# Same template as the rest of the feed: client GET, http.uri equal to the quoted path
# (depth:<len> + endswith, nocase), http.host equal to the quoted IP
# (depth:<len> + isdataat:!1,relative). A hit records the request only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844998/; classtype:trojan-activity;sid:84708098; rev:1;)
# The remaining rules all name one host, 156.238.242.196, with paths "/linux_<arch>" and
# "/manji.<arch>". The suffixes look like per-architecture builds (arm5/6/7, aarch64, mips
# variants, ppc64/ppc64el, 386, amd64, i686) - presumably one payload set served from a
# single server; confirm against the referenced URLhaus entries.
# For triage, one internal client hitting several of these sids in a short window is a
# stronger signal than a single hit; group by source and this destination rather than
# handling each sid as a separate incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm6"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844989/; classtype:trojan-activity;sid:84708089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64el"; depth:14; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844990/; classtype:trojan-activity;sid:84708090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844991/; classtype:trojan-activity;sid:84708091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_hardfloat"; depth:23; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844992/; classtype:trojan-activity;sid:84708092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844993/; classtype:trojan-activity;sid:84708093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64el"; depth:15; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844994/; classtype:trojan-activity;sid:84708094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_softfloat"; depth:21; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844995/; classtype:trojan-activity;sid:84708095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_softfloat"; depth:23; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844996/; classtype:trojan-activity;sid:84708096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_hardfloat"; depth:21; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844997/; classtype:trojan-activity;sid:84708097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844987/; classtype:trojan-activity;sid:84708087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844988/; classtype:trojan-activity;sid:84708088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844985/; classtype:trojan-activity;sid:84708085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_386"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844986/; classtype:trojan-activity;sid:84708086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_aarch64"; depth:14; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844984/; classtype:trojan-activity;sid:84708084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844974/; classtype:trojan-activity;sid:84708074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844975/; classtype:trojan-activity;sid:84708075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844976/; classtype:trojan-activity;sid:84708076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844977)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844977/; classtype:trojan-activity;sid:84708077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844978/; classtype:trojan-activity;sid:84708078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844979/; classtype:trojan-activity;sid:84708079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844980/; classtype:trojan-activity;sid:84708080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844981/; classtype:trojan-activity;sid:84708081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3844982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844982/; classtype:trojan-activity;sid:84708082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844983/; classtype:trojan-activity;sid:84708083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.dbg"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844962/; classtype:trojan-activity;sid:84708062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844963/; classtype:trojan-activity;sid:84708063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844964/; 
classtype:trojan-activity;sid:84708064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844965/; classtype:trojan-activity;sid:84708065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844966/; classtype:trojan-activity;sid:84708066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844967/; classtype:trojan-activity;sid:84708067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844968/; classtype:trojan-activity;sid:84708068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.apk"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; 
depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844969/; classtype:trojan-activity;sid:84708069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844970/; classtype:trojan-activity;sid:84708070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm6"; depth:11; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844971/; classtype:trojan-activity;sid:84708071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844972/; classtype:trojan-activity;sid:84708072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arc"; depth:10; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844973/; classtype:trojan-activity;sid:84708073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844961)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/linux_ak.sh"; depth:12; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844961/; classtype:trojan-activity;sid:84708061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux.sh"; depth:9; endswith; nocase; http.host; content:"156.238.242.196"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844960/; classtype:trojan-activity;sid:84708060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.228.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844959/; classtype:trojan-activity;sid:84708059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.21.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844958/; classtype:trojan-activity;sid:84708058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.44.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844957/; classtype:trojan-activity;sid:84708057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3844956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.1.184"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844956/; classtype:trojan-activity;sid:84708056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844954/; classtype:trojan-activity;sid:84708054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv5"; depth:10; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844955/; classtype:trojan-activity;sid:84708055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.android-armv7"; depth:18; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844948/; classtype:trojan-activity;sid:84708048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844949/; 
classtype:trojan-activity;sid:84708049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844950/; classtype:trojan-activity;sid:84708050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7"; depth:10; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844951/; classtype:trojan-activity;sid:84708051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.android-x86_64"; depth:19; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844952/; classtype:trojan-activity;sid:84708052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.android-aarch64"; depth:20; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844953/; classtype:trojan-activity;sid:84708053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; 
content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844947/; classtype:trojan-activity;sid:84708047; rev:1;)
# NOTE(review): the rules here anchor both sticky buffers at each end. On
# http.uri, depth equals the content length and endswith pins the tail; on
# http.host, depth plus isdataat:!1,relative does the same. Only a GET for
# exactly that URI on exactly that host alerts; the same path with anything
# appended to the URI would presumably not match -- confirm against the
# sensor's URI normalisation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh"; depth:7; endswith; nocase; http.host; content:"130.78.217.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844946/; classtype:trojan-activity;sid:84708046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.21.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844945/; classtype:trojan-activity;sid:84708045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844944/; classtype:trojan-activity;sid:84708044; rev:1;)
# NOTE(review): sids 84708041, 84708042, 84708043 and 84708039 have identical
# match conditions (GET, URI exactly "/", host exactly 85.239.149.41) and
# differ only in msg, reference and sid, so one matching request raises four
# alerts. Presumably the underlying URLhaus entries differ in something these
# rules do not encode -- check the four reference URLs. When triaging,
# deduplicate on host + URI rather than counting the alerts as four separate
# downloads. A URI of "/" also means any GET for that host's root page fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"85.239.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844941/; classtype:trojan-activity;sid:84708041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"85.239.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844942/; classtype:trojan-activity;sid:84708042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"85.239.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844943/; classtype:trojan-activity;sid:84708043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.44.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844940/; classtype:trojan-activity;sid:84708040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"85.239.149.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844939/; classtype:trojan-activity;sid:84708039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844938/; classtype:trojan-activity;sid:84708038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3844937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.174.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844937/; classtype:trojan-activity;sid:84708037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.250.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844936/; classtype:trojan-activity;sid:84708036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.180.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844934/; classtype:trojan-activity;sid:84708034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.115.174.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844935/; classtype:trojan-activity;sid:84708035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.250.234"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844933/; classtype:trojan-activity;sid:84708033; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.110.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844932/; classtype:trojan-activity;sid:84708032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.150.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844931/; classtype:trojan-activity;sid:84708031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.62.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844930/; classtype:trojan-activity;sid:84708030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.94.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844929/; classtype:trojan-activity;sid:84708029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.62.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, 
urlhaus.abuse.ch/url/3844928/; classtype:trojan-activity;sid:84708028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.150.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844927/; classtype:trojan-activity;sid:84708027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.110.193"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844926/; classtype:trojan-activity;sid:84708026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.99.248.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844925/; classtype:trojan-activity;sid:84708025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.94.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844924/; classtype:trojan-activity;sid:84708024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.248.0.110"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844923/; classtype:trojan-activity;sid:84708023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844922/; classtype:trojan-activity;sid:84708022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.31.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844921/; classtype:trojan-activity;sid:84708021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.154.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844920/; classtype:trojan-activity;sid:84708020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.167.86.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844919/; classtype:trojan-activity;sid:84708019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"123.4.254.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844918/; classtype:trojan-activity;sid:84708018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.133.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844916/; classtype:trojan-activity;sid:84708016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.31.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844917/; classtype:trojan-activity;sid:84708017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.31.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844915/; classtype:trojan-activity;sid:84708015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.i468"; depth:21; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844911/; classtype:trojan-activity;sid:84708011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3844912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.x86_64"; depth:23; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844912/; classtype:trojan-activity;sid:84708012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.arm5"; depth:21; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844913/; classtype:trojan-activity;sid:84708013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844914/; classtype:trojan-activity;sid:84708014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.ppc"; depth:20; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844896/; classtype:trojan-activity;sid:84707996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.mpsl"; depth:21; endswith; nocase; http.host; 
content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844897/; classtype:trojan-activity;sid:84707997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; depth:11; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844898/; classtype:trojan-activity;sid:84707998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.mips"; depth:21; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844899/; classtype:trojan-activity;sid:84707999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.i686"; depth:21; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844900/; classtype:trojan-activity;sid:84708000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.x86"; depth:20; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844901/; classtype:trojan-activity;sid:84708001; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mpsl"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844902/; classtype:trojan-activity;sid:84708002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844903/; classtype:trojan-activity;sid:84708003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86"; depth:9; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844904/; classtype:trojan-activity;sid:84708004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.arm"; depth:20; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844905/; classtype:trojan-activity;sid:84708005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_sh4"; depth:9; endswith; 
nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844906/; classtype:trojan-activity;sid:84708006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844907/; classtype:trojan-activity;sid:84708007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_ppc"; depth:9; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844908/; classtype:trojan-activity;sid:84708008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.arc"; depth:20; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844909/; classtype:trojan-activity;sid:84708009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_m68k"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844910/; classtype:trojan-activity;sid:84708010; rev:1;) 
# URLhaus download-URL signatures, one rule per listed URL (feed order kept).
# Every rule in this run has the same shape:
#   - alert http, $HOME_NET -> $EXTERNAL_NET, any ports, established flow, client side,
#     request method GET;
#   - http.uri must equal the listed path: depth is the content length and endswith pins
#     the end of the buffer, so nothing may precede or follow it; nocase makes the path
#     comparison case-insensitive;
#   - http.host must equal the listed host: depth is the content length and
#     isdataat:!1,relative requires that no byte follows the match.
# Only request-side buffers are inspected, so an alert shows that an internal host asked
# for the URL, not that a payload was delivered; check the response and the requesting
# host when triaging.
# The rules use the http protocol keyword, so the same URL fetched over TLS is not matched
# unless the traffic is decrypted before it reaches the sensor.
# reference: points at the URLhaus entry for the id shown in msg; metadata:created_at
# records when the signature was generated and can be used to age out old entries.

# Host wefuwegfwefoewofewfweof.snoowy.top: /hiddenbin/asuna.*, /main_* and /manji.* file
# names with architecture-style suffixes (arm5, mips, x86_64, ...), plus /1.sh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.spc"; depth:20; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844895/; classtype:trojan-activity;sid:84707995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm5"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844894/; classtype:trojan-activity;sid:84707994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.sh4"; depth:20; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844892/; classtype:trojan-activity;sid:84707992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.m68k"; depth:21; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844893/; classtype:trojan-activity;sid:84707993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.arm6"; depth:21; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844888/; classtype:trojan-activity;sid:84707988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/asuna.arm7"; depth:21; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844889/; classtype:trojan-activity;sid:84707989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm7"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844890/; classtype:trojan-activity;sid:84707990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844891/; classtype:trojan-activity;sid:84707991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm"; depth:9; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844881/; classtype:trojan-activity;sid:84707981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_mips"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844882/; classtype:trojan-activity;sid:84707982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844883/; classtype:trojan-activity;sid:84707983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844884/; classtype:trojan-activity;sid:84707984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_x86_64"; depth:12; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844885/; classtype:trojan-activity;sid:84707985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844886/; classtype:trojan-activity;sid:84707986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844887/; classtype:trojan-activity;sid:84707987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main_arm6"; depth:10; endswith; nocase; http.host; content:"wefuwegfwefoewofewfweof.snoowy.top"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844880/; classtype:trojan-activity;sid:84707980; rev:1;)
# IP-literal host with the generic path /bin.sh; the path alone is not distinctive, so the
# exact host match is what keeps this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.254.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844879/; classtype:trojan-activity;sid:84707979; rev:1;)
# Host 176.65.139.7: /iran.<suffix> file names and /cat.sh. One /i rule for a different
# host (42.56.140.57, sid 84707976) is interleaved here in feed order.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844867/; classtype:trojan-activity;sid:84707967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844868/; classtype:trojan-activity;sid:84707968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844869/; classtype:trojan-activity;sid:84707969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844870/; classtype:trojan-activity;sid:84707970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844871/; classtype:trojan-activity;sid:84707971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844872/; classtype:trojan-activity;sid:84707972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844873/; classtype:trojan-activity;sid:84707973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844874/; classtype:trojan-activity;sid:84707974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844875/; classtype:trojan-activity;sid:84707975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.140.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844876/; classtype:trojan-activity;sid:84707976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844877/; classtype:trojan-activity;sid:84707977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844878/; classtype:trojan-activity;sid:84707978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844863/; classtype:trojan-activity;sid:84707963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844864/; classtype:trojan-activity;sid:84707964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844865/; classtype:trojan-activity;sid:84707965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844866/; classtype:trojan-activity;sid:84707966; rev:1;)
# IP-literal hosts with the short paths /i and /bin.sh. The same two paths recur across
# many hosts, so each rule is only as specific as its host match; an address that is later
# reassigned could keep matching until the entry leaves the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.99.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844862/; classtype:trojan-activity;sid:84707962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.133.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844861/; classtype:trojan-activity;sid:84707961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.102.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844860/; classtype:trojan-activity;sid:84707960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.140.163.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844859/; classtype:trojan-activity;sid:84707959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.208.112.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844858/; classtype:trojan-activity;sid:84707958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.37.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844857/; classtype:trojan-activity;sid:84707957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.242.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844856/; classtype:trojan-activity;sid:84707956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.99.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844855/; classtype:trojan-activity;sid:84707955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.167.3.66"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844854/; classtype:trojan-activity;sid:84707954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.176.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844853/; classtype:trojan-activity;sid:84707953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.235.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844852/; classtype:trojan-activity;sid:84707952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.208.112.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844851/; classtype:trojan-activity;sid:84707951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.254.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844850/; classtype:trojan-activity;sid:84707950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.140.163.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, 
urlhaus.abuse.ch/url/3844849/; classtype:trojan-activity;sid:84707949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.254.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844848/; classtype:trojan-activity;sid:84707948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.53.104"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844847/; classtype:trojan-activity;sid:84707947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.31.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844846/; classtype:trojan-activity;sid:84707946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.176.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844845/; classtype:trojan-activity;sid:84707945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.216.49"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844844/; classtype:trojan-activity;sid:84707944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.30.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844843/; classtype:trojan-activity;sid:84707943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.146.50.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844842/; classtype:trojan-activity;sid:84707942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.106.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844841/; classtype:trojan-activity;sid:84707941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/sl3zs40junolna/"; depth:25; endswith; nocase; http.host; content:"71.179.14.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844840/; classtype:trojan-activity;sid:84707940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844839)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/download/sl3zs40junolna/"; depth:25; endswith; nocase; http.host; content:"biteblob.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844839/; classtype:trojan-activity;sid:84707939; rev:1;)
# How to read the rules in this batch (all carry created_at 2026_05_11):
#   - direction: client in $HOME_NET to server in $EXTERNAL_NET, any port on
#     either side, established flow, request side only (from_client);
#   - http.method must contain "GET";
#   - http.uri must equal the listed path: depth equals the pattern length and
#     endswith pins the end of the buffer; nocase makes it case-insensitive;
#   - http.host must equal the listed host: depth plus isdataat:!1,relative
#     leaves no room before or after the pattern.
# NOTE(review): these are "alert http" rules, so they can only fire on traffic
# Suricata parses as HTTP; the same URL fetched over TLS is out of their reach
# unless the traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/parm7"; depth:6; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844837/; classtype:trojan-activity;sid:84707937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.106.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844836/; classtype:trojan-activity;sid:84707936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.232.32.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844835/; classtype:trojan-activity;sid:84707935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.232.32.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844834/; classtype:trojan-activity;sid:84707934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.209.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844833/; classtype:trojan-activity;sid:84707933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaws.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844827/; classtype:trojan-activity;sid:84707927; rev:1;)
# 176.65.139.112 is matched once per file name below; the suffixes (arc,
# mipsrouter, armv6l, powerpc, ...) read like CPU-architecture tags, so this is
# presumably one payload built for many targets. Confirm on the URLhaus
# reference pages before grouping the alerts in triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.arc"; depth:8; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844828/; classtype:trojan-activity;sid:84707928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsrouter"; depth:15; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844829/; classtype:trojan-activity;sid:84707929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844830/; classtype:trojan-activity;sid:84707930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844831/; classtype:trojan-activity;sid:84707931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844832/; classtype:trojan-activity;sid:84707932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844819/; classtype:trojan-activity;sid:84707919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844820/; classtype:trojan-activity;sid:84707920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844821/; classtype:trojan-activity;sid:84707921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844822/; classtype:trojan-activity;sid:84707922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844823/; classtype:trojan-activity;sid:84707923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844824/; classtype:trojan-activity;sid:84707924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844825/; classtype:trojan-activity;sid:84707925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.112"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844826/; classtype:trojan-activity;sid:84707926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844818/; classtype:trojan-activity;sid:84707918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844801/; classtype:trojan-activity;sid:84707901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844802/; classtype:trojan-activity;sid:84707902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.20.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844803/; classtype:trojan-activity;sid:84707903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3844804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844804/; classtype:trojan-activity;sid:84707904; rev:1;)
# The rules in this stretch pair an exact http.uri with an exact http.host
# (depth = pattern length, plus endswith / isdataat:!1,relative), so a hit
# means a GET for that very path on that very host; ports are "any".
# Every host in this stretch is an IPv4 literal.
# NOTE(review): an IP-literal indicator presumably ages quickly; decide how
# long rules from this batch (created_at 2026_05_11) stay enabled, and treat an
# old hit as a lead to verify rather than proof of infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844805/; classtype:trojan-activity;sid:84707905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844806/; classtype:trojan-activity;sid:84707906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844807/; classtype:trojan-activity;sid:84707907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844808/; classtype:trojan-activity;sid:84707908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844809/; classtype:trojan-activity;sid:84707909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844810/; classtype:trojan-activity;sid:84707910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844811/; classtype:trojan-activity;sid:84707911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kla.sh"; depth:12; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844812/; classtype:trojan-activity;sid:84707912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844813/; classtype:trojan-activity;sid:84707913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844814/; classtype:trojan-activity;sid:84707914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844815/; classtype:trojan-activity;sid:84707915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844816/; classtype:trojan-activity;sid:84707916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/a.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844817/; classtype:trojan-activity;sid:84707917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844798/; classtype:trojan-activity;sid:84707898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dns"; depth:4; endswith; nocase; http.host; content:"176.65.139.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844799/; classtype:trojan-activity;sid:84707899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844800/; classtype:trojan-activity;sid:84707900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844796/; classtype:trojan-activity;sid:84707896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; depth:11; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844797/; classtype:trojan-activity;sid:84707897; rev:1;)
# "/i" and "/bin.sh" are short, generic paths; in the rules that follow the
# http.host condition carries all of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.20.93.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844795/; classtype:trojan-activity;sid:84707895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844794/; classtype:trojan-activity;sid:84707894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.226.238.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844793/; classtype:trojan-activity;sid:84707893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.20.93.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844792/; classtype:trojan-activity;sid:84707892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.27.193"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844791/; classtype:trojan-activity;sid:84707891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.22.237"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844790/; classtype:trojan-activity;sid:84707890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.20.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844789/; classtype:trojan-activity;sid:84707889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.108.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844788/; classtype:trojan-activity;sid:84707888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.246.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844787/; classtype:trojan-activity;sid:84707887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.108.160"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844786/; classtype:trojan-activity;sid:84707886; rev:1;)
# Each rule below alerts on a GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri and http.host both match the listed values; source and destination
# ports are "any", so the port is not part of the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.22.237"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844785/; classtype:trojan-activity;sid:84707885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.179.74.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844784/; classtype:trojan-activity;sid:84707884; rev:1;)
# |3f| is Suricata's hex notation for "?", so the pattern in the next rule is
# the 24-byte string "/?ublib=iitxclsvszwpdyif". depth:27 equals the length of
# the escaped text instead, which would let up to three extra bytes precede
# the pattern in http.uri.
# NOTE(review): depth:24 would make this an exact match like its neighbours;
# raise it with the feed maintainer rather than editing the generated sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=iitxclsvszwpdyif"; depth:27; endswith; nocase; http.host; content:"xty75g4b.encryption5hadow.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844783/; classtype:trojan-activity;sid:84707883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.107.93.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844782/; classtype:trojan-activity;sid:84707882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.130.40.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844781/; classtype:trojan-activity;sid:84707881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.31.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844780/; classtype:trojan-activity;sid:84707880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.27.193"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844779/; classtype:trojan-activity;sid:84707879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.179.74.111"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844777/; classtype:trojan-activity;sid:84707877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844778/; classtype:trojan-activity;sid:84707878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.74.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844776/; classtype:trojan-activity;sid:84707876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.31.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844775/; classtype:trojan-activity;sid:84707875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.213.38.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844774/; classtype:trojan-activity;sid:84707874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.130.40.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844773/; classtype:trojan-activity;sid:84707873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.215.207.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844772/; classtype:trojan-activity;sid:84707872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.68.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844771/; classtype:trojan-activity;sid:84707871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.215.207.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844770/; classtype:trojan-activity;sid:84707870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.27.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844769/; classtype:trojan-activity;sid:84707869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.68.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844768/; classtype:trojan-activity;sid:84707868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.27.74"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844767/; classtype:trojan-activity;sid:84707867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.16.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844766/; classtype:trojan-activity;sid:84707866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.146.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844765/; classtype:trojan-activity;sid:84707865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.213.38.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844764/; classtype:trojan-activity;sid:84707864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.244.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844763/; classtype:trojan-activity;sid:84707863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.232.190"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844762/; classtype:trojan-activity;sid:84707862; rev:1;)
# Each rule below alerts on a GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri and http.host both equal the listed values (depth = pattern length,
# plus endswith / isdataat:!1,relative); ports are "any" on both sides.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.217.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844761/; classtype:trojan-activity;sid:84707861; rev:1;)
# The path "/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct" recurs in this
# stretch with only the host changing (glokchapigui.co, techapiguard.co,
# httpsfewapi.surf, argvlidcheck.co, authshellverif.co).
# NOTE(review): presumably one campaign rotating domains; a hit on any of
# these sids is a reason to look for the same path on hosts not listed here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct"; depth:47; endswith; nocase; http.host; content:"glokchapigui.co"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844760/; classtype:trojan-activity;sid:84707860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.252.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844759/; classtype:trojan-activity;sid:84707859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yurunphantom.png"; depth:17; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844758/; classtype:trojan-activity;sid:84707858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.244.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844757/; classtype:trojan-activity;sid:84707857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.232.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844755/; classtype:trojan-activity;sid:84707855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.132.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844756/; classtype:trojan-activity;sid:84707856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.6.219"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844754/; classtype:trojan-activity;sid:84707854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct"; depth:47; endswith; nocase; http.host; content:"techapiguard.co"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844753/; classtype:trojan-activity;sid:84707853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.217.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844752/; classtype:trojan-activity;sid:84707852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct"; depth:47; endswith; nocase; http.host; content:"httpsfewapi.surf"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844751/; classtype:trojan-activity;sid:84707851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.170.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844750/; classtype:trojan-activity;sid:84707850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.252.239"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844749/; classtype:trojan-activity;sid:84707849; rev:1;)
# The two file names on 194.156.79.120 look like remote-access client
# installers. Both rules are tied to that one host, so they say nothing about
# the same file names served from elsewhere.
# NOTE(review): presumably a legitimate remote-support tool delivered from an
# untrusted server; on a hit, check whether the client was installed and
# which relay it connects to.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"194.156.79.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844748/; classtype:trojan-activity;sid:84707848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"194.156.79.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844747/; classtype:trojan-activity;sid:84707847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.170.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844746/; classtype:trojan-activity;sid:84707846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.44.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844745/; classtype:trojan-activity;sid:84707845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.8.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844744/; classtype:trojan-activity;sid:84707844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.156.126.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844743/; classtype:trojan-activity;sid:84707843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct"; depth:47; endswith; nocase; http.host; content:"argvlidcheck.co"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844742/; classtype:trojan-activity;sid:84707842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.156.126.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844741/; classtype:trojan-activity;sid:84707841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct"; depth:47; endswith; nocase; http.host; content:"authshellverif.co"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844740/; classtype:trojan-activity;sid:84707840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.220.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844739/; classtype:trojan-activity;sid:84707839; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.220.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844738/; classtype:trojan-activity;sid:84707838; rev:1;)
# Every rule in this span pairs a bare IPv4 literal in http.host with one of
# two exact paths, /i or /bin.sh; several addresses are listed once per path
# (for example 115.55.49.73, 113.231.73.56 and 110.36.77.19). Both buffers
# are anchored to their full length (depth = content length; endswith on the
# path, isdataat:!1,relative on the host), so any other path on the same
# address does not alert.
# NOTE(review): the host match presumes the client sends the address itself
# in the Host header - TODO confirm how a Host value with an explicit port is
# normalised by the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.84.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844737/; classtype:trojan-activity;sid:84707837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.49.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844736/; classtype:trojan-activity;sid:84707836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.49.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844735/; classtype:trojan-activity;sid:84707835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.110.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844734/; classtype:trojan-activity;sid:84707834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.73.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844733/; classtype:trojan-activity;sid:84707833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844732/; classtype:trojan-activity;sid:84707832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.12.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844731/; classtype:trojan-activity;sid:84707831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.73.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844730/; classtype:trojan-activity;sid:84707830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.77.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844729/; classtype:trojan-activity;sid:84707829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.182.248.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844728/; classtype:trojan-activity;sid:84707828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.178.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844727/; classtype:trojan-activity;sid:84707827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.232.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844726/; classtype:trojan-activity;sid:84707826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.233.88.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844725/; classtype:trojan-activity;sid:84707825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"157.66.146.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844724/; classtype:trojan-activity;sid:84707824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.233.88.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844723/; classtype:trojan-activity;sid:84707823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"157.66.146.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844722/; classtype:trojan-activity;sid:84707822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844721/; classtype:trojan-activity;sid:84707821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.74.66"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844720/; classtype:trojan-activity;sid:84707820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844719)"; flow:established,from_client;
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844719/; classtype:trojan-activity;sid:84707819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.74.66"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844718/; classtype:trojan-activity;sid:84707818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.76.57.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844717/; classtype:trojan-activity;sid:84707817; rev:1;)
# NOTE(review): the path /mozi.m matches the file naming commonly reported
# for Mozi IoT botnet payloads - presumably that family; confirm against the
# referenced URLhaus entry before labelling an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.72.9.252"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844716/; classtype:trojan-activity;sid:84707816; rev:1;)
# Seven consecutive URLhaus ids (3844709-3844715) on a single host,
# 45.148.120.78, each with a different 4-5 byte path. There is one rule per
# listed URL and both buffers are matched in full, so a path on that host
# that is not listed here does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gzos"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844709/; classtype:trojan-activity;sid:84707809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35t"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844710/; classtype:trojan-activity;sid:84707810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob9f"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844711/; classtype:trojan-activity;sid:84707811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pabc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844712/; classtype:trojan-activity;sid:84707812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m9s"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844713/; classtype:trojan-activity;sid:84707813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0uc4"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844714/; classtype:trojan-activity;sid:84707814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojh"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844715/; classtype:trojan-activity;sid:84707815; rev:1;)
# The remaining rules in this span return to bare-IPv4 hosts with the exact
# paths /i and /bin.sh; each listed address appears once per path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844708/; classtype:trojan-activity;sid:84707808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.103.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844707/; classtype:trojan-activity;sid:84707807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.52.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844706/; classtype:trojan-activity;sid:84707806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.31.180.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844705/; classtype:trojan-activity;sid:84707805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.89.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844704/; classtype:trojan-activity;sid:84707804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.103.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844703/; classtype:trojan-activity;sid:84707803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.31.180.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844702/; classtype:trojan-activity;sid:84707802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.52.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844701/; classtype:trojan-activity;sid:84707801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.89.192";
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844700/; classtype:trojan-activity;sid:84707800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.234.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844699/; classtype:trojan-activity;sid:84707799; rev:1;)
# From here to the end of this span every rule names the same host,
# 45.148.120.78, and differs only in a 4-5 byte path (ids 3844685-3844698,
# then 3844659-3844662). Each rule matches the full http.uri and the full
# http.host, so only the listed URLs alert; other paths on that host are
# not covered by these rules.
# The ids are not in descending order across the two runs, so map an alert
# back to its URLhaus entry through sid / reference rather than position.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k2vc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844685/; classtype:trojan-activity;sid:84707785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cmxi"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844686/; classtype:trojan-activity;sid:84707786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a2f"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844687/; classtype:trojan-activity;sid:84707787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xhrf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844688/; classtype:trojan-activity;sid:84707788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vzpx"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844689/; classtype:trojan-activity;sid:84707789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lfyp"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844690/; classtype:trojan-activity;sid:84707790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z47t"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844691/; classtype:trojan-activity;sid:84707791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844692/; classtype:trojan-activity;sid:84707792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jw3"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844693/; classtype:trojan-activity;sid:84707793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mh3m"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844694/; classtype:trojan-activity;sid:84707794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uibe"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844695/; classtype:trojan-activity;sid:84707795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2w"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844696/; classtype:trojan-activity;sid:84707796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w0g"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844697/; classtype:trojan-activity;sid:84707797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5fl"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844698/; classtype:trojan-activity;sid:84707798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtpp"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844659/; classtype:trojan-activity;sid:84707759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gdoc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844660/; classtype:trojan-activity;sid:84707760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u0qb"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844661/; classtype:trojan-activity;sid:84707761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xuh"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844662/;
classtype:trojan-activity;sid:84707762; rev:1;)
# Every complete rule in this span names host 45.148.120.78 and a distinct
# 4-5 byte path (ids 3844663-3844684, then 3844645-3844646). http.uri and
# http.host are each anchored to their full length (depth = content length;
# endswith on the path, isdataat:!1,relative on the host), and the rules
# are "alert http" on client GET requests, so only these exact cleartext
# URLs alert. A hit records the request and does not show whether the
# server returned a payload.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rsvw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844663/; classtype:trojan-activity;sid:84707763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsb"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844664/; classtype:trojan-activity;sid:84707764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l30"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844665/; classtype:trojan-activity;sid:84707765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xerx"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844666/; classtype:trojan-activity;sid:84707766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0gj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844667/; classtype:trojan-activity;sid:84707767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ysw"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844668/; classtype:trojan-activity;sid:84707768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7at"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844669/; classtype:trojan-activity;sid:84707769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vdz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844670/; classtype:trojan-activity;sid:84707770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zz1m"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844671/; classtype:trojan-activity;sid:84707771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syo"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844672/; classtype:trojan-activity;sid:84707772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lora"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844673/; classtype:trojan-activity;sid:84707773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lvqb"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844674/; classtype:trojan-activity;sid:84707774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/udya"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844675/; classtype:trojan-activity;sid:84707775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wj8"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844676/; classtype:trojan-activity;sid:84707776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aoe"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844677/; classtype:trojan-activity;sid:84707777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bqs"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844678/; classtype:trojan-activity;sid:84707778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adua"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844679/; classtype:trojan-activity;sid:84707779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rjtm"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844680/; classtype:trojan-activity;sid:84707780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bjuc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844681/; classtype:trojan-activity;sid:84707781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/purj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844682/; classtype:trojan-activity;sid:84707782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dyr"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844683/; classtype:trojan-activity;sid:84707783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3y7"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844684/; classtype:trojan-activity;sid:84707784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nqx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844645/; classtype:trojan-activity;sid:84707745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wach"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844646/; classtype:trojan-activity;sid:84707746; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rhs"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844647/; classtype:trojan-activity;sid:84707747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5hfb"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844648/; classtype:trojan-activity;sid:84707748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is1b"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844649/; classtype:trojan-activity;sid:84707749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844650/; classtype:trojan-activity;sid:84707750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b7lm"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, 
urlhaus.abuse.ch/url/3844651/; classtype:trojan-activity;sid:84707751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4gwc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844652/; classtype:trojan-activity;sid:84707752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voqq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844653/; classtype:trojan-activity;sid:84707753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iom"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844654/; classtype:trojan-activity;sid:84707754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fdn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844655/; classtype:trojan-activity;sid:84707755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lhm"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844656/; classtype:trojan-activity;sid:84707756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/29fw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844657/; classtype:trojan-activity;sid:84707757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844658/; classtype:trojan-activity;sid:84707758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0aa"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844605/; classtype:trojan-activity;sid:84707705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tkf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844606/; classtype:trojan-activity;sid:84707706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tbnu"; 
depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844607/; classtype:trojan-activity;sid:84707707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844608/; classtype:trojan-activity;sid:84707708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h8e"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844609/; classtype:trojan-activity;sid:84707709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i5g"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844610/; classtype:trojan-activity;sid:84707710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844611/; classtype:trojan-activity;sid:84707711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844612)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m9oh"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844612/; classtype:trojan-activity;sid:84707712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y9k9"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844613/; classtype:trojan-activity;sid:84707713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dgb"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844614/; classtype:trojan-activity;sid:84707714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ky9x"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844615/; classtype:trojan-activity;sid:84707715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngl"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844616/; classtype:trojan-activity;sid:84707716; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cbj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844617/; classtype:trojan-activity;sid:84707717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kgze"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844618/; classtype:trojan-activity;sid:84707718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mxr"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844619/; classtype:trojan-activity;sid:84707719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0rw"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844620/; classtype:trojan-activity;sid:84707720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4oro"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844621/; 
classtype:trojan-activity;sid:84707721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noyi"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844622/; classtype:trojan-activity;sid:84707722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bqd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844623/; classtype:trojan-activity;sid:84707723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eikw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844624/; classtype:trojan-activity;sid:84707724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ionf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844625/; classtype:trojan-activity;sid:84707725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n1bq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844626/; classtype:trojan-activity;sid:84707726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zvr"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844627/; classtype:trojan-activity;sid:84707727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ila"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844628/; classtype:trojan-activity;sid:84707728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844629/; classtype:trojan-activity;sid:84707729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zsw"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844630/; classtype:trojan-activity;sid:84707730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgn"; depth:4; endswith; nocase; 
http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844631/; classtype:trojan-activity;sid:84707731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fek"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844632/; classtype:trojan-activity;sid:84707732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ant9"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844633/; classtype:trojan-activity;sid:84707733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jwd0"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844634/; classtype:trojan-activity;sid:84707734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rfmd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844635/; classtype:trojan-activity;sid:84707735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844636)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/z9c8"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844636/; classtype:trojan-activity;sid:84707736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcv"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844637/; classtype:trojan-activity;sid:84707737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dsq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844638/; classtype:trojan-activity;sid:84707738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9n8"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844639/; classtype:trojan-activity;sid:84707739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auy9"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844640/; classtype:trojan-activity;sid:84707740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3844641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qua"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844641/; classtype:trojan-activity;sid:84707741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2rm9"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844642/; classtype:trojan-activity;sid:84707742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fpt"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844643/; classtype:trojan-activity;sid:84707743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1ic"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844644/; classtype:trojan-activity;sid:84707744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0nw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844599/; classtype:trojan-activity;sid:84707699; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rbk"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844600/; classtype:trojan-activity;sid:84707700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h2l"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844601/; classtype:trojan-activity;sid:84707701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8zz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844602/; classtype:trojan-activity;sid:84707702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ckj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844603/; classtype:trojan-activity;sid:84707703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nvt"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, 
urlhaus.abuse.ch/url/3844604/; classtype:trojan-activity;sid:84707704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dakc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844582/; classtype:trojan-activity;sid:84707682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sjfx"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844583/; classtype:trojan-activity;sid:84707683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ksn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844584/; classtype:trojan-activity;sid:84707684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hfm8"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844585/; classtype:trojan-activity;sid:84707685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ymkj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844586/; classtype:trojan-activity;sid:84707686; rev:1;)
# URLhaus download-URL signatures, one rule per URLhaus entry; the entry id is the number in msg
# and in the reference URL, and in every rule shown here the sid equals that id plus 80863100.
# All rules in this run share one shape: an established, client-to-server HTTP GET from $HOME_NET
# to $EXTERNAL_NET whose http.host is exactly 45.148.120.78 (depth:13 plus isdataat:!1,relative
# leaves no room for further bytes) and whose http.uri is exactly the listed path, compared
# case-insensitively (depth equals the pattern length and endswith anchors the end).
# Coverage limits that follow from that shape: the same path with a query string or an extra
# segment does not alert, a request with another method does not alert, and a fetch carried
# inside TLS is not covered unless the traffic is decrypted before inspection.
# A hit identifies the internal client that requested the URL; the reference URL gives the
# URLhaus record to consult during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ida"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844587/; classtype:trojan-activity;sid:84707687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojmw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844588/; classtype:trojan-activity;sid:84707688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clw4"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844589/; classtype:trojan-activity;sid:84707689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q8hm"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844590/; classtype:trojan-activity;sid:84707690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ucun"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844591/; classtype:trojan-activity;sid:84707691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uef"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844592/; classtype:trojan-activity;sid:84707692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrfo"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844593/; classtype:trojan-activity;sid:84707693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u1l"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844594/; classtype:trojan-activity;sid:84707694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/08c"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844595/; classtype:trojan-activity;sid:84707695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kecs"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844596/; classtype:trojan-activity;sid:84707696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844597/; classtype:trojan-activity;sid:84707697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktk"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844598/; classtype:trojan-activity;sid:84707698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d5um"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844542/; classtype:trojan-activity;sid:84707642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uxtj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844543/; classtype:trojan-activity;sid:84707643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rgja"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844544/; classtype:trojan-activity;sid:84707644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qx6x"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844545/; classtype:trojan-activity;sid:84707645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gg5r"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844546/; classtype:trojan-activity;sid:84707646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844547/; classtype:trojan-activity;sid:84707647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b9a"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844548/; classtype:trojan-activity;sid:84707648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j11"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844549/; classtype:trojan-activity;sid:84707649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ecq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844550/; classtype:trojan-activity;sid:84707650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eaa"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844551/; classtype:trojan-activity;sid:84707651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feb4"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844552/; classtype:trojan-activity;sid:84707652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hhp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844553/; classtype:trojan-activity;sid:84707653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q4e"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844554/; classtype:trojan-activity;sid:84707654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3ec"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844555/; classtype:trojan-activity;sid:84707655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kv6m"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844556/; classtype:trojan-activity;sid:84707656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/531"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844557/; classtype:trojan-activity;sid:84707657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vu7"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844558/; classtype:trojan-activity;sid:84707658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tr0"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844559/; classtype:trojan-activity;sid:84707659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h7p"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844560/; classtype:trojan-activity;sid:84707660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ue"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844561/; classtype:trojan-activity;sid:84707661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bxsi"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844562/; classtype:trojan-activity;sid:84707662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ecz9"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844563/; classtype:trojan-activity;sid:84707663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/esuu"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844564/; classtype:trojan-activity;sid:84707664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o8r"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844565/; classtype:trojan-activity;sid:84707665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xqx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844566/; classtype:trojan-activity;sid:84707666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ylk"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844567/; classtype:trojan-activity;sid:84707667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o6bn"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844568/; classtype:trojan-activity;sid:84707668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uu6"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844569/; classtype:trojan-activity;sid:84707669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k8d"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844570/; classtype:trojan-activity;sid:84707670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1bz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844571/; classtype:trojan-activity;sid:84707671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j5k"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844572/; classtype:trojan-activity;sid:84707672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ikj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844573/; classtype:trojan-activity;sid:84707673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uyo"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844574/; classtype:trojan-activity;sid:84707674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9ce"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844575/; classtype:trojan-activity;sid:84707675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vbfl"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844576/; classtype:trojan-activity;sid:84707676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dri"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844577/; classtype:trojan-activity;sid:84707677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lm7"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844578/; classtype:trojan-activity;sid:84707678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e5zf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844579/; classtype:trojan-activity;sid:84707679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ehl1"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844580/; classtype:trojan-activity;sid:84707680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xalp"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844581/; classtype:trojan-activity;sid:84707681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i7vn"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844510/; classtype:trojan-activity;sid:84707610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvd7"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844511/; classtype:trojan-activity;sid:84707611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yhp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844512/; classtype:trojan-activity;sid:84707612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z0j"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844513/; classtype:trojan-activity;sid:84707613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mafd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844514/; classtype:trojan-activity;sid:84707614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ker"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844515/; classtype:trojan-activity;sid:84707615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lip"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844516/; classtype:trojan-activity;sid:84707616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hqb"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844517/; classtype:trojan-activity;sid:84707617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4pwj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844518/; classtype:trojan-activity;sid:84707618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t644"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844519/; classtype:trojan-activity;sid:84707619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aijh"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844520/; classtype:trojan-activity;sid:84707620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzbg"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844521/; classtype:trojan-activity;sid:84707621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xiq8"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844522/; classtype:trojan-activity;sid:84707622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ik8d"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844523/; classtype:trojan-activity;sid:84707623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844524/; classtype:trojan-activity;sid:84707624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ju1x"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844525/; classtype:trojan-activity;sid:84707625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rezt"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844526/; classtype:trojan-activity;sid:84707626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sia"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844527/; classtype:trojan-activity;sid:84707627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bn6o"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844528/; classtype:trojan-activity;sid:84707628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba05"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844529/; classtype:trojan-activity;sid:84707629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9kqq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844530/; classtype:trojan-activity;sid:84707630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qlk"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844531/; classtype:trojan-activity;sid:84707631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nul0"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844532/; classtype:trojan-activity;sid:84707632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5jx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844533/; classtype:trojan-activity;sid:84707633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frv"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844534/; classtype:trojan-activity;sid:84707634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zx23"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844535/; classtype:trojan-activity;sid:84707635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3nhm"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844536/; classtype:trojan-activity;sid:84707636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rdg"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844537/; classtype:trojan-activity;sid:84707637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/27vp"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844538/; classtype:trojan-activity;sid:84707638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgo"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844539/; classtype:trojan-activity;sid:84707639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emy4"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844540/; classtype:trojan-activity;sid:84707640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdvg"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844541/; classtype:trojan-activity;sid:84707641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hsal"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844509/; classtype:trojan-activity;sid:84707609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g1g"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844492/; classtype:trojan-activity;sid:84707592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q6p"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844493/; classtype:trojan-activity;sid:84707593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ftqf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844494/; classtype:trojan-activity;sid:84707594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lix"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844495/; classtype:trojan-activity;sid:84707595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p5b"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844496/; classtype:trojan-activity;sid:84707596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jyuy"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844497/; classtype:trojan-activity;sid:84707597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kxao"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844498/; classtype:trojan-activity;sid:84707598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omi"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844499/; classtype:trojan-activity;sid:84707599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsm"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844500/; classtype:trojan-activity;sid:84707600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844501/; classtype:trojan-activity;sid:84707601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/riv"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844502/; classtype:trojan-activity;sid:84707602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hac"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844503/; classtype:trojan-activity;sid:84707603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hlw"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844504/; classtype:trojan-activity;sid:84707604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xjn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844505/; classtype:trojan-activity;sid:84707605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v99g"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844506/; classtype:trojan-activity;sid:84707606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wvn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, 
urlhaus.abuse.ch/url/3844507/; classtype:trojan-activity;sid:84707607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3tbq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844508/; classtype:trojan-activity;sid:84707608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ktlt"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844470/; classtype:trojan-activity;sid:84707570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjr1"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844471/; classtype:trojan-activity;sid:84707571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844472/; classtype:trojan-activity;sid:84707572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d9e"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844473/; classtype:trojan-activity;sid:84707573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orlt"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844474/; classtype:trojan-activity;sid:84707574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lr3l"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844475/; classtype:trojan-activity;sid:84707575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qayq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844476/; classtype:trojan-activity;sid:84707576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vhx1"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844477/; classtype:trojan-activity;sid:84707577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b2j"; 
depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844478/; classtype:trojan-activity;sid:84707578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sd2"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844479/; classtype:trojan-activity;sid:84707579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rhge"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844480/; classtype:trojan-activity;sid:84707580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuhr"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844481/; classtype:trojan-activity;sid:84707581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sfw"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844482/; classtype:trojan-activity;sid:84707582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844483)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lhmq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844483/; classtype:trojan-activity;sid:84707583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc4"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844484/; classtype:trojan-activity;sid:84707584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwpc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844485/; classtype:trojan-activity;sid:84707585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbwi"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844486/; classtype:trojan-activity;sid:84707586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imms"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844487/; classtype:trojan-activity;sid:84707587; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p9e"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844488/; classtype:trojan-activity;sid:84707588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nb0"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844489/; classtype:trojan-activity;sid:84707589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8cv"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844490/; classtype:trojan-activity;sid:84707590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vcy"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844491/; classtype:trojan-activity;sid:84707591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.i468"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844469/; 
classtype:trojan-activity;sid:84707569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qsj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844439/; classtype:trojan-activity;sid:84707539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7o9m"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844440/; classtype:trojan-activity;sid:84707540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844441/; classtype:trojan-activity;sid:84707541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844442/; classtype:trojan-activity;sid:84707542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7agj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844443/; classtype:trojan-activity;sid:84707543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oj3t"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844444/; classtype:trojan-activity;sid:84707544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zq4m"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844445/; classtype:trojan-activity;sid:84707545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6bar"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844446/; classtype:trojan-activity;sid:84707546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vlvd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844447/; classtype:trojan-activity;sid:84707547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2kc"; depth:4; endswith; 
nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844448/; classtype:trojan-activity;sid:84707548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gmii"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844449/; classtype:trojan-activity;sid:84707549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwk"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844450/; classtype:trojan-activity;sid:84707550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bq8c"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844451/; classtype:trojan-activity;sid:84707551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844452/; classtype:trojan-activity;sid:84707552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844453)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/plf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844453/; classtype:trojan-activity;sid:84707553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fx1s"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844454/; classtype:trojan-activity;sid:84707554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nppd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844455/; classtype:trojan-activity;sid:84707555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d9h"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844456/; classtype:trojan-activity;sid:84707556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kdq1"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844457/; classtype:trojan-activity;sid:84707557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3844458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gwx7"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844458/; classtype:trojan-activity;sid:84707558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcdp"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844459/; classtype:trojan-activity;sid:84707559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7tk"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844460/; classtype:trojan-activity;sid:84707560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l9s"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844461/; classtype:trojan-activity;sid:84707561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a8o"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844462/; classtype:trojan-activity;sid:84707562; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzs"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844463/; classtype:trojan-activity;sid:84707563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ezx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844464/; classtype:trojan-activity;sid:84707564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lcbd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844465/; classtype:trojan-activity;sid:84707565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o32h"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844466/; classtype:trojan-activity;sid:84707566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/om0"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, 
urlhaus.abuse.ch/url/3844467/; classtype:trojan-activity;sid:84707567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tyo"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844468/; classtype:trojan-activity;sid:84707568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l9fh"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844424/; classtype:trojan-activity;sid:84707524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x5d"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844425/; classtype:trojan-activity;sid:84707525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pa14"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844426/; classtype:trojan-activity;sid:84707526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m6my"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844427/; classtype:trojan-activity;sid:84707527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qd0s"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844428/; classtype:trojan-activity;sid:84707528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xjyv"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844429/; classtype:trojan-activity;sid:84707529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssr"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844430/; classtype:trojan-activity;sid:84707530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmxr"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844431/; classtype:trojan-activity;sid:84707531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vv0"; 
depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844432/; classtype:trojan-activity;sid:84707532; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the entries that follow (comments only; the rule text is
# unchanged, re-flowed to one rule per line).
#
# Every complete rule in this run has the same shape:
#   * alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client:
#     the client side of an established outbound HTTP flow.
#   * http.method must contain "GET".
#   * http.uri: content + depth (equal to the content length) + endswith
#     anchors the pattern at both ends of the buffer, so the URI has to equal
#     the listed path; nocase makes the comparison case-insensitive. A request
#     for the same path with anything appended (for example a query string)
#     does not match.
#   * http.host: content "45.148.120.78" with depth:13 and
#     isdataat:!1,relative (no byte after the match) requires the host buffer
#     to be exactly that address.
#   * msg and reference carry the URLhaus entry id for triage.
# All complete rules here share host 45.148.120.78 and created_at 2026_05_11;
# they differ only in URI path, URLhaus id and sid.
#
# Operational caveats:
#   * These rules fire only on traffic Suricata parses as HTTP; the same
#     download over TLS is not covered unless it is decrypted upstream.
#   * The action is alert, not drop: a hit records the request, it does not
#     stop it.
#   * The entries are point-in-time indicators; check the reference URL for
#     the current status of an entry before acting on a hit.
# NOTE(review): sticky-buffer keywords (http.method, http.uri, http.host) and
# the modifiers after them are order-dependent; keep the option order as
# generated when editing or de-duplicating.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o4bn"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844433/; classtype:trojan-activity;sid:84707533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swbd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844434/; classtype:trojan-activity;sid:84707534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rtyq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844435/; classtype:trojan-activity;sid:84707535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bom"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844436/; classtype:trojan-activity;sid:84707536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x3a"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844437/; classtype:trojan-activity;sid:84707537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r7hc"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844438/; classtype:trojan-activity;sid:84707538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gwxj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844399/; classtype:trojan-activity;sid:84707499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844400/; classtype:trojan-activity;sid:84707500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/09h"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844401/; classtype:trojan-activity;sid:84707501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fown"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844402/; classtype:trojan-activity;sid:84707502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jlli"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844403/; classtype:trojan-activity;sid:84707503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ra8s"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844404/; classtype:trojan-activity;sid:84707504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifb"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844405/; classtype:trojan-activity;sid:84707505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4b9"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844406/; classtype:trojan-activity;sid:84707506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kmq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844407/; classtype:trojan-activity;sid:84707507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844408/; classtype:trojan-activity;sid:84707508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ges"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844409/; classtype:trojan-activity;sid:84707509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggur"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844410/; classtype:trojan-activity;sid:84707510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6jpw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844411/; classtype:trojan-activity;sid:84707511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gato"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844412/; classtype:trojan-activity;sid:84707512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1fm"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844413/; classtype:trojan-activity;sid:84707513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tzj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844414/; classtype:trojan-activity;sid:84707514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dwa"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844415/; classtype:trojan-activity;sid:84707515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7igs"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844416/; classtype:trojan-activity;sid:84707516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1ot"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844417/; classtype:trojan-activity;sid:84707517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844418/; classtype:trojan-activity;sid:84707518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0jw5"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844419/; classtype:trojan-activity;sid:84707519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvnk"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844420/; classtype:trojan-activity;sid:84707520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k4e"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844421/; classtype:trojan-activity;sid:84707521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qilu"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844422/; classtype:trojan-activity;sid:84707522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5cdd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844423/; classtype:trojan-activity;sid:84707523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/os0y"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844372/; classtype:trojan-activity;sid:84707472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auc"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844373/; classtype:trojan-activity;sid:84707473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a6j"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844374/; classtype:trojan-activity;sid:84707474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ce6"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844375/; classtype:trojan-activity;sid:84707475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3fd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844376/; classtype:trojan-activity;sid:84707476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhhg"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844377/; classtype:trojan-activity;sid:84707477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lsmw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844378/; classtype:trojan-activity;sid:84707478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plv"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844379/; classtype:trojan-activity;sid:84707479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jszf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844380/; classtype:trojan-activity;sid:84707480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9p74"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844381/; classtype:trojan-activity;sid:84707481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dqp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844382/; classtype:trojan-activity;sid:84707482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x5e0"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844383/; classtype:trojan-activity;sid:84707483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b3xs"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844384/; classtype:trojan-activity;sid:84707484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/709"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844385/; classtype:trojan-activity;sid:84707485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/st6h"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844386/; classtype:trojan-activity;sid:84707486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kgzk"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844387/; classtype:trojan-activity;sid:84707487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f4m"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844388/; classtype:trojan-activity;sid:84707488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1bqw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844389/; classtype:trojan-activity;sid:84707489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ecz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844390/; classtype:trojan-activity;sid:84707490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cuah"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844391/; classtype:trojan-activity;sid:84707491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heej"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844392/; classtype:trojan-activity;sid:84707492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sngv"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844393/; classtype:trojan-activity;sid:84707493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdkh"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844394/; classtype:trojan-activity;sid:84707494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1og"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844395/; classtype:trojan-activity;sid:84707495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3fvx"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844396/; classtype:trojan-activity;sid:84707496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r4op"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844397/; classtype:trojan-activity;sid:84707497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/id9h"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844398/; classtype:trojan-activity;sid:84707498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2k"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844362/; classtype:trojan-activity;sid:84707462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sfp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844363/; classtype:trojan-activity;sid:84707463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844364/; classtype:trojan-activity;sid:84707464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uvh"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844365/; classtype:trojan-activity;sid:84707465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844366/; classtype:trojan-activity;sid:84707466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ual"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844367/; classtype:trojan-activity;sid:84707467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a7y"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844368/; classtype:trojan-activity;sid:84707468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d3tx"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844369/; classtype:trojan-activity;sid:84707469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ezy"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844370/; classtype:trojan-activity;sid:84707470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ge8"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844371/; classtype:trojan-activity;sid:84707471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laf"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844360/; classtype:trojan-activity;sid:84707460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hrt"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844361/; classtype:trojan-activity;sid:84707461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xait"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844322/; classtype:trojan-activity;sid:84707422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dw38"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844323/; classtype:trojan-activity;sid:84707423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ees"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844324/; classtype:trojan-activity;sid:84707424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l7u"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844325/; classtype:trojan-activity;sid:84707425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6dku"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844326/; classtype:trojan-activity;sid:84707426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gt7d"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844327/; classtype:trojan-activity;sid:84707427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ndsr"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844328/; classtype:trojan-activity;sid:84707428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvi"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844329/; classtype:trojan-activity;sid:84707429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdg"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844330/; classtype:trojan-activity;sid:84707430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dgjb"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844331/; classtype:trojan-activity;sid:84707431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2lnw"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844332/; classtype:trojan-activity;sid:84707432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ulhn"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844333/; classtype:trojan-activity;sid:84707433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a7pl"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844334/; classtype:trojan-activity;sid:84707434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umes"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844335/; classtype:trojan-activity;sid:84707435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lj3"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844336/; classtype:trojan-activity;sid:84707436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2as"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844337/; classtype:trojan-activity;sid:84707437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oc6"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844338/; classtype:trojan-activity;sid:84707438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3myb"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844339/; classtype:trojan-activity;sid:84707439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lpb"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844340/; classtype:trojan-activity;sid:84707440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x0ri"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844341/; classtype:trojan-activity;sid:84707441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pplt"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844342/; classtype:trojan-activity;sid:84707442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51ez"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844343/; classtype:trojan-activity;sid:84707443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9xu"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844344/; classtype:trojan-activity;sid:84707444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844345/; classtype:trojan-activity;sid:84707445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uiwg"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844346/; classtype:trojan-activity;sid:84707446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56u"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844347/; classtype:trojan-activity;sid:84707447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kpq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844348/; classtype:trojan-activity;sid:84707448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q69w"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844349/; classtype:trojan-activity;sid:84707449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qf2"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844350/; classtype:trojan-activity;sid:84707450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tln"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844351/; classtype:trojan-activity;sid:84707451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avd"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844352/; classtype:trojan-activity;sid:84707452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cap"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844353/; classtype:trojan-activity;sid:84707453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nd6h"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844354/; classtype:trojan-activity;sid:84707454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pezf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844355/; classtype:trojan-activity;sid:84707455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n6c"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844356/; classtype:trojan-activity;sid:84707456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56t"; 
depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844357/; classtype:trojan-activity;sid:84707457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tzu"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844358/; classtype:trojan-activity;sid:84707458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63x"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844359/; classtype:trojan-activity;sid:84707459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evo"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844320/; classtype:trojan-activity;sid:84707420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kpj7"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844321/; classtype:trojan-activity;sid:84707421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844280)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwfl"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844280/; classtype:trojan-activity;sid:84707380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844281/; classtype:trojan-activity;sid:84707381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15ex"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844282/; classtype:trojan-activity;sid:84707382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qjh"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844283/; classtype:trojan-activity;sid:84707383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btlu"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844284/; classtype:trojan-activity;sid:84707384; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agmy"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844285/; classtype:trojan-activity;sid:84707385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bkvd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844286/; classtype:trojan-activity;sid:84707386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844287/; classtype:trojan-activity;sid:84707387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/554"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844288/; classtype:trojan-activity;sid:84707388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r51"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844289/; 
classtype:trojan-activity;sid:84707389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8gt"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844290/; classtype:trojan-activity;sid:84707390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j9r5"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844291/; classtype:trojan-activity;sid:84707391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zhtm"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844292/; classtype:trojan-activity;sid:84707392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puhh"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844293/; classtype:trojan-activity;sid:84707393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jujt"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844294/; classtype:trojan-activity;sid:84707394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4zb"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844295/; classtype:trojan-activity;sid:84707395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e6av"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844296/; classtype:trojan-activity;sid:84707396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y0pg"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844297/; classtype:trojan-activity;sid:84707397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wgb"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844298/; classtype:trojan-activity;sid:84707398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36n"; depth:4; endswith; nocase; 
http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844299/; classtype:trojan-activity;sid:84707399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z54a"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844300/; classtype:trojan-activity;sid:84707400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1x"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844301/; classtype:trojan-activity;sid:84707401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lig2"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844302/; classtype:trojan-activity;sid:84707402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cax"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844303/; classtype:trojan-activity;sid:84707403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844304)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/hin9"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844304/; classtype:trojan-activity;sid:84707404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqc2"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844305/; classtype:trojan-activity;sid:84707405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pfg"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844306/; classtype:trojan-activity;sid:84707406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pi6b"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844307/; classtype:trojan-activity;sid:84707407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/98j"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844308/; classtype:trojan-activity;sid:84707408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3844309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yas"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844309/; classtype:trojan-activity;sid:84707409; rev:1;)
# Review notes: the rules from here to sid:84707419 pin Host 45.148.120.78 plus one short
# URI each. In every rule `depth` equals the content length; with `endswith` on http.uri
# and isdataat:!1,relative on http.host, both buffers must equal the given string exactly
# (the URI case-insensitively, via nocase). A request for the same path with a query
# string appended is therefore not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cz4"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844310/; classtype:trojan-activity;sid:84707410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ehy5"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844311/; classtype:trojan-activity;sid:84707411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d86f"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844312/; classtype:trojan-activity;sid:84707412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mri"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844313/; classtype:trojan-activity;sid:84707413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/47o7"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844314/; classtype:trojan-activity;sid:84707414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vax"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844315/; classtype:trojan-activity;sid:84707415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bddg"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844316/; classtype:trojan-activity;sid:84707416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rmfq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844317/; classtype:trojan-activity;sid:84707417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pfx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844318/; classtype:trojan-activity;sid:84707418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wezd"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844319/; classtype:trojan-activity;sid:84707419; rev:1;)
# Review notes: the remaining rules match only two URIs, "/i" and "/bin.sh", each paired
# with a bare-IP Host. Those URIs are generic on their own, so the exact Host value
# carries all the specificity of the signature.
#  - Several hosts appear twice, once per URI (e.g. 182.127.126.43, 59.184.56.114);
#    grouping alerts by destination keeps one client's activity from being triaged as
#    unrelated events.
#  - IP-keyed indicators can go stale when an address changes hands. The only age signal
#    in the rule is metadata:created_at (2026_05_10 and 2026_05_11 here); use it when
#    retiring or down-weighting entries.
#  - `alert http` works on parsed HTTP only, and the action is `alert` in the direction
#    $HOME_NET -> $EXTERNAL_NET: a hit means an internal client sent the request, not that
#    a payload was delivered or run. Confirm against the response / file logs and the host.
#    NOTE(review): whether a Host header carrying an explicit port still matches depends
#    on how the engine normalizes http.host; confirm on the deployed Suricata version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.234.14"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844279/; classtype:trojan-activity;sid:84707379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.126.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844278/; classtype:trojan-activity;sid:84707378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844276/; classtype:trojan-activity;sid:84707376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.231.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844277/; classtype:trojan-activity;sid:84707377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.126.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844275/; classtype:trojan-activity;sid:84707375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.31.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844274/; classtype:trojan-activity;sid:84707374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.52.255.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844273/; classtype:trojan-activity;sid:84707373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.184.56.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844272/; classtype:trojan-activity;sid:84707372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.184.56.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844271/; classtype:trojan-activity;sid:84707371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.100.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844270/; classtype:trojan-activity;sid:84707370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.234.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844269/; classtype:trojan-activity;sid:84707369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.52.255.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844268/; classtype:trojan-activity;sid:84707368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.110.10"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844267/; classtype:trojan-activity;sid:84707367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.18.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844266/; classtype:trojan-activity;sid:84707366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844265/; classtype:trojan-activity;sid:84707365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.85.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844264/; classtype:trojan-activity;sid:84707364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.100.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844263/; classtype:trojan-activity;sid:84707363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.110.10"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844262/; classtype:trojan-activity;sid:84707362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.234.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844261/; classtype:trojan-activity;sid:84707361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.18.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844260/; classtype:trojan-activity;sid:84707360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_11; reference:url, urlhaus.abuse.ch/url/3844259/; classtype:trojan-activity;sid:84707359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.144.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844258/; classtype:trojan-activity;sid:84707358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.15.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844257/; classtype:trojan-activity;sid:84707357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.230.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844256/; classtype:trojan-activity;sid:84707356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.180.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844255/; classtype:trojan-activity;sid:84707355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844254/; classtype:trojan-activity;sid:84707354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.190.11"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844253/; classtype:trojan-activity;sid:84707353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.140.231.73"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844252/; classtype:trojan-activity;sid:84707352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.180.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844251/; classtype:trojan-activity;sid:84707351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.111.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844250/; classtype:trojan-activity;sid:84707350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.155.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844249/; classtype:trojan-activity;sid:84707349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844248/; classtype:trojan-activity;sid:84707348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"71.207.128.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844247/; classtype:trojan-activity;sid:84707347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.155.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844246/; classtype:trojan-activity;sid:84707346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844245/; classtype:trojan-activity;sid:84707345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.109.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844244/; classtype:trojan-activity;sid:84707344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"71.207.128.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844243/; classtype:trojan-activity;sid:84707343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844242)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.150.204"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844242/; classtype:trojan-activity;sid:84707342; rev:1;)
# The line above is the tail of the rule for URLhaus entry 3844242; its opening
# sits on the preceding line of the file.
#
# --- URLhaus entries 3844241-3844215 ---
# Layout: one rule per line (Suricata only continues a rule across lines when the
# line ends with a backslash).
# All rules here share one shape: a cleartext HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri equals the listed path (content + depth + endswith,
# case-insensitive via nocase) and whose http.host equals the listed host
# (content + depth + isdataat:!1,relative). Both must match exactly, so a different
# path on the same host, or the same path with a query string, does not alert.
# Triage: the alert's source address is the internal client that issued the GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.152.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844241/; classtype:trojan-activity;sid:84707341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.109.159"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844240/; classtype:trojan-activity;sid:84707340; rev:1;)
# 176.65.139.159: twelve paths under /bins/. The name suffixes look like
# CPU-architecture tags (x86, mpsl, arm/arm5/arm6/arm7, x86_64, mips, spc, sh4, ppc,
# m68k) - presumably one payload built per architecture; TODO confirm on the
# URLhaus entries. Hits on any of them from one client belong to the same case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844232/; classtype:trojan-activity;sid:84707332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844233/; classtype:trojan-activity;sid:84707333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844234/; classtype:trojan-activity;sid:84707334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844235/; classtype:trojan-activity;sid:84707335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844236/; classtype:trojan-activity;sid:84707336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844237/; classtype:trojan-activity;sid:84707337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844238/; classtype:trojan-activity;sid:84707338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844239/; classtype:trojan-activity;sid:84707339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844228/; classtype:trojan-activity;sid:84707328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844229/; classtype:trojan-activity;sid:84707329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844230/; classtype:trojan-activity;sid:84707330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844231/; classtype:trojan-activity;sid:84707331; rev:1;)
# Back to bare-IP hosts serving "/i", "/bin.sh" and "/bot.i486".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.86.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844227/; classtype:trojan-activity;sid:84707327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i486"; depth:9; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844226/; classtype:trojan-activity;sid:84707326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.142.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844225/; classtype:trojan-activity;sid:84707325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.86.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844224/; classtype:trojan-activity;sid:84707324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.100.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844223/; classtype:trojan-activity;sid:84707323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.112.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844222/; classtype:trojan-activity;sid:84707322; rev:1;)
# 104.236.37.21 is listed for both "/1.sh" and "/masscan". The second path shares
# its name with the masscan port scanner; whether the file is that tool is not
# established by the rule - check the URLhaus entry, and review the client's
# outbound connection volume after a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"104.236.37.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844221/; classtype:trojan-activity;sid:84707321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/masscan"; depth:8; endswith; nocase; http.host; content:"104.236.37.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844220/; classtype:trojan-activity;sid:84707320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844219/; classtype:trojan-activity;sid:84707319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.25.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844218/; classtype:trojan-activity;sid:84707318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.111.43"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844217/; classtype:trojan-activity;sid:84707317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.25.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844216/; classtype:trojan-activity;sid:84707316; rev:1;)
# First hostname-based entries in this run (bernasibutuwqu2.com). An `alert http`
# rule only sees requests Suricata parses as HTTP, so a fetch of the same URL over
# TLS is not covered unless traffic is decrypted upstream; matching the hostname
# with tls.sni or dns.query is a complementary option.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug/loader.sh"; depth:16; endswith; nocase; http.host; content:"bernasibutuwqu2.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844215/; classtype:trojan-activity;sid:84707315; rev:1;)
# Opening of the rule for entry 3844214; it continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug/payload.applescript"; depth:26; endswith; nocase; http.host; content:"bernasibutuwqu2.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844214/; 
classtype:trojan-activity;sid:84707314; rev:1;)
# The line above closes the rule for URLhaus entry 3844214 (sid 84707314); the rest
# of that rule sits on the preceding line of the file.
#
# --- URLhaus entries 3844213-3844186 ---
# Layout: one rule per line (Suricata only continues a rule across lines when the
# line ends with a backslash).
# Same rule shape throughout: cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET,
# http.uri pinned to the listed path (content + depth + endswith, nocase) and
# http.host pinned to the listed host (content + depth + isdataat:!1,relative).
# Three groups are interleaved below:
#   * 62.60.226.140  - /files/<numeric directory>/<name>.exe
#   * donutsmpcheat.com - /downloads/<name>.jar
#   * hostname lures (*.vercel.app, rubbermax.xyz, video-files-24.cfd,
#     downloadmaxfile.digital) - "/download" or "/?download=1"
# NOTE(review): in content:"/|3f|download=1" the |3f| escape is the single byte "?",
# so the pattern is 12 bytes long while depth is 15. With endswith the rule still
# matches the exact URI, but it also accepts a URI up to three bytes longer that
# ends in the same string; depth:12 would make it an exact match like the others.
# NOTE(review): `alert http` only covers requests Suricata parses as HTTP. The
# hostname entries are presumably reached over HTTPS in many cases - confirm on the
# URLhaus entries; without upstream TLS decryption, tls.sni or dns.query matches on
# the same hostnames are the complementary control.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.70.186.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844212/; classtype:trojan-activity;sid:84707312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"rubbermax.xyz"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844213/; classtype:trojan-activity;sid:84707313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"photo-02-05.vercel.app"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844210/; classtype:trojan-activity;sid:84707310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"we-max-photo.vercel.app"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844211/; classtype:trojan-activity;sid:84707311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/rvctx33.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844208/; classtype:trojan-activity;sid:84707308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/float-client.jar"; depth:27; endswith; nocase; http.host; content:"donutsmpcheat.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844209/; classtype:trojan-activity;sid:84707309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/kia910k.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844206/; classtype:trojan-activity;sid:84707306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/zna6qzg.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844207/; classtype:trojan-activity;sid:84707307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/6ttnsh7.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844199/; classtype:trojan-activity;sid:84707299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/kipkifh.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844200/; classtype:trojan-activity;sid:84707300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/3hdycii.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844201/; classtype:trojan-activity;sid:84707301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/aytwblz.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844202/; classtype:trojan-activity;sid:84707302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/k9ygjlp.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844203/; classtype:trojan-activity;sid:84707303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/uiiihfd.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844204/; classtype:trojan-activity;sid:84707304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/dbrmzfk.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844205/; classtype:trojan-activity;sid:84707305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"avaria102dtponlaine.vercel.app"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844197/; classtype:trojan-activity;sid:84707297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/kryptonite-cracked.jar"; depth:33; endswith; nocase; http.host; content:"donutsmpcheat.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844198/; classtype:trojan-activity;sid:84707298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"vk-video-dtp.vercel.app"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844190/; classtype:trojan-activity;sid:84707290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/xenon-cracked.jar"; depth:28; endswith; nocase; http.host; content:"donutsmpcheat.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844191/; classtype:trojan-activity;sid:84707291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/solar-client.jar"; depth:27; endswith; nocase; http.host; content:"donutsmpcheat.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844192/; classtype:trojan-activity;sid:84707292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"wephoto.vercel.app"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844193/; classtype:trojan-activity;sid:84707293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"video-files-24.cfd"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844194/; classtype:trojan-activity;sid:84707294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"videosdtpr.vercel.app"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844195/; classtype:trojan-activity;sid:84707295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/meteor-client.jar"; depth:28; endswith; nocase; http.host; content:"donutsmpcheat.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844196/; classtype:trojan-activity;sid:84707296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"kameraruonlaine.vercel.app"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844189/; classtype:trojan-activity;sid:84707289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; endswith; nocase; http.host; content:"downloadmaxfile.digital"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844186/; classtype:trojan-activity;sid:84707286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"102policeonlainedtp.vercel.app"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844187/; classtype:trojan-activity;sid:84707287; rev:1;)
# Opening of the rule for entry 3844188; it continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844188)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"2026policedtp.vercel.app"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844188/; classtype:trojan-activity;sid:84707288; rev:1;)
# The line above is the tail of the rule for URLhaus entry 3844188; its opening
# sits on the preceding line of the file.
#
# --- URLhaus entries 3844185-3844168 ---
# Layout: one rule per line (Suricata only continues a rule across lines when the
# line ends with a backslash).
# Same rule shape throughout: cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET,
# http.uri pinned to the listed path (content + depth + endswith, nocase) and
# http.host pinned to the listed host (content + depth + isdataat:!1,relative).
# NOTE(review): content:"/|3f|download=1" is 12 bytes (|3f| is the single byte "?")
# but carries depth:15, so with endswith it also accepts a URI up to three bytes
# longer that ends in the same string; depth:12 would make it an exact match.
# `alert http` does not cover a fetch of this hostname over TLS unless traffic is
# decrypted upstream - tls.sni or dns.query on the hostname is the complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|download=1"; depth:15; endswith; nocase; http.host; content:"photojopik.vercel.app"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844185/; classtype:trojan-activity;sid:84707285; rev:1;)
# Every remaining rule in this run targets 62.60.226.140 with a path of the form
# /files/<numeric directory>/<name>.<exe|bat|msi>; three directory values occur
# (8176913892, 6099399783, 715644737). Each rule matches one exact file name, so a
# file name not yet in the feed passes unnoticed - if local policy allows, a
# host-level match on this address closes that gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/0yktjef.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844175/; classtype:trojan-activity;sid:84707275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/ewsuxox.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844176/; classtype:trojan-activity;sid:84707276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/bwjpsd5.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844177/; classtype:trojan-activity;sid:84707277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/9lrzblj.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844178/; classtype:trojan-activity;sid:84707278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/exidgxs.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844179/; classtype:trojan-activity;sid:84707279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/9tylaum.msi"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844180/; classtype:trojan-activity;sid:84707280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/lwjjein.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844181/; classtype:trojan-activity;sid:84707281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/6ttnsh7.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844182/; classtype:trojan-activity;sid:84707282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/715644737/xv72alj.exe"; depth:28; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844183/; classtype:trojan-activity;sid:84707283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/brot051.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844184/; classtype:trojan-activity;sid:84707284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/efgbs2q.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844168/; classtype:trojan-activity;sid:84707268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/dpslke1.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844169/; classtype:trojan-activity;sid:84707269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/qgeunem.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844170/; classtype:trojan-activity;sid:84707270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/nmwyfww.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844171/; classtype:trojan-activity;sid:84707271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/1x8ty42.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844172/; classtype:trojan-activity;sid:84707272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/377fvul.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844173/; classtype:trojan-activity;sid:84707273; rev:1;)
# Opening of the rule for entry 3844174; it continues on the next line of the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844174)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/6099399783/jmztd18.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844174/; classtype:trojan-activity;sid:84707274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/zyv8iuy.msi"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844143/; classtype:trojan-activity;sid:84707243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/tng8nf2.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844144/; classtype:trojan-activity;sid:84707244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/xrbwqmi.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844145/; classtype:trojan-activity;sid:84707245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/4xhy0ua.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844146/; 
classtype:trojan-activity;sid:84707246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/kikvpv3.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844147/; classtype:trojan-activity;sid:84707247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/ma2i83j.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844148/; classtype:trojan-activity;sid:84707248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/jxcrwvd.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844149/; classtype:trojan-activity;sid:84707249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/klca9rk.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844150/; classtype:trojan-activity;sid:84707250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844151)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/6099399783/9tylaum.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844151/; classtype:trojan-activity;sid:84707251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/4kludhr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844152/; classtype:trojan-activity;sid:84707252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/awb1ryt.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844153/; classtype:trojan-activity;sid:84707253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/8rujxmr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844154/; classtype:trojan-activity;sid:84707254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/xs3aqc0.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844155/; 
classtype:trojan-activity;sid:84707255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/uwxixwf.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844156/; classtype:trojan-activity;sid:84707256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/towtzpl.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844157/; classtype:trojan-activity;sid:84707257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6077499728/iqw9iq7.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844158/; classtype:trojan-activity;sid:84707258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/erlpoq5.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844159/; classtype:trojan-activity;sid:84707259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844160)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/6099399783/cb0v8v5.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844160/; classtype:trojan-activity;sid:84707260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/ugid4pl.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844161/; classtype:trojan-activity;sid:84707261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/qekymha.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844162/; classtype:trojan-activity;sid:84707262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/czwmjn5.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844163/; classtype:trojan-activity;sid:84707263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/sb9ud3f.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844164/; 
classtype:trojan-activity;sid:84707264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/sn4rvoi.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844165/; classtype:trojan-activity;sid:84707265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/ncvf8vj.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844166/; classtype:trojan-activity;sid:84707266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/nvt8bmp.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844167/; classtype:trojan-activity;sid:84707267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cyrex_3.2.zip"; depth:14; endswith; nocase; http.host; content:"cyrex-cheats.net"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844142/; classtype:trojan-activity;sid:84707242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844139)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/8176913892/hdyq1rb.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844139/; classtype:trojan-activity;sid:84707239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/wprb475.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844140/; classtype:trojan-activity;sid:84707240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/r5f7meo.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844141/; classtype:trojan-activity;sid:84707241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/3032ike.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844136/; classtype:trojan-activity;sid:84707236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/vz0cxxy.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844137/; 
classtype:trojan-activity;sid:84707237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/budksm4.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844138/; classtype:trojan-activity;sid:84707238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sauxobwy.exe"; depth:13; endswith; nocase; http.host; content:"digiztechllc.co"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844135/; classtype:trojan-activity;sid:84707235; rev:1;)
# NOTE(review): the host in the next rule, raw.githubusercontent.com, is a shared content host, so
# the 68-byte URI (depth:68 + endswith) is the only thing that makes the rule specific. Keep the URI
# condition if this rule is ever adapted locally; a host-only match would alert on unrelated traffic.
# The host is normally fetched over HTTPS, so this `alert http` rule fires only where the sensor
# inspects cleartext or decrypted HTTP - confirm that TLS inspection covers this host; otherwise
# treat the entry as an indicator to search for in proxy or endpoint logs instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paperrig/paperrigofficial/refs/heads/main/downloads/paperrig-v2.jar"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844134/; classtype:trojan-activity;sid:84707234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8212392349/0alosyh.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844130/; classtype:trojan-activity;sid:84707230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844131)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/files/7382018045/3urahpr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844131/; classtype:trojan-activity;sid:84707231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/qiket39.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844132/; classtype:trojan-activity;sid:84707232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8212392349/2n2vb1v.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844133/; classtype:trojan-activity;sid:84707233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.141.233.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844129/; classtype:trojan-activity;sid:84707229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.70.186.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844128/; classtype:trojan-activity;sid:84707228; rev:1;) 
# How to read the generated rules on this line:
#   - alert http $HOME_NET -> $EXTERNAL_NET with flow:established,from_client and http.method "GET":
#     an outbound GET request from a monitored client.
#   - http.uri content + depth:N + endswith: N equals the pattern length here, so the normalized URI
#     must equal the pattern; nocase makes that comparison case-insensitive.
#   - http.host content + depth:N + isdataat:!1,relative: the host buffer must equal the listed host
#     with nothing after it.
#   - The number in msg and in the reference URL is the URLhaus entry id; in the rules shown here the
#     sid is that id plus 80863100, which maps an alert back to its URLhaus page.
# NOTE(review): the first two rules match the two-byte URI "/i", so the http.host pin on a literal IP
# carries all of the specificity. Literal-IP indicators go stale when the address is reassigned;
# consider ageing such rules out using metadata created_at (presumably the listing date - confirm).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.29.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844127/; classtype:trojan-activity;sid:84707227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.127.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844126/; classtype:trojan-activity;sid:84707226; rev:1;)
# The remaining rules on this line all pin host 45.83.207.206 with paths under /nz/.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86"; depth:10; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844124/; classtype:trojan-activity;sid:84707224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/debug"; depth:9; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844125/; classtype:trojan-activity;sid:84707225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mips"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; 
reference:url, urlhaus.abuse.ch/url/3844120/; classtype:trojan-activity;sid:84707220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arc"; depth:10; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844121/; classtype:trojan-activity;sid:84707221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz.sh"; depth:6; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844122/; classtype:trojan-activity;sid:84707222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.sh4"; depth:10; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844123/; classtype:trojan-activity;sid:84707223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm"; depth:10; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844115/; classtype:trojan-activity;sid:84707215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.x86_64"; depth:13; endswith; nocase; 
http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844116/; classtype:trojan-activity;sid:84707216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.i686"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844117/; classtype:trojan-activity;sid:84707217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.m68k"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844118/; classtype:trojan-activity;sid:84707218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm5"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844119/; classtype:trojan-activity;sid:84707219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.ppc"; depth:10; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844110/; classtype:trojan-activity;sid:84707210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844111)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm6"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844111/; classtype:trojan-activity;sid:84707211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.arm7"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844112/; classtype:trojan-activity;sid:84707212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.spc"; depth:10; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844113/; classtype:trojan-activity;sid:84707213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nz/nz.mpsl"; depth:11; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844114/; classtype:trojan-activity;sid:84707214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"extnetprox.devharbor.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844109/; 
classtype:trojan-activity;sid:84707209; rev:1;)
# NOTE(review): the next rule (URLhaus 3844108, sid 84707208) has the same URI and the same http.host
# as the rule that ends on the line above (URLhaus 3844109, sid 84707209). Every match condition
# visible in the two rules is identical, so one request raises two alerts. Presumably the two URLhaus
# entries differ in scheme or port, which these rules do not test - confirm on the URLhaus pages.
# Deduplicate in the alert pipeline or with a suppress entry in threshold.config, not by editing the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"extnetprox.devharbor.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844108/; classtype:trojan-activity;sid:84707208; rev:1;)
# NOTE(review): the rules below reuse the same 50-byte URI and vary only the subdomain of
# devharbor.pics. Because each rule pins one exact host, a subdomain not yet listed is not covered;
# a locally maintained hunting rule or log search on the URI alone would show whether that matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"pkgrunstat.devharbor.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844107/; classtype:trojan-activity;sid:84707207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"modbusdata.devharbor.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844106/; classtype:trojan-activity;sid:84707206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"srcgetproc.devharbor.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844105/; classtype:trojan-activity;sid:84707205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3844104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"ftpsrv.pixelmesh.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844104/; classtype:trojan-activity;sid:84707204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.193.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844103/; classtype:trojan-activity;sid:84707203; rev:1;)
# NOTE(review): the next two rules (URLhaus 3844102 / sid 84707202 and URLhaus 3844101 / sid 84707201)
# have identical URI and http.host conditions, so a single request to libsyspathview.pixelmesh.pics
# raises both alerts. Presumably the underlying URLhaus entries differ in scheme or port, which the
# rules do not test - confirm, and count the pair as one event when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"libsyspathview.pixelmesh.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844102/; classtype:trojan-activity;sid:84707202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"libsyspathview.pixelmesh.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844101/; classtype:trojan-activity;sid:84707201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844100)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"jobadm.pixelmesh.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844100/; classtype:trojan-activity;sid:84707200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.148.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844099/; classtype:trojan-activity;sid:84707199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"zipark.pixelmesh.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844098/; classtype:trojan-activity;sid:84707198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"metaltscfgmgr.logicframe.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844097/; classtype:trojan-activity;sid:84707197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"ftpsrv.framevector.ink"; depth:22; isdataat:!1,relative; 
metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844096/; classtype:trojan-activity;sid:84707196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"libsyspathview.framevector.ink"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844095/; classtype:trojan-activity;sid:84707195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"libsyspathview.framevector.ink"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844094/; classtype:trojan-activity;sid:84707194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"apidocserv.logicframe.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844093/; classtype:trojan-activity;sid:84707193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"jobadm.framevector.ink"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844092/; 
classtype:trojan-activity;sid:84707192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"apidocserv.logicframe.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844091/; classtype:trojan-activity;sid:84707191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"dbinst.logicframe.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844090/; classtype:trojan-activity;sid:84707190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"rawdatamapping.framevector.ink"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844089/; classtype:trojan-activity;sid:84707189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.148.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844088/; classtype:trojan-activity;sid:84707188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844087)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"skyvpnnodehub.logicframe.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844087/; classtype:trojan-activity;sid:84707187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"zipark.framevector.ink"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844086/; classtype:trojan-activity;sid:84707186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"metaltscfgmgr.systemforge.ink"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844084/; classtype:trojan-activity;sid:84707184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.60.190.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844085/; classtype:trojan-activity;sid:84707185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; 
http.host; content:"cmdset.logicframe.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844082/; classtype:trojan-activity;sid:84707182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"cmdset.logicframe.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844083/; classtype:trojan-activity;sid:84707183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"metaltscfgmgr.systemforge.ink"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844081/; classtype:trojan-activity;sid:84707181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"sshbin.cloudstack.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844080/; classtype:trojan-activity;sid:84707180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.116.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844079/; 
classtype:trojan-activity;sid:84707179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"apidocserv.systemforge.ink"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844078/; classtype:trojan-activity;sid:84707178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"sslkeybasepoint.cloudstack.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844077/; classtype:trojan-activity;sid:84707177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"dbinst.systemforge.ink"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844076/; classtype:trojan-activity;sid:84707176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"getcfghub.cloudstack.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844075/; classtype:trojan-activity;sid:84707175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3844074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.127.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844074/; classtype:trojan-activity;sid:84707174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"skyvpnnodehub.systemforge.ink"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844073/; classtype:trojan-activity;sid:84707173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"ipnodeclisys.cloudstack.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844072/; classtype:trojan-activity;sid:84707172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"cmdset.systemforge.ink"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844071/; classtype:trojan-activity;sid:84707171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844070)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"hotfix.cloudstack.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844070/; classtype:trojan-activity;sid:84707170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"sshbin.cryptowave.ink"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844069/; classtype:trojan-activity;sid:84707169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"sshbin.cryptowave.ink"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844068/; classtype:trojan-activity;sid:84707168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"topsvc.bytevector.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844067/; classtype:trojan-activity;sid:84707167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; 
content:"sslkeybasepoint.cryptowave.ink"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844066/; classtype:trojan-activity;sid:84707166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"opsmgr.bytevector.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844065/; classtype:trojan-activity;sid:84707165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"getcfghub.cryptowave.ink"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844064/; classtype:trojan-activity;sid:84707164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"getcfghub.cryptowave.ink"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844063/; classtype:trojan-activity;sid:84707163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"cpuprocessormgr.bytevector.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; 
reference:url, urlhaus.abuse.ch/url/3844062/; classtype:trojan-activity;sid:84707162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.88.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844061/; classtype:trojan-activity;sid:84707161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"ipnodeclisys.cryptowave.ink"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844060/; classtype:trojan-activity;sid:84707160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.88.140"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844059/; classtype:trojan-activity;sid:84707159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"run.bytevector.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844058/; classtype:trojan-activity;sid:84707158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844057)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"run.bytevector.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844057/; classtype:trojan-activity;sid:84707157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"cpuprocessormgr.bytevector.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844056/; classtype:trojan-activity;sid:84707156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"vpsrun.bytevector.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844055/; classtype:trojan-activity;sid:84707155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"dnswebsrvs.bytevector.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844054/; classtype:trojan-activity;sid:84707154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; 
nocase; http.host; content:"devbits.kernelshift.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844053/; classtype:trojan-activity;sid:84707153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"logmanagementsys.kernelshift.pics"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844052/; classtype:trojan-activity;sid:84707152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"api.kernelshift.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844051/; classtype:trojan-activity;sid:84707151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.190.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844050/; classtype:trojan-activity;sid:84707150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.125.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844049/; classtype:trojan-activity;sid:84707149; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"webcdnstat.kernelshift.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844048/; classtype:trojan-activity;sid:84707148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"webcdnstat.kernelshift.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844047/; classtype:trojan-activity;sid:84707147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844046/; classtype:trojan-activity;sid:84707146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"srvnode.kernelshift.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844045/; classtype:trojan-activity;sid:84707145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"185.97.113.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844044/; classtype:trojan-activity;sid:84707144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"optirni-cast.scriptmesh.ink"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844043/; classtype:trojan-activity;sid:84707143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.190.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844042/; classtype:trojan-activity;sid:84707142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.251.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844041/; classtype:trojan-activity;sid:84707141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"civicvehicl.scriptmesh.ink"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844040/; classtype:trojan-activity;sid:84707140; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"designdepot.scriptmesh.ink"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844039/; classtype:trojan-activity;sid:84707139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"vita-not.scriptmesh.ink"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844038/; classtype:trojan-activity;sid:84707138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.251.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844037/; classtype:trojan-activity;sid:84707137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"n0df7.kernelgrid.ink"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844036/; classtype:trojan-activity;sid:84707136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844035)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.65.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844035/; classtype:trojan-activity;sid:84707135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"dynmark0on.kernelgrid.ink"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844034/; classtype:trojan-activity;sid:84707134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.223.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844033/; classtype:trojan-activity;sid:84707133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.125.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844032/; classtype:trojan-activity;sid:84707132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.204.227.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844031/; classtype:trojan-activity;sid:84707131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3844030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"sol-tideen.kernelgrid.ink"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844030/; classtype:trojan-activity;sid:84707130; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules in this run (all tagged created_at 2026_05_10).
# The rule text is unchanged; it is only re-flowed to one rule per line.
#
# Match logic shared by every rule here:
#   * flow:established,from_client with http.method "GET": only client
#     requests on an established flow are inspected.
#   * http.uri: the content length equals depth and endswith is set, so the
#     URI buffer must equal the listed path exactly (nocase makes the
#     comparison case-insensitive). A request that adds a query string or a
#     further path segment does not match.
#   * http.host: the content length equals depth and isdataat:!1,relative
#     requires that nothing follows, so the host must equal the listed name
#     or IP exactly. Suricata lowercases the http.host buffer, which is why
#     the host patterns are lowercase and carry no nocase.
#
# Caveats for whoever deploys this feed:
#   * These are `alert http` rules: they see cleartext HTTP only. The same
#     download over TLS is not covered unless traffic is decrypted upstream.
#   * The action is alert, not drop; blocking needs a local policy decision.
#   * Three long paths (.../auth.dll, .../verify.check, .../auth.check) recur
#     under many host names. Because each rule pins the exact host, a new
#     host name serving the same path is not detected until the feed lists it.
#   * Many rules pair a very short path ("/i", "/bin.sh") with a bare IP
#     address. The specificity rests entirely on the Host value, so these
#     entries should be aged out with the feed rather than kept locally.
#   * Nine pairs of rules below have identical match conditions and differ
#     only in msg, reference and sid, so one matching request raises two
#     alerts. Presumably the URLhaus entries differ in a part of the URL
#     these rules do not encode - not visible here; confirm against the
#     referenced URLhaus pages before de-duplicating. Each pair is marked.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.66.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844029/; classtype:trojan-activity;sid:84707129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"v1si-sync.kernelgrid.ink"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844028/; classtype:trojan-activity;sid:84707128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.102.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844027/; classtype:trojan-activity;sid:84707127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"njrwmhh.cyberframe.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844026/; classtype:trojan-activity;sid:84707126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.204.227.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844025/; classtype:trojan-activity;sid:84707125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"2784kns.kernelgrid.ink"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844024/; classtype:trojan-activity;sid:84707124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"2qjub.logicstack.ink"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844023/; classtype:trojan-activity;sid:84707123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"macroloop.logicstack.ink"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844022/; classtype:trojan-activity;sid:84707122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"192.109.200.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844017/; classtype:trojan-activity;sid:84707117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"192.109.200.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844018/; classtype:trojan-activity;sid:84707118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"192.109.200.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844019/; classtype:trojan-activity;sid:84707119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"192.109.200.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844020/; classtype:trojan-activity;sid:84707120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"192.109.200.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844021/; classtype:trojan-activity;sid:84707121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844015/; classtype:trojan-activity;sid:84707115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"14.205.104.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844016/; classtype:trojan-activity;sid:84707116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"ftscfs.logicstack.ink"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844014/; classtype:trojan-activity;sid:84707114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.23.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844013/; classtype:trojan-activity;sid:84707113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.104.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844012/; classtype:trojan-activity;sid:84707112; rev:1;)
# NOTE(review): sid 84707111 and sid 84707110 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"beartrend.logicstack.ink"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844011/; classtype:trojan-activity;sid:84707111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"beartrend.logicstack.ink"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844010/; classtype:trojan-activity;sid:84707110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.148.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844009/; classtype:trojan-activity;sid:84707109; rev:1;)
# NOTE(review): sid 84707108 and sid 84707107 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"wamemd.logicstack.ink"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844008/; classtype:trojan-activity;sid:84707108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"wamemd.logicstack.ink"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844007/; classtype:trojan-activity;sid:84707107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"velmeshix.cyberframe.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844006/; classtype:trojan-activity;sid:84707106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"tal-valeum.cyberframe.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844005/; classtype:trojan-activity;sid:84707105; rev:1;)
# NOTE(review): sid 84707104 and sid 84707103 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"solnex3et.cybernode.ink"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844004/; classtype:trojan-activity;sid:84707104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"solnex3et.cybernode.ink"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844003/; classtype:trojan-activity;sid:84707103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.148.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844002/; classtype:trojan-activity;sid:84707102; rev:1;)
# NOTE(review): sid 84707101 and sid 84707100 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"netvvork-hinge.cybernode.ink"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844001/; classtype:trojan-activity;sid:84707101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3844000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"netvvork-hinge.cybernode.ink"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3844000/; classtype:trojan-activity;sid:84707100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.188.135.20"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843999/; classtype:trojan-activity;sid:84707099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05heil6c5-49ds-4764-abb59-368f34ad4245/auth.dll"; depth:48; endswith; nocase; http.host; content:"swanresolver.cybernode.ink"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843998/; classtype:trojan-activity;sid:84707098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.23.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843997/; classtype:trojan-activity;sid:84707097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"h04c.kernelwave.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843996/; classtype:trojan-activity;sid:84707096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"vorcore2ix.kernelwave.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843995/; classtype:trojan-activity;sid:84707095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"networ2-forge.scriptmesh.ink"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843994/; classtype:trojan-activity;sid:84707094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jjp"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843992/; classtype:trojan-activity;sid:84707092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843993/; classtype:trojan-activity;sid:84707093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ib"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843976/; classtype:trojan-activity;sid:84707076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0vug"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843977/; classtype:trojan-activity;sid:84707077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x6yo"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843978/; classtype:trojan-activity;sid:84707078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytqo"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843979/; classtype:trojan-activity;sid:84707079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0rc"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843980/; classtype:trojan-activity;sid:84707080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r6x"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843981/; classtype:trojan-activity;sid:84707081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zh4k"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843982/; classtype:trojan-activity;sid:84707082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h4h"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843983/; classtype:trojan-activity;sid:84707083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mkdy"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843984/; classtype:trojan-activity;sid:84707084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jwv"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843985/; classtype:trojan-activity;sid:84707085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ne4"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843986/; classtype:trojan-activity;sid:84707086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vga"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843987/; classtype:trojan-activity;sid:84707087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tvq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843988/; classtype:trojan-activity;sid:84707088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vqx"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843989/; classtype:trojan-activity;sid:84707089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ozse"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843990/; classtype:trojan-activity;sid:84707090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843991/; classtype:trojan-activity;sid:84707091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843975/; classtype:trojan-activity;sid:84707075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.190.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843974/; classtype:trojan-activity;sid:84707074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yg4k"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843970/; classtype:trojan-activity;sid:84707070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dh.sh"; depth:6; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843971/; classtype:trojan-activity;sid:84707071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/duq"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843972/; classtype:trojan-activity;sid:84707072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hk.sh"; depth:6; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843973/; classtype:trojan-activity;sid:84707073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zy.sh"; depth:6; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843968/; classtype:trojan-activity;sid:84707068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tpl.sh"; depth:7; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843969/; classtype:trojan-activity;sid:84707069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"vvh3el-crest.cloudvector.ink"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843967/; classtype:trojan-activity;sid:84707067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.190.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843966/; classtype:trojan-activity;sid:84707066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"tracke-signal.cryptostack.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843965/; classtype:trojan-activity;sid:84707065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.233.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843964/; classtype:trojan-activity;sid:84707064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vthh"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843963/; classtype:trojan-activity;sid:84707063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"heathergent.cloudvector.ink"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843962/; classtype:trojan-activity;sid:84707062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nrud"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843961/; classtype:trojan-activity;sid:84707061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"conv-wagon.cryptostack.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843960/; classtype:trojan-activity;sid:84707060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"tre75.cryptostack.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843959/; classtype:trojan-activity;sid:84707059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"67.102.7.106"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843958/; classtype:trojan-activity;sid:84707058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"wlr33mz.cloudvector.ink"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843957/; classtype:trojan-activity;sid:84707057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh.sh"; depth:6; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843956/; classtype:trojan-activity;sid:84707056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.38.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843955/; classtype:trojan-activity;sid:84707055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"7dml.netstack.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843954/; classtype:trojan-activity;sid:84707054; rev:1;)
# NOTE(review): sid 84707053 and sid 84707052 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"5md3.netstack.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843953/; classtype:trojan-activity;sid:84707053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"5md3.netstack.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843952/; classtype:trojan-activity;sid:84707052; rev:1;)
# NOTE(review): sid 84707051 and sid 84707050 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"thornbanner.cryptostack.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843951/; classtype:trojan-activity;sid:84707051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"thornbanner.cryptostack.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843950/; classtype:trojan-activity;sid:84707050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.192.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843949/; classtype:trojan-activity;sid:84707049; rev:1;)
# NOTE(review): sid 84707048 and sid 84707047 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"5ccj6.netstack.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843948/; classtype:trojan-activity;sid:84707048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"5ccj6.netstack.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843947/; classtype:trojan-activity;sid:84707047; rev:1;)
# NOTE(review): sid 84707046 and sid 84707045 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"trimark5ar.cryptostack.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843946/; classtype:trojan-activity;sid:84707046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"trimark5ar.cryptostack.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843945/; classtype:trojan-activity;sid:84707045; rev:1;)
# NOTE(review): sid 84707044 and sid 84707043 have identical match conditions (same URI and host); one request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"forefern.pixelnode.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843944/; classtype:trojan-activity;sid:84707044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"forefern.pixelnode.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843943/; classtype:trojan-activity;sid:84707043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"lkkgv50r.logicbyte.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843942/; classtype:trojan-activity;sid:84707042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.237.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843941/; classtype:trojan-activity;sid:84707041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.237.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843940/; classtype:trojan-activity;sid:84707040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3843939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.38.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843939/; classtype:trojan-activity;sid:84707039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"coreshield.pixelnode.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843938/; classtype:trojan-activity;sid:84707038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"hyper-c0ra.logicbyte.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843937/; classtype:trojan-activity;sid:84707037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"aghw.pixelnode.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843936/; classtype:trojan-activity;sid:84707036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843935)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"aghw.pixelnode.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843935/; classtype:trojan-activity;sid:84707035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.30.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843934/; classtype:trojan-activity;sid:84707034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"curio-garde.logicbyte.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843933/; classtype:trojan-activity;sid:84707033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"2t1ridv.logicbyte.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843932/; classtype:trojan-activity;sid:84707032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.112.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843931/; classtype:trojan-activity;sid:84707031; rev:1;)
#
# URLhaus download-URL indicators, metadata created_at 2026_05_10.
# Template shared by every complete rule below: established client-to-server
# HTTP flow, $HOME_NET -> $EXTERNAL_NET, http.method contains "GET", http.uri
# equals the listed path (depth == content length, endswith, nocase) and
# http.host equals the listed value (depth == content length,
# isdataat:!1,relative). Matching is per exact URL and only on traffic that
# is parsed as HTTP.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"vocalpro.pixelnode.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843930/; classtype:trojan-activity;sid:84707030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.252.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843929/; classtype:trojan-activity;sid:84707029; rev:1;)
# Host 176.65.139.68: one rule per "/vulcan_<suffix>" file name. The suffixes
# read as CPU architectures (riscv64, amd64, s390x, ppc64le, 386, mips64le,
# arm7, mipsle, arm64, mips, mips64, arm5) - presumably one build of the same
# payload per platform; confirm against the URLhaus references.
# NOTE(review): when one of these fires, search proxy and flow logs for the
# sibling names listed for the same Host before closing the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_riscv64"; depth:15; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843928/; classtype:trojan-activity;sid:84707028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_amd64"; depth:13; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843925/; classtype:trojan-activity;sid:84707025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_s390x"; depth:13; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843926/; classtype:trojan-activity;sid:84707026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_ppc64le"; depth:15; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843927/; classtype:trojan-activity;sid:84707027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_386"; depth:11; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843922/; classtype:trojan-activity;sid:84707022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mips64le"; depth:16; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843923/; classtype:trojan-activity;sid:84707023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm7"; depth:12; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843924/; classtype:trojan-activity;sid:84707024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mipsle"; depth:14; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843917/; classtype:trojan-activity;sid:84707017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm64"; depth:13; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843918/; classtype:trojan-activity;sid:84707018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mips"; depth:12; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843919/; classtype:trojan-activity;sid:84707019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_mips64"; depth:14; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843920/; classtype:trojan-activity;sid:84707020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vulcan_arm5"; depth:12; endswith; nocase; http.host; content:"176.65.139.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843921/; classtype:trojan-activity;sid:84707021; rev:1;)
#
# URLhaus download-URL indicators, metadata created_at 2026_05_10.
# Template shared by every complete rule below: established client-to-server
# HTTP flow, $HOME_NET -> $EXTERNAL_NET, http.method contains "GET", http.uri
# equals the listed path (depth == content length, endswith, nocase) and
# http.host equals the listed value (depth == content length,
# isdataat:!1,relative). Matching is per exact URL and only on traffic that
# is parsed as HTTP.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.191.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843916/; classtype:trojan-activity;sid:84707016; rev:1;)
# Host 45.153.34.93, directory /bins/: the file names resemble Linux kernel
# thread names (for example ksoftirqd0, kswapd0).
# NOTE(review): presumably chosen so the downloaded binary blends into a
# process listing - not confirmable from this file. On a host that triggered
# one of these alerts, check for user-space processes or recently written
# files carrying such names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843913/; classtype:trojan-activity;sid:84707013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843914/; classtype:trojan-activity;sid:84707014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843915/; classtype:trojan-activity;sid:84707015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polld"; depth:16; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843911/; classtype:trojan-activity;sid:84707011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xfsaild_sda"; depth:17; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843912/; classtype:trojan-activity;sid:84707012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843905/; classtype:trojan-activity;sid:84707005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843906/; classtype:trojan-activity;sid:84707006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843907/; classtype:trojan-activity;sid:84707007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3843908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843908/; classtype:trojan-activity;sid:84707008; rev:1;)
#
# URLhaus download-URL indicators, metadata created_at 2026_05_10.
# Template shared by every complete rule below: established client-to-server
# HTTP flow, $HOME_NET -> $EXTERNAL_NET, http.method contains "GET", http.uri
# equals the listed path (depth == content length, endswith, nocase) and
# http.host equals the listed value (depth == content length,
# isdataat:!1,relative). Matching is per exact URL and only on traffic that
# is parsed as HTTP.
#
# Host 45.153.34.93: /vision.sh plus files under /bins/ whose names resemble
# Linux kernel thread names (kworker_u8, kblockd0, scsi_tmf_0, devfreq_wq,
# jbd2_sda1d, rcuop_0).
# NOTE(review): presumably chosen so the downloaded binary blends into a
# process listing - not confirmable from this file. On a host that triggered
# one of these alerts, check for user-space processes or recently written
# files carrying such names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843909/; classtype:trojan-activity;sid:84707009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scsi_tmf_0"; depth:16; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843910/; classtype:trojan-activity;sid:84707010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vision.sh"; depth:10; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843901/; classtype:trojan-activity;sid:84707001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843902/; classtype:trojan-activity;sid:84707002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843903/; classtype:trojan-activity;sid:84707003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"45.153.34.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843904/; classtype:trojan-activity;sid:84707004; rev:1;)
# The two entries below reuse fixed "/auth.check" and "/verify.check" paths
# with a per-entry hostname under pixelnode.lat and logicbyte.lat.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"dynven3um.pixelnode.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843900/; classtype:trojan-activity;sid:84707000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"vornexal5.logicbyte.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843899/; classtype:trojan-activity;sid:84706999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843898)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"quortideis.cloudmesh.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843898/; classtype:trojan-activity;sid:84706998; rev:1;)
#
# URLhaus download-URL indicators, metadata created_at 2026_05_10.
# Template shared by every complete rule below: established client-to-server
# HTTP flow, $HOME_NET -> $EXTERNAL_NET, http.method contains "GET", http.uri
# equals the listed path (depth == content length, endswith, nocase) and
# http.host equals the listed value (depth == content length,
# isdataat:!1,relative). Matching is per exact URL and only on traffic that
# is parsed as HTTP.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.255.10.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843897/; classtype:trojan-activity;sid:84706997; rev:1;)
# Hosts 176.65.139.7 and 176.65.139.160 (entries are interleaved below):
#   176.65.139.7   - /run.sh plus bare architecture-style names (/x86, /ppc64,
#                    /mipsel, /mips, /armv7l, /i686, /armv6l, /armv5l)
#   176.65.139.160 - /sysd_<suffix> (mipsle, mips, arm, arm64, amd64, x86)
# Paths like "/x86" or "/mips" are generic on their own; the exact Host match
# is what keeps these rules specific to the listed server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843894/; classtype:trojan-activity;sid:84706994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843895/; classtype:trojan-activity;sid:84706995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843896/; classtype:trojan-activity;sid:84706996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843893/; classtype:trojan-activity;sid:84706993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843891/; classtype:trojan-activity;sid:84706991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysd_mipsle"; depth:12; endswith; nocase; http.host; content:"176.65.139.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843892/; classtype:trojan-activity;sid:84706992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysd_mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843888/; classtype:trojan-activity;sid:84706988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysd_arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843889/; classtype:trojan-activity;sid:84706989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.178.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843890/; classtype:trojan-activity;sid:84706990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843887/; classtype:trojan-activity;sid:84706987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843886/; classtype:trojan-activity;sid:84706986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysd_arm64"; depth:11; endswith; nocase; http.host; content:"176.65.139.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843881/; classtype:trojan-activity;sid:84706981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysd_amd64"; depth:11; endswith; nocase; http.host; content:"176.65.139.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843882/; classtype:trojan-activity;sid:84706982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843883/; classtype:trojan-activity;sid:84706983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843884/; classtype:trojan-activity;sid:84706984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysd_x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843885/; classtype:trojan-activity;sid:84706985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"northglyp.devmatrix.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843880/; classtype:trojan-activity;sid:84706980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843879)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"videosparrow.cloudmesh.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843879/; classtype:trojan-activity;sid:84706979; rev:1;)
#
# URLhaus download-URL indicators, metadata created_at 2026_05_10.
# Template shared by every complete rule below: established client-to-server
# HTTP flow, $HOME_NET -> $EXTERNAL_NET, http.method contains "GET", http.uri
# equals the listed path (depth == content length, endswith, nocase) and
# http.host equals the listed value (depth == content length,
# isdataat:!1,relative). Matching is per exact URL and only on traffic that
# is parsed as HTTP.
#
# NOTE(review): sid 84706978 repeats the match options of sid 84706979
# (completed on the line above), and 84706975/84706974 are likewise
# identical, so one request raises two alerts per pair. Presumably URLhaus
# tracks two URL entries that differ in something these keywords do not
# express (scheme or port?) - confirm on the reference pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"videosparrow.cloudmesh.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843878/; classtype:trojan-activity;sid:84706978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"offermedia.devmatrix.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843877/; classtype:trojan-activity;sid:84706977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.10.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843876/; classtype:trojan-activity;sid:84706976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"bay-loyal.cloudmesh.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843875/; classtype:trojan-activity;sid:84706975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"bay-loyal.cloudmesh.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843874/; classtype:trojan-activity;sid:84706974; rev:1;)
# Host 176.65.139.174: one rule per "/xtc.<suffix>" file name; the suffixes
# in this stretch are mpsl, mips and x86 - presumably per-architecture builds
# of one payload; confirm against the URLhaus references.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.mpsl"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843872/; classtype:trojan-activity;sid:84706972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.mips"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843873/; classtype:trojan-activity;sid:84706973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.x86"; depth:8; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843871/; classtype:trojan-activity;sid:84706971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3843870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"woodcora.devmatrix.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843870/; classtype:trojan-activity;sid:84706970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.arm7"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843869/; classtype:trojan-activity;sid:84706969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843865/; classtype:trojan-activity;sid:84706965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.ppc"; depth:8; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843866/; classtype:trojan-activity;sid:84706966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.arm6"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843867/; classtype:trojan-activity;sid:84706967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.arm"; depth:8; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843868/; classtype:trojan-activity;sid:84706968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.arm5"; depth:9; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843863/; classtype:trojan-activity;sid:84706963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xtc.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843864/; classtype:trojan-activity;sid:84706964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843862/; classtype:trojan-activity;sid:84706962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; 
endswith; nocase; http.host; content:"proto-s0uth.cloudmesh.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843861/; classtype:trojan-activity;sid:84706961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.252.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843860/; classtype:trojan-activity;sid:84706960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"hyper-w4ve.cloudmesh.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843859/; classtype:trojan-activity;sid:84706959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shl86c5-49ae-4854-a5b9-368f88ad4245/auth.check"; depth:48; endswith; nocase; http.host; content:"hyper-w4ve.cloudmesh.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843858/; classtype:trojan-activity;sid:84706958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843857/; classtype:trojan-activity;sid:84706957; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.191.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843856/; classtype:trojan-activity;sid:84706956; rev:1;)
# NOTE(review): the rules below alert on outbound HTTP GET requests whose http.uri and
# http.host both equal the listed strings exactly (depth = content length, closed off by
# `endswith` on the URI and `isdataat:!1,relative` on the host).
#
# Two URI paths recur across many hostnames in this run:
#   /0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review   hosts under bytegrid.lat, codeflux.lat
#   /so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check  hosts under devmatrix.lat, mongofixcore.lat
# Each rule pins one hostname, so a new subdomain serving the same path stays undetected until
# the feed lists it. Searching HTTP logs for the path alone is a useful retrospective hunt;
# validate any hit before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"protecttar.bytegrid.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843854/; classtype:trojan-activity;sid:84706954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"torrentlabel.devmatrix.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843855/; classtype:trojan-activity;sid:84706955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.150.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843853/; classtype:trojan-activity;sid:84706953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.178.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843852/; classtype:trojan-activity;sid:84706952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"lfmfi.bytegrid.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843851/; classtype:trojan-activity;sid:84706951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"ht7sq.devmatrix.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843850/; classtype:trojan-activity;sid:84706950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"narr-isl.bytegrid.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843849/; classtype:trojan-activity;sid:84706949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"sercresta.mongofixcore.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843847/; classtype:trojan-activity;sid:84706947; rev:1;)
# sid 84706948 ("/i") and sid 84706946 ("/bin.sh") name the same host, 222.137.20.8; when one
# of them fires, check the same client for a request matching the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.20.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843848/; classtype:trojan-activity;sid:84706948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.20.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843846/; classtype:trojan-activity;sid:84706946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"aligalpha.mongofixcore.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843845/; classtype:trojan-activity;sid:84706945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.22.192.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843844/; classtype:trojan-activity;sid:84706944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"dynmarkal.codeflux.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843843/; classtype:trojan-activity;sid:84706943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.242.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843842/; classtype:trojan-activity;sid:84706942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"kelven7or.mongofixcore.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843841/; classtype:trojan-activity;sid:84706941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"cryptovault.codeflux.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843840/; classtype:trojan-activity;sid:84706940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.200.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url,
urlhaus.abuse.ch/url/3843839/; classtype:trojan-activity;sid:84706939; rev:1;)
# NOTE(review): the rules below alert on outbound HTTP GET requests whose http.uri and
# http.host both equal the listed strings exactly. The destination port is `any`, and nothing
# in the rule records the scheme or port of the original URLhaus entry.
#
# Several rules use an IP literal as http.host (123.11.10.91, 123.189.143.232, 27.37.100.207).
# They match only when the client addressed the server by that IP. All rules here are rev:1
# with created_at 2026_05_10; check the referenced URLhaus entry for current status before
# treating an alert as a confirmed download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"pway7.mongofixcore.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843838/; classtype:trojan-activity;sid:84706938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.10.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843837/; classtype:trojan-activity;sid:84706937; rev:1;)
# sid 84706936 and sid 84706935 have identical match conditions (same URI, same host,
# zirviss9.codeflux.lat); one request raises both alerts. Presumably the source entries differ
# by scheme or port - confirm against the references, and de-duplicate on host + URI when
# counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"zirviss9.codeflux.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843836/; classtype:trojan-activity;sid:84706936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"zirviss9.codeflux.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843835/; classtype:trojan-activity;sid:84706935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.143.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843834/; classtype:trojan-activity;sid:84706934; rev:1;)
# sid 84706933 and sid 84706932 are a second identical pair (same URI, same host,
# 5tone-mesh.mongofixcore.lat) and will also alert together on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"5tone-mesh.mongofixcore.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843833/; classtype:trojan-activity;sid:84706933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"5tone-mesh.mongofixcore.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843832/; classtype:trojan-activity;sid:84706932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"queu-scan.codeflux.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843831/; classtype:trojan-activity;sid:84706931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"gentletide.setqueueat.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843830/; classtype:trojan-activity;sid:84706930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"lvbj1i51.codeflux.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843829/; classtype:trojan-activity;sid:84706929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"bloom7-hinge.setqueueat.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843828/; classtype:trojan-activity;sid:84706928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"shipdem.lipshellcore.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843827/; classtype:trojan-activity;sid:84706927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.100.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843826/; classtype:trojan-activity;sid:84706926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"si1e-branch.setqueueat.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843825/; classtype:trojan-activity;sid:84706925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"script1-gate.lipshellcore.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843824/; classtype:trojan-activity;sid:84706924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"oakbalancer.setqueueat.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843823/; classtype:trojan-activity;sid:84706923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"boosmars.lipshellcore.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843822/; classtype:trojan-activity;sid:84706922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus
Known malware download URL detected (3843821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"anchorfreigh.setqueueat.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843821/; classtype:trojan-activity;sid:84706921; rev:1;)
# NOTE(review): the rules below alert on outbound HTTP GET requests whose http.uri and
# http.host both equal the listed strings exactly. Direction comes from the rule header
# ($HOME_NET -> $EXTERNAL_NET) together with `flow:established,from_client`, so the rules only
# fire if $HOME_NET in the sensor configuration actually covers the monitored clients.
#
# Every rule carries classtype:trojan-activity and a reference to its URLhaus entry; the id in
# the msg text is the same id as in the reference URL, which makes triage lookups direct.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"98ykbe5.lipshellcore.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843820/; classtype:trojan-activity;sid:84706920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"solspireex3.queuedimsys.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843819/; classtype:trojan-activity;sid:84706919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.184.42.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843818/; classtype:trojan-activity;sid:84706918; rev:1;)
# sid 84706917 ("/i", next rule) and sid 84706909 ("/bin.sh", further down) name the same
# host, 27.215.209.230; when one fires, check the same client for the other request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.209.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843817/; classtype:trojan-activity;sid:84706917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"quer-graph.lipshellcore.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843816/; classtype:trojan-activity;sid:84706916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"assetprotect.queuedimsys.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843815/; classtype:trojan-activity;sid:84706915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"r3age8-index.lipshellcore.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843814/; classtype:trojan-activity;sid:84706914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"sub-vit4.queuedimsys.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843813/; classtype:trojan-activity;sid:84706913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.214.161.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843812/; classtype:trojan-activity;sid:84706912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"casual-trail.mixzipcore64.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843811/; classtype:trojan-activity;sid:84706911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843810/; classtype:trojan-activity;sid:84706910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.209.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843809/; classtype:trojan-activity;sid:84706909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"warmhar.mixzipcore64.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843808/; classtype:trojan-activity;sid:84706908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"arktide8ex.queuedimsys.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843807/; classtype:trojan-activity;sid:84706907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"not1fie-mesh.mixzipcore64.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843806/; classtype:trojan-activity;sid:84706906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"209id.queuedimsys.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843805/; classtype:trojan-activity;sid:84706905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host;
content:"rainstudio.userssawtone.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843804/; classtype:trojan-activity;sid:84706904; rev:1;)
# NOTE(review): the rules below alert on outbound HTTP GET requests whose http.uri and
# http.host both equal the listed strings exactly (depth = content length, closed off by
# `endswith` on the URI and `isdataat:!1,relative` on the host). They are exact-URL indicators:
# a changed path, an added query string or a new hostname needs its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"bandwid-route.mixzipcore64.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843803/; classtype:trojan-activity;sid:84706903; rev:1;)
# sid 84706902 and sid 84706901 have identical match conditions (same URI, same host,
# talnex5on.userssawtone.lat); one request raises both alerts. Presumably the source entries
# differ by scheme or port - confirm against the references, and de-duplicate on host + URI
# when counting alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"talnex5on.userssawtone.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843802/; classtype:trojan-activity;sid:84706902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"talnex5on.userssawtone.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843801/; classtype:trojan-activity;sid:84706901; rev:1;)
# Host 42.6.190.38 appears here with "/i" (sid 84706900) and again with "/bin.sh" in the rule
# that begins on the last line of this section (URLhaus 3843787, continued past it).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.190.38"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843800/; classtype:trojan-activity;sid:84706900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"granitebroad.mixzipcore64.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843799/; classtype:trojan-activity;sid:84706899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"gxyuad.userssawtone.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843798/; classtype:trojan-activity;sid:84706898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"tide6-well.mixzipcore64.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843797/; classtype:trojan-activity;sid:84706897; rev:1;)
# sid 84706896 ("/i", next rule) and sid 84706891 ("/bin.sh", further down) name the same
# host, 42.239.230.227; when one fires, check the same client for the other request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.230.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843796/; classtype:trojan-activity;sid:84706896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"cry5t4-stream.wetshardauth.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843795/; classtype:trojan-activity;sid:84706895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"mervaleet.userssawtone.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843794/; classtype:trojan-activity;sid:84706894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"gr1m-mark.userssawtone.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843793/; classtype:trojan-activity;sid:84706893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"quormark2et.wetshardauth.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843792/; classtype:trojan-activity;sid:84706892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.230.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843791/; classtype:trojan-activity;sid:84706891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"channe-grid.wetshardauth.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843790/; classtype:trojan-activity;sid:84706890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"optwebnode.softnetworkset.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843789/; classtype:trojan-activity;sid:84706889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"5pr0-span.wetshardauth.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843788/; classtype:trojan-activity;sid:84706888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.190.38"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url,
urlhaus.abuse.ch/url/3843787/; classtype:trojan-activity;sid:84706887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843786/; classtype:trojan-activity;sid:84706886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"usrgrpstat.softnetworkset.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843785/; classtype:trojan-activity;sid:84706885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"banb3.wetshardauth.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843784/; classtype:trojan-activity;sid:84706884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"banb3.wetshardauth.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843783/; classtype:trojan-activity;sid:84706883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3843782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"vmlistview.softnetworkset.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843782/; classtype:trojan-activity;sid:84706882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"honestshape.wetshardauth.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843781/; classtype:trojan-activity;sid:84706881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"sshproserv.softnetworkset.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843780/; classtype:trojan-activity;sid:84706880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"sshproserv.softnetworkset.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843779/; classtype:trojan-activity;sid:84706879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843778)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"vel-fluxix.didoprotecauth.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843778/; classtype:trojan-activity;sid:84706878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"tcpconpath.softnetworkset.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843777/; classtype:trojan-activity;sid:84706877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"sens-ring.didoprotecauth.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843776/; classtype:trojan-activity;sid:84706876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.148.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843775/; classtype:trojan-activity;sid:84706875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"netmanproc.softnetworkset.pics"; depth:30; 
isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843774/; classtype:trojan-activity;sid:84706874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"gey5-reach.didoprotecauth.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843773/; classtype:trojan-activity;sid:84706873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"hz1v.didoprotecauth.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843772/; classtype:trojan-activity;sid:84706872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"syskeypath.logicstackhub.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843771/; classtype:trojan-activity;sid:84706871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"webdocserv.logicstackhub.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843770/; 
classtype:trojan-activity;sid:84706870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.107.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843769/; classtype:trojan-activity;sid:84706869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"sermesh7um.didoprotecauth.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843768/; classtype:trojan-activity;sid:84706868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0shll3eb-5bc6-4f5a-aac4-96cb0296157a/auth.review"; depth:49; endswith; nocase; http.host; content:"ujkj.didoprotecauth.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843767/; classtype:trojan-activity;sid:84706867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"appsrchcli.logicstackhub.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843766/; classtype:trojan-activity;sid:84706866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843765)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"logbinnode.logicstackhub.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843765/; classtype:trojan-activity;sid:84706865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"apiopsstat.logicstackhub.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843764/; classtype:trojan-activity;sid:84706864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so7f5fa6-c8d5-4c28-9e4a-c9fb43ca0d86/verify.check"; depth:50; endswith; nocase; http.host; content:"gitlabhubs.logicstackhub.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843763/; classtype:trojan-activity;sid:84706863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"proxysserv.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843762/; classtype:trojan-activity;sid:84706862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"58.208.249.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843761/; classtype:trojan-activity;sid:84706861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"lanhoppath.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843760/; classtype:trojan-activity;sid:84706860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"lanhoppath.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843759/; classtype:trojan-activity;sid:84706859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"subclidata.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843758/; classtype:trojan-activity;sid:84706858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.131.107.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843757/; classtype:trojan-activity;sid:84706857; rev:1;)
# NOTE(review): the path matched by the next rule is only two bytes ("/i"), so
# all of its specificity comes from the exact http.host match on an IP literal.
# An address like this can later pass to an unrelated owner; the only age
# information in the rule is metadata:created_at, so consider expiring
# IP-host entries on a schedule instead of keeping them indefinitely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.33.110.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843756/; classtype:trojan-activity;sid:84706856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"bitkitmaps.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843755/; classtype:trojan-activity;sid:84706855; rev:1;)
# The next two rules name the same host (27.21.28.213) with two different
# paths ("/i" and "/bin.sh"). Each fires on its own, so a client that requests
# both produces two alerts for one host; grouping by http.host during triage
# keeps them together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.21.28.213"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843754/; classtype:trojan-activity;sid:84706854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.21.28.213"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843753/; classtype:trojan-activity;sid:84706853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843752)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"envsetproc.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843752/; classtype:trojan-activity;sid:84706852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"envsetproc.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843751/; classtype:trojan-activity;sid:84706851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.208.249.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843750/; classtype:trojan-activity;sid:84706850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"doclabutil.infrapointbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843749/; classtype:trojan-activity;sid:84706849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.133.140.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843748/; classtype:trojan-activity;sid:84706848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"syncitnode.cloudprocmgr.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843747/; classtype:trojan-activity;sid:84706847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"36.33.110.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843746/; classtype:trojan-activity;sid:84706846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ioflowpath.cloudprocmgr.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843745/; classtype:trojan-activity;sid:84706845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"taskidview.cloudprocmgr.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843744/; classtype:trojan-activity;sid:84706844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3843742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"cmd.cloudflowops.co"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843742/; classtype:trojan-activity;sid:84706842; rev:1;)
# NOTE(review): the rule that follows (sid 84706843) repeats the match
# conditions of the rule that ends just above (sid 84706842): GET /ggl.ocx with
# http.host equal to cmd.cloudflowops.co. Only msg, reference and sid differ,
# so one matching request raises both alerts. Presumably the two URLhaus
# entries differ in something the signature does not encode (scheme or port,
# say); confirm upstream, and deduplicate on host + URI when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"cmd.cloudflowops.co"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843743/; classtype:trojan-activity;sid:84706843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"comwebstat.cloudprocmgr.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843741/; classtype:trojan-activity;sid:84706841; rev:1;)
# NOTE(review): the next two rules (URLhaus entries 3843739 and 3843740) are
# another pair with the same URI and host match (/ggl.ocx on
# metaviewhub.cloudflowops.co); expect two alerts per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"metaviewhub.cloudflowops.co"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843739/; classtype:trojan-activity;sid:84706839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"metaviewhub.cloudflowops.co"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; 
reference:url, urlhaus.abuse.ch/url/3843740/; classtype:trojan-activity;sid:84706840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"refidcorex.cloudprocmgr.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843738/; classtype:trojan-activity;sid:84706838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"refidcorex.cloudprocmgr.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843737/; classtype:trojan-activity;sid:84706837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"sync.cloudflowops.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843735/; classtype:trojan-activity;sid:84706835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"sync.cloudflowops.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843736/; classtype:trojan-activity;sid:84706836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843733)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"flowmaster.cloudflowops.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843733/; classtype:trojan-activity;sid:84706833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"flowmaster.cloudflowops.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843734/; classtype:trojan-activity;sid:84706834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.57.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843732/; classtype:trojan-activity;sid:84706832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.133.140.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843731/; classtype:trojan-activity;sid:84706831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"autboxserv.cloudprocmgr.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843730/; classtype:trojan-activity;sid:84706830; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules in this stretch
#
# Every rule below follows one template; only the URLhaus id, the URI, the
# host and the sid change:
#   * alert http ... flow:established,from_client
#       Evaluated on the client's HTTP request. An alert records that a
#       $HOME_NET host requested the URL; on its own it does not show that a
#       payload was returned or executed.
#   * http.method; content:"GET"
#   * http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the string length and endswith anchors the end, so the
#       URI buffer has to equal the listed path. nocase modifies this URI
#       content only.
#   * http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       Same anchoring on the host buffer: it has to equal the listed
#       name or IP.
#
# Notes for triage and coverage:
#   * These are exact-URL indicators on cleartext HTTP. Requests to the same
#     host over TLS, or to another path on it, are not covered by these
#     signatures; use DNS / proxy / TLS telemetry for host-level coverage.
#   * In every rule here sid = URLhaus id + 80863100. Keep sids as published
#     so local threshold/suppress entries and the reference URL stay aligned.
#   * Several URI + host pairs appear under two URLhaus ids (marked below), so
#     a single request can raise two alerts. Why the feed lists them twice is
#     not visible here -- check the referenced URLhaus entries -- and
#     deduplicate on host + URI downstream.
# ---------------------------------------------------------------------------
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"cloud.cloudflowops.co"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843728/; classtype:trojan-activity;sid:84706828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"cloud.cloudflowops.co"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843729/; classtype:trojan-activity;sid:84706829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"domregutil.datalinkservice.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843727/; classtype:trojan-activity;sid:84706827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"pwrlogview.datalinkservice.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843726/; classtype:trojan-activity;sid:84706826; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"topsvc.cloudflowops.co"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843724/; classtype:trojan-activity;sid:84706824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"topsvc.cloudflowops.co"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843725/; classtype:trojan-activity;sid:84706825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"extnetprox.datalinkservice.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843723/; classtype:trojan-activity;sid:84706823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.109.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843722/; classtype:trojan-activity;sid:84706822; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"opsmgr.cloudflowops.co"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843720/; classtype:trojan-activity;sid:84706820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"opsmgr.cloudflowops.co"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843721/; classtype:trojan-activity;sid:84706821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.238.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843719/; classtype:trojan-activity;sid:84706819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.203.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843718/; classtype:trojan-activity;sid:84706818; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"pkgrunstat.datalinkservice.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843717/; classtype:trojan-activity;sid:84706817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"pkgrunstat.datalinkservice.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843716/; classtype:trojan-activity;sid:84706816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843715/; classtype:trojan-activity;sid:84706815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.203.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843714/; classtype:trojan-activity;sid:84706814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"modbusdata.datalinkservice.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843713/; classtype:trojan-activity;sid:84706813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"srcgetproc.datalinkservice.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843712/; classtype:trojan-activity;sid:84706812; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"dnswebsrvs.cloudflowops.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843710/; classtype:trojan-activity;sid:84706810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"dnswebsrvs.cloudflowops.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843711/; classtype:trojan-activity;sid:84706811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.132.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843709/; classtype:trojan-activity;sid:84706809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843708/; classtype:trojan-activity;sid:84706808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"uidmapbits.webstackengine.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843707/; classtype:trojan-activity;sid:84706807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.109.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843706/; classtype:trojan-activity;sid:84706806; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"xmlbase.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843704/; classtype:trojan-activity;sid:84706804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"xmlbase.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843705/; classtype:trojan-activity;sid:84706805; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ftpsrvnode.webstackengine.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843703/; classtype:trojan-activity;sid:84706803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ftpsrvnode.webstackengine.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843702/; classtype:trojan-activity;sid:84706802; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"git.netlogicstack.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843701/; classtype:trojan-activity;sid:84706801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"git.netlogicstack.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843700/; classtype:trojan-activity;sid:84706800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"libsyspath.webstackengine.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843699/; classtype:trojan-activity;sid:84706799; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"proxyservmgr.netlogicstack.co"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843697/; classtype:trojan-activity;sid:84706797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"proxyservmgr.netlogicstack.co"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843698/; classtype:trojan-activity;sid:84706798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"jobadmmgrs.webstackengine.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843696/; classtype:trojan-activity;sid:84706796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"rawdatamap.webstackengine.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843695/; classtype:trojan-activity;sid:84706795; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"vpsentry.netlogicstack.co"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843693/; classtype:trojan-activity;sid:84706793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"vpsentry.netlogicstack.co"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843694/; classtype:trojan-activity;sid:84706794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.214.225.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843692/; classtype:trojan-activity;sid:84706792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ziparkview.webstackengine.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843691/; classtype:trojan-activity;sid:84706791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.131.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843690/; classtype:trojan-activity;sid:84706790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"osbasesyst.nodesystemcore.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843689/; classtype:trojan-activity;sid:84706789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"metaltscfg.nodesystemcore.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843688/; classtype:trojan-activity;sid:84706788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843687/; classtype:trojan-activity;sid:84706787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843684/; classtype:trojan-activity;sid:84706784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_aarch64"; depth:14; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843685/; classtype:trojan-activity;sid:84706785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64"; depth:12; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843686/; classtype:trojan-activity;sid:84706786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64el"; depth:14; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843672/; classtype:trojan-activity;sid:84706772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_386"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843673/; classtype:trojan-activity;sid:84706773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_hardfloat"; depth:21; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843674/; classtype:trojan-activity;sid:84706774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843675/; classtype:trojan-activity;sid:84706775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843676/; classtype:trojan-activity;sid:84706776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_softfloat"; depth:21; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843677/; classtype:trojan-activity;sid:84706777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arc"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843678/; classtype:trojan-activity;sid:84706778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//arm5"; depth:6; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843679/; classtype:trojan-activity;sid:84706779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843680/; classtype:trojan-activity;sid:84706780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64el"; depth:15; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843681/; classtype:trojan-activity;sid:84706781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_hardfloat"; depth:23; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843682/; classtype:trojan-activity;sid:84706782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843683/; classtype:trojan-activity;sid:84706783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goth.sh"; depth:8; endswith; nocase; http.host; content:"45.156.87.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843671/; classtype:trojan-activity;sid:84706771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"apidocserv.nodesystemcore.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843669/; classtype:trojan-activity;sid:84706769; rev:1;)
# Next two rules: identical http.uri + http.host under two URLhaus ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"devbits.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843670/; classtype:trojan-activity;sid:84706770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"devbits.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843668/; classtype:trojan-activity;sid:84706768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843667/; classtype:trojan-activity;sid:84706767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843666/; classtype:trojan-activity;sid:84706766; rev:1;)
# The /linux_* rules from sid 84706752 through sid 84706765 repeat URI + host
# pairs already matched by the /linux_* rules earlier in this stretch (sids
# within 84706772-84706786). Only /linux_mipsel_softfloat (sid 84706761) has
# no earlier twin in this stretch.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843652/; classtype:trojan-activity;sid:84706752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64el"; depth:14; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843653/; classtype:trojan-activity;sid:84706753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_386"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843654/; classtype:trojan-activity;sid:84706754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_aarch64"; depth:14; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843655/; classtype:trojan-activity;sid:84706755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843656/; classtype:trojan-activity;sid:84706756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843657/; classtype:trojan-activity;sid:84706757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ppc64"; depth:12; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843658/; classtype:trojan-activity;sid:84706758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_hardfloat"; depth:21; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843659/; classtype:trojan-activity;sid:84706759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843660/; classtype:trojan-activity;sid:84706760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_softfloat"; depth:23; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843661/; classtype:trojan-activity;sid:84706761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64el"; depth:15; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843662/; classtype:trojan-activity;sid:84706762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843663/; classtype:trojan-activity;sid:84706763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips_softfloat"; depth:21; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843664/; classtype:trojan-activity;sid:84706764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mipsel_hardfloat"; depth:23; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843665/; classtype:trojan-activity;sid:84706765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843651/; classtype:trojan-activity;sid:84706751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843645/; classtype:trojan-activity;sid:84706745; rev:1;)
# Same http.uri + http.host as sid 84706778 earlier in this stretch.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arc"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843646/; classtype:trojan-activity;sid:84706746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccc.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843647/; classtype:trojan-activity;sid:84706747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.dbg"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843648/; classtype:trojan-activity;sid:84706748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_ak.sh"; depth:12; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843649/; classtype:trojan-activity;sid:84706749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843650/; classtype:trojan-activity;sid:84706750; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843644/; classtype:trojan-activity;sid:84706744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.apk"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843642/; classtype:trojan-activity;sid:84706742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843643/; classtype:trojan-activity;sid:84706743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"logmanagementsys.netlogicstack.co"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843641/; classtype:trojan-activity;sid:84706741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dbinstlist.nodesystemcore.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843640/; classtype:trojan-activity;sid:84706740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.131.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843639/; classtype:trojan-activity;sid:84706739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"api.netlogicstack.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843637/; classtype:trojan-activity;sid:84706737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"skyvpnnode.nodesystemcore.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843638/; classtype:trojan-activity;sid:84706738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.214.225.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843636/; classtype:trojan-activity;sid:84706736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"webcdnstat.netlogicstack.co"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843635/; classtype:trojan-activity;sid:84706735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cmdsetproc.nodesystemcore.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843634/; classtype:trojan-activity;sid:84706734; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggl.ocx"; depth:8; endswith; nocase; http.host; content:"srvnode.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843633/; classtype:trojan-activity;sid:84706733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.26.82.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843632/; classtype:trojan-activity;sid:84706732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"tmpdirsets.techopsruntime.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843631/; classtype:trojan-activity;sid:84706731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.88.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843630/; classtype:trojan-activity;sid:84706730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.216.211"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843629/; classtype:trojan-activity;sid:84706729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.216.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843628/; classtype:trojan-activity;sid:84706728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sshbinpath.techopsruntime.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843627/; classtype:trojan-activity;sid:84706727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.88.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843626/; classtype:trojan-activity;sid:84706726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.43.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843625/; classtype:trojan-activity;sid:84706725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843624)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.43.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843624/; classtype:trojan-activity;sid:84706724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.38.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843623/; classtype:trojan-activity;sid:84706723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sslkeybase.techopsruntime.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843622/; classtype:trojan-activity;sid:84706722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cmd.cloudflowops.co"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843621/; classtype:trojan-activity;sid:84706721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"metaviewhub.cloudflowops.co"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; 
reference:url, urlhaus.abuse.ch/url/3843620/; classtype:trojan-activity;sid:84706720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.52.128.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843618/; classtype:trojan-activity;sid:84706718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"getcfghubs.techopsruntime.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843619/; classtype:trojan-activity;sid:84706719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"140.237.38.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843617/; classtype:trojan-activity;sid:84706717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sync.cloudflowops.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843616/; classtype:trojan-activity;sid:84706716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843615)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.26.82.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843615/; classtype:trojan-activity;sid:84706715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ipnodeclis.techopsruntime.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843614/; classtype:trojan-activity;sid:84706714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.88.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843613/; classtype:trojan-activity;sid:84706713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.52.128.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843612/; classtype:trojan-activity;sid:84706712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"hotfixpack.techopsruntime.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843610/; classtype:trojan-activity;sid:84706710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"flowmaster.cloudflowops.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843611/; classtype:trojan-activity;sid:84706711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"bitfoxcore.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843609/; classtype:trojan-activity;sid:84706709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"bitfoxcore.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843608/; classtype:trojan-activity;sid:84706708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cloud.cloudflowops.co"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843607/; classtype:trojan-activity;sid:84706707; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"198.2.100.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843606/; classtype:trojan-activity;sid:84706706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bitfoxcoreunit.cloudflowops.co"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843605/; classtype:trojan-activity;sid:84706705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"topsvcutil.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843604/; classtype:trojan-activity;sid:84706704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"opsmgrsvcs.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843603/; classtype:trojan-activity;sid:84706703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843602)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"topsvc.cloudflowops.co"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843602/; classtype:trojan-activity;sid:84706702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cpuprosmgr.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843601/; classtype:trojan-activity;sid:84706701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"opsmgr.cloudflowops.co"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843600/; classtype:trojan-activity;sid:84706700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cpuprosmgr.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843599/; classtype:trojan-activity;sid:84706699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.88.133"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843598/; classtype:trojan-activity;sid:84706698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.59.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843597/; classtype:trojan-activity;sid:84706697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"vpsrunproc.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843596/; classtype:trojan-activity;sid:84706696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cpuprocessormgr.cloudflowops.co"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843595/; classtype:trojan-activity;sid:84706695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vpsrun.cloudflowops.co"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843594/; classtype:trojan-activity;sid:84706694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3843593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dnswebsrvs.coderworkflow.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843593/; classtype:trojan-activity;sid:84706693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dnswebsrvs.cloudflowops.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843592/; classtype:trojan-activity;sid:84706692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"198.2.100.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843591/; classtype:trojan-activity;sid:84706691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dnswebsrvs.cloudflowops.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843590/; classtype:trojan-activity;sid:84706690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843589)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"appboxdata.devlogicmaster.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843589/; classtype:trojan-activity;sid:84706689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"xmlbase.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843587/; classtype:trojan-activity;sid:84706687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"xmlbase.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843588/; classtype:trojan-activity;sid:84706688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"devbitscfg.devlogicmaster.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843586/; classtype:trojan-activity;sid:84706686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; 
content:"logviewsys.devlogicmaster.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843585/; classtype:trojan-activity;sid:84706685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.148.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843584/; classtype:trojan-activity;sid:84706684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"git.netlogicstack.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843583/; classtype:trojan-activity;sid:84706683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"netapiprot.devlogicmaster.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843582/; classtype:trojan-activity;sid:84706682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"proxyservmgr.netlogicstack.co"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843581/; 
classtype:trojan-activity;sid:84706681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.87.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843580/; classtype:trojan-activity;sid:84706680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.199.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843579/; classtype:trojan-activity;sid:84706679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.198.227.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843578/; classtype:trojan-activity;sid:84706678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.38.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843577/; classtype:trojan-activity;sid:84706677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; 
content:"webcdnstat.devlogicmaster.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843576/; classtype:trojan-activity;sid:84706676; rev:1;)
#
# Reviewer notes on the rules in this section (URLhaus entries created 2026_05_10):
#
# - Every rule is an exact-match indicator. On http.uri, `depth` equals the
#   length of the content and is paired with `endswith`; on http.host, `depth`
#   equals the length of the content and is paired with `isdataat:!1,relative`.
#   The normalized request URI and the Host value must therefore equal the
#   listed strings in full (the URI comparison is case-insensitive via
#   `nocase`). The same path with a query string appended, or the same path
#   on a different host, does not alert.
# - Only client-to-server GET requests from $HOME_NET to $EXTERNAL_NET that
#   Suricata parses as HTTP are inspected. The same URL fetched over TLS is
#   not visible to these rules unless it is decrypted before it reaches the
#   sensor.
# - Several hosts appear in two rules whose URI and Host contents are
#   identical and only the URLhaus id / sid differ (for example sids
#   84706673 and 84706672). One matching request raises both alerts.
#   NOTE(review): presumably the underlying URLhaus entries differ in scheme
#   or port, which these rules do not encode - confirm against the
#   referenced entries before de-duplicating or thresholding.
# - Short paths such as "/i" and "/bin.sh" are generic; the specificity of
#   those rules comes from the Host value, so triage on the host/path pair
#   rather than on the path alone.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"webcdnstat.devlogicmaster.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843575/; classtype:trojan-activity;sid:84706675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"net.netlogicstack.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843574/; classtype:trojan-activity;sid:84706674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vpsentry.netlogicstack.co"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843573/; classtype:trojan-activity;sid:84706673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vpsentry.netlogicstack.co"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843572/; classtype:trojan-activity;sid:84706672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"srvnodehub.devlogicmaster.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843571/; classtype:trojan-activity;sid:84706671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"corestack.netlogicstack.co"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843570/; classtype:trojan-activity;sid:84706670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"gitlabhubs.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843568/; classtype:trojan-activity;sid:84706668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"gitlabhubs.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843569/; classtype:trojan-activity;sid:84706669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goth.sh"; depth:8; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843567/; classtype:trojan-activity;sid:84706667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"appboxdatacent.netlogicstack.co"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843566/; classtype:trojan-activity;sid:84706666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"apiopsstat.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843565/; classtype:trojan-activity;sid:84706665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"apiopsstat.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843564/; classtype:trojan-activity;sid:84706664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.x"; depth:3; endswith; nocase; http.host; content:"212.162.155.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843563/; classtype:trojan-activity;sid:84706663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.148.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843562/; classtype:trojan-activity;sid:84706662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.38.69"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843561/; classtype:trojan-activity;sid:84706661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"devbits.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843560/; classtype:trojan-activity;sid:84706660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"logbinnode.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843559/; classtype:trojan-activity;sid:84706659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.198.227.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843558/; classtype:trojan-activity;sid:84706658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"appsrchcli.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843557/; classtype:trojan-activity;sid:84706657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logmanagementsys.netlogicstack.co"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843556/; classtype:trojan-activity;sid:84706656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843555/; classtype:trojan-activity;sid:84706655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"webdocserv.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843554/; classtype:trojan-activity;sid:84706654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"api.netlogicstack.co"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843553/; classtype:trojan-activity;sid:84706653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"23.92.130.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843552/; classtype:trojan-activity;sid:84706652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.94.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843551/; classtype:trojan-activity;sid:84706651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"syskeypath.coderlogicbase.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843550/; classtype:trojan-activity;sid:84706650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"webcdnstat.netlogicstack.co"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843549/; classtype:trojan-activity;sid:84706649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srvnode.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843548/; classtype:trojan-activity;sid:84706648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srvnode.netlogicstack.co"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843547/; classtype:trojan-activity;sid:84706647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"netmanproc.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843546/; classtype:trojan-activity;sid:84706646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"proxys.infrasettopview.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843545/; classtype:trojan-activity;sid:84706645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"tcpconpath.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843544/; classtype:trojan-activity;sid:84706644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"tcpconpath.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843543/; classtype:trojan-activity;sid:84706643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"lanhoppathsys.infrasettopview.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843542/; classtype:trojan-activity;sid:84706642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sshproserv.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843541/; classtype:trojan-activity;sid:84706641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sshproserv.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843540/; classtype:trojan-activity;sid:84706640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"subcli.infrasettopview.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843539/; classtype:trojan-activity;sid:84706639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.72.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843538/; classtype:trojan-activity;sid:84706638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"vmlistview.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843537/; classtype:trojan-activity;sid:84706637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.180.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843536/; classtype:trojan-activity;sid:84706636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"usrgrpstat.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843535/; classtype:trojan-activity;sid:84706635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"usrgrpstat.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843533/; classtype:trojan-activity;sid:84706633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bitkitmapsmgr.infrasettopview.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843534/; classtype:trojan-activity;sid:84706634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.180.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843532/; classtype:trojan-activity;sid:84706632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"envset.infrasettopview.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843531/; classtype:trojan-activity;sid:84706631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"doclabutil.infrasettopview.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843529/; classtype:trojan-activity;sid:84706629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"doclabutil.infrasettopview.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843530/; classtype:trojan-activity;sid:84706630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"optwebnode.infraworkspace.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843528/; classtype:trojan-activity;sid:84706628; rev:1;)
#
# The next eleven rules share Host 94.26.106.49 and differ only in a
# per-architecture path (/sparc, /armv6l, /x86_64, /mipsel, /armv7l, /sh4,
# /armv4l, /m68k, /i586, /armv5l, /powerpc). Rules for /goth.sh and /mips on
# the same host appear separately in this section. When one of these fires,
# check the same internal client for requests to the other paths on this host.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843527/; classtype:trojan-activity;sid:84706627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843521/; classtype:trojan-activity;sid:84706621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843522/; classtype:trojan-activity;sid:84706622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843523/; classtype:trojan-activity;sid:84706623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843524/; classtype:trojan-activity;sid:84706624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843525/; classtype:trojan-activity;sid:84706625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843526/; classtype:trojan-activity;sid:84706626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843517/; classtype:trojan-activity;sid:84706617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843518/; classtype:trojan-activity;sid:84706618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843519/; classtype:trojan-activity;sid:84706619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843520/; classtype:trojan-activity;sid:84706620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.55.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843516/; classtype:trojan-activity;sid:84706616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.185.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843515/; classtype:trojan-activity;sid:84706615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"proxysserv.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843514/; classtype:trojan-activity;sid:84706614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"syncitnodesys.globtechnodebase.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843513/; classtype:trojan-activity;sid:84706613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"lanhoppath.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843512/; classtype:trojan-activity;sid:84706612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.182.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843511/; classtype:trojan-activity;sid:84706611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.116.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843510/; classtype:trojan-activity;sid:84706610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ioflow.globtechnodebase.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843509/; classtype:trojan-activity;sid:84706609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.208.157.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843508/; classtype:trojan-activity;sid:84706608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ioflow.globtechnodebase.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843507/; classtype:trojan-activity;sid:84706607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"subclidata.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843506/; classtype:trojan-activity;sid:84706606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"subclidata.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843505/; classtype:trojan-activity;sid:84706605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"taskidviewhub.globtechnodebase.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843504/; classtype:trojan-activity;sid:84706604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"bitkitmaps.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843503/; classtype:trojan-activity;sid:84706603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.97.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843502/; classtype:trojan-activity;sid:84706602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"comweb.globtechnodebase.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843501/; classtype:trojan-activity;sid:84706601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"envsetproc.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843500/; classtype:trojan-activity;sid:84706600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843499/; classtype:trojan-activity;sid:84706599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"refidcorex.globtechnodebase.pics"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843498/; classtype:trojan-activity;sid:84706598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"doclabutil.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843497/; classtype:trojan-activity;sid:84706597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"doclabutil.openapiservicex.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843496/; classtype:trojan-activity;sid:84706596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"94.26.106.49"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843495/; classtype:trojan-activity;sid:84706595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"autbox.globtechnodebase.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843494/; classtype:trojan-activity;sid:84706594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"syncitnode.fastnetgatehub.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843493/; classtype:trojan-activity;sid:84706593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"syncitnode.fastnetgatehub.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843492/; classtype:trojan-activity;sid:84706592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"domreg.openapiservicedata.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843491/; classtype:trojan-activity;sid:84706591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ioflowpath.fastnetgatehub.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843490/; classtype:trojan-activity;sid:84706590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"pwrlogviewsys.openapiservicedata.pics"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843489/; classtype:trojan-activity;sid:84706589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843488)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"taskidview.fastnetgatehub.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843488/; classtype:trojan-activity;sid:84706588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"extnet.openapiservicedata.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843486/; classtype:trojan-activity;sid:84706586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"extnet.openapiservicedata.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843487/; classtype:trojan-activity;sid:84706587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"comwebstat.fastnetgatehub.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843485/; classtype:trojan-activity;sid:84706585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.65"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843484/; classtype:trojan-activity;sid:84706584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"pkgrunstatlog.openapiservicedata.pics"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843483/; classtype:trojan-activity;sid:84706583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"pkgrunstatlog.openapiservicedata.pics"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843482/; classtype:trojan-activity;sid:84706582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"refidcorex.fastnetgatehub.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843481/; classtype:trojan-activity;sid:84706581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.97.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843480/; classtype:trojan-activity;sid:84706580; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"modbus.openapiservicedata.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843479/; classtype:trojan-activity;sid:84706579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srcgetproc.openapiservicedata.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843478/; classtype:trojan-activity;sid:84706578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srcgetproc.openapiservicedata.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843477/; classtype:trojan-activity;sid:84706577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"autboxserv.fastnetgatehub.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843476/; classtype:trojan-activity;sid:84706576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3843475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"domregutil.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843475/; classtype:trojan-activity;sid:84706575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"domregutil.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843474/; classtype:trojan-activity;sid:84706574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"uidmapbitsys.fastnetgateview.pics"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843473/; classtype:trojan-activity;sid:84706573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.96.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843472/; classtype:trojan-activity;sid:84706572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; 
depth:48; endswith; nocase; http.host; content:"pwrlogview.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843471/; classtype:trojan-activity;sid:84706571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ftpsrv.fastnetgateview.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843470/; classtype:trojan-activity;sid:84706570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"extnetprox.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843469/; classtype:trojan-activity;sid:84706569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"extnetprox.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843468/; classtype:trojan-activity;sid:84706568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.82.84"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, 
urlhaus.abuse.ch/url/3843467/; classtype:trojan-activity;sid:84706567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"libsyspathview.fastnetgateview.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843466/; classtype:trojan-activity;sid:84706566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"libsyspathview.fastnetgateview.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843465/; classtype:trojan-activity;sid:84706565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.96.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843464/; classtype:trojan-activity;sid:84706564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.135.223.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843463/; classtype:trojan-activity;sid:84706563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843462)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"pkgrunstat.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843462/; classtype:trojan-activity;sid:84706562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"jobadm.fastnetgateview.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843461/; classtype:trojan-activity;sid:84706561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.19.27.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843460/; classtype:trojan-activity;sid:84706560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"modbusdata.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843459/; classtype:trojan-activity;sid:84706559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; 
content:"rawdatamapping.fastnetgateview.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843458/; classtype:trojan-activity;sid:84706558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.71.200.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843457/; classtype:trojan-activity;sid:84706557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"zipark.fastnetgateview.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843456/; classtype:trojan-activity;sid:84706556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"srcgetproc.systemcoreunit.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843455/; classtype:trojan-activity;sid:84706555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"uidmapbits.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843454/; 
classtype:trojan-activity;sid:84706554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"uidmapbits.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843453/; classtype:trojan-activity;sid:84706553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"osbase.systemcorelinkx.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843452/; classtype:trojan-activity;sid:84706552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.19.27.29"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843451/; classtype:trojan-activity;sid:84706551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ftpsrvnode.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843450/; classtype:trojan-activity;sid:84706550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843449)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miner.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843449/; classtype:trojan-activity;sid:84706549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"metaltscfgmgr.systemcorelinkx.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_10; reference:url, urlhaus.abuse.ch/url/3843448/; classtype:trojan-activity;sid:84706548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"libsyspath.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843447/; classtype:trojan-activity;sid:84706547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"libsyspath.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843446/; classtype:trojan-activity;sid:84706546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.143.128"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843445/; classtype:trojan-activity;sid:84706545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"apidocserv.systemcorelinkx.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843444/; classtype:trojan-activity;sid:84706544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.143.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843443/; classtype:trojan-activity;sid:84706543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"jobadmmgrs.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843442/; classtype:trojan-activity;sid:84706542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dbinst.systemcorelinkx.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843441/; classtype:trojan-activity;sid:84706541; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"rawdatamap.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843440/; classtype:trojan-activity;sid:84706540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ziparkview.datalinkcenter.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843439/; classtype:trojan-activity;sid:84706539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"skyvpnnodehub.systemcorelinkx.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843438/; classtype:trojan-activity;sid:84706538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"osbasesyst.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843437/; classtype:trojan-activity;sid:84706537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3843436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cmdset.systemcorelinkx.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843436/; classtype:trojan-activity;sid:84706536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tmpdirsetsys.cloudstacklogic.pics"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843435/; classtype:trojan-activity;sid:84706535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"metaltscfg.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843434/; classtype:trojan-activity;sid:84706534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"apidocserv.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843433/; classtype:trojan-activity;sid:84706533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843432)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"apidocserv.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843432/; classtype:trojan-activity;sid:84706532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sshbin.cloudstacklogic.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843431/; classtype:trojan-activity;sid:84706531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dbinstlist.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843430/; classtype:trojan-activity;sid:84706530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.236.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843429/; classtype:trojan-activity;sid:84706529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843423/; classtype:trojan-activity;sid:84706523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm64"; depth:14; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843424/; classtype:trojan-activity;sid:84706524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843425/; classtype:trojan-activity;sid:84706525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843426/; classtype:trojan-activity;sid:84706526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843427/; classtype:trojan-activity;sid:84706527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i386"; depth:5; endswith; nocase; http.host; 
content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843428/; classtype:trojan-activity;sid:84706528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843419/; classtype:trojan-activity;sid:84706519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843420/; classtype:trojan-activity;sid:84706520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843421/; classtype:trojan-activity;sid:84706521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843422/; classtype:trojan-activity;sid:84706522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843417)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sslkeybasepoint.cloudstacklogic.pics"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843417/; classtype:trojan-activity;sid:84706517; rev:1;)
# NOTE(review): every rule below follows one generated template and is an exact-URL IoC match:
#   - http.method must contain "GET";
#   - http.uri: depth equals the content length and endswith is set, so the normalized request
#     URI (path plus any query string) must equal the listed string, case-insensitively (nocase);
#   - http.host: depth equals the content length and isdataat:!1,relative forbids trailing bytes,
#     so the host must equal the listed name or address exactly.
# Only the URL as reported to URLhaus is matched; treat a hit as high-confidence and a miss as
# saying nothing about other paths on the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843418/; classtype:trojan-activity;sid:84706518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"getcfghub.cloudstacklogic.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843416/; classtype:trojan-activity;sid:84706516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"skyvpnnode.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843415/; classtype:trojan-activity;sid:84706515; rev:1;)
# NOTE(review): sid 84706514 (here) and sid 84706512 (two rules further down) carry identical
# http.uri and http.host conditions; they differ only in msg id, reference and sid. One matching
# request raises both alerts. Presumably the two URLhaus entries differ in something this
# template does not match on (scheme or port) — verify on the referenced URLhaus pages, and
# deduplicate downstream on (source, host, uri) when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cmdsetproc.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843414/; classtype:trojan-activity;sid:84706514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ipnodeclisys.cloudstacklogic.pics"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843413/; classtype:trojan-activity;sid:84706513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cmdsetproc.cloudstackproc.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843412/; classtype:trojan-activity;sid:84706512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843406/; classtype:trojan-activity;sid:84706506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843407/; classtype:trojan-activity;sid:84706507; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843408/; classtype:trojan-activity;sid:84706508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843409/; classtype:trojan-activity;sid:84706509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843410/; classtype:trojan-activity;sid:84706510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843411/; classtype:trojan-activity;sid:84706511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843404/; classtype:trojan-activity;sid:84706504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"94.156.152.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843405/; classtype:trojan-activity;sid:84706505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"hotfix.cloudstacklogic.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843403/; classtype:trojan-activity;sid:84706503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"tmpdirsets.webcfgmanager.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843402/; classtype:trojan-activity;sid:84706502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.247.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843401/; classtype:trojan-activity;sid:84706501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843400)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bitfoxcoreunit.webdataprocunit.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843400/; classtype:trojan-activity;sid:84706500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sshbinpath.webcfgmanager.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843399/; classtype:trojan-activity;sid:84706499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843398/; classtype:trojan-activity;sid:84706498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.247.218"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843397/; classtype:trojan-activity;sid:84706497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843394/; classtype:trojan-activity;sid:84706494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843395/; classtype:trojan-activity;sid:84706495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843396/; classtype:trojan-activity;sid:84706496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843390/; classtype:trojan-activity;sid:84706490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843391/; classtype:trojan-activity;sid:84706491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.177"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843392/; classtype:trojan-activity;sid:84706492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843393/; classtype:trojan-activity;sid:84706493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.127.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843389/; classtype:trojan-activity;sid:84706489; rev:1;)
# NOTE(review): the rules from here to the end of this group alternate between two fixed URI
# paths ("/c2cb43a1-…/google.ocx" and "/99c7fa93-…/check.rock") on many different ".pics"
# hostnames. Each rule pins one hostname exactly, so a hostname the feed has not listed yet is
# not covered; a retro-hunt on the two paths alone in HTTP/proxy logs complements these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"topsvc.webdataprocunit.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843388/; classtype:trojan-activity;sid:84706488; rev:1;)
# NOTE(review): sid 84706487 and sid 84706486 have identical match conditions (same http.uri,
# same http.host); only msg id, reference and sid differ, so one request alerts twice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sslkeybase.webcfgmanager.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843387/; classtype:trojan-activity;sid:84706487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sslkeybase.webcfgmanager.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843386/; classtype:trojan-activity;sid:84706486; rev:1;)
# NOTE(review): same situation for sid 84706485 and sid 84706484 — identical http.uri and
# http.host. Presumably the underlying URLhaus entries differ in scheme or port, which this
# template does not encode — TODO confirm on the referenced URLhaus pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"opsmgr.webdataprocunit.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843385/; classtype:trojan-activity;sid:84706485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"opsmgr.webdataprocunit.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843384/; classtype:trojan-activity;sid:84706484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"getcfghubs.webcfgmanager.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843383/; classtype:trojan-activity;sid:84706483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843382)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ipnodeclis.webcfgmanager.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843382/; classtype:trojan-activity;sid:84706482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cpuprocessormgr.webdataprocunit.pics"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843381/; classtype:trojan-activity;sid:84706481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"hotfixpack.webcfgmanager.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843380/; classtype:trojan-activity;sid:84706480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vpsrun.webdataprocunit.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843379/; classtype:trojan-activity;sid:84706479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; 
http.host; content:"bitfoxcore.technodesupply.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843378/; classtype:trojan-activity;sid:84706478; rev:1;)
# NOTE(review): these are "alert http" rules, so they only see requests that Suricata's HTTP
# parser can read. If one of the listed hostnames is fetched over TLS without decryption in
# front of the sensor, the URI is not visible and none of these rules fire; hostname-level
# coverage (for example dns.query or tls.sni matches on the same names) would have to come
# from a separate ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dnswebsrvs.webdataprocunit.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843377/; classtype:trojan-activity;sid:84706477; rev:1;)
# The two-byte URI "/i" is only usable as a signature because depth:2 plus endswith force the
# whole URI to equal "/i" and the http.host condition pins a single address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.35.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843376/; classtype:trojan-activity;sid:84706476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.35.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843375/; classtype:trojan-activity;sid:84706475; rev:1;)
# NOTE(review): sid 84706474 and sid 84706473 have identical http.uri and http.host
# conditions; a single matching request produces two alerts that differ only in sid and
# reference. Count them as one event during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"appboxdatacent.netinfrahubsys.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843374/; classtype:trojan-activity;sid:84706474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"appboxdatacent.netinfrahubsys.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843373/; classtype:trojan-activity;sid:84706473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"topsvcutil.technodesupply.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843372/; classtype:trojan-activity;sid:84706472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.242.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843371/; classtype:trojan-activity;sid:84706471; rev:1;)
# NOTE(review): sid 84706470 is repeated by the next rule, sid 84706469, with the same
# http.uri and http.host (devbits.netinfrahubsys.pics); both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"devbits.netinfrahubsys.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843370/; classtype:trojan-activity;sid:84706470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843369)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"devbits.netinfrahubsys.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843369/; classtype:trojan-activity;sid:84706469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"opsmgrsvcs.technodesupply.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843368/; classtype:trojan-activity;sid:84706468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logmanagementsys.netinfrahubsys.pics"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843367/; classtype:trojan-activity;sid:84706467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843355/; classtype:trojan-activity;sid:84706455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843356/; classtype:trojan-activity;sid:84706456; rev:1;)
# NOTE(review): every rule in this group pins the same http.host value, 176.65.139.165, and
# differs only in the exact URI. The file names (armv4l, mips, manji.x86, manji.ppc440, …)
# look like per-CPU-architecture builds of one payload — inferred from the names only.
# Because each URI is matched exactly, a file name on this host that the feed has not listed
# is not covered here; when one of these sids fires, review all HTTP requests from the same
# client to this host rather than only the alerted URI.
# The host is an IP literal dated by metadata:created_at 2026_05_09; addresses get reassigned,
# so check the referenced URLhaus entry for its current status before escalating an old hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843357/; classtype:trojan-activity;sid:84706457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843358/; classtype:trojan-activity;sid:84706458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843359/; classtype:trojan-activity;sid:84706459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843360/; classtype:trojan-activity;sid:84706460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843361/; classtype:trojan-activity;sid:84706461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843362/; classtype:trojan-activity;sid:84706462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843363/; classtype:trojan-activity;sid:84706463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843364/; classtype:trojan-activity;sid:84706464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843365/; classtype:trojan-activity;sid:84706465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware
download URL detected (3843366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843366/; classtype:trojan-activity;sid:84706466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843354/; classtype:trojan-activity;sid:84706454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cpuprosmgr.technodesupply.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843353/; classtype:trojan-activity;sid:84706453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/bwjpsd5.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843352/; classtype:trojan-activity;sid:84706452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"api.netinfrahubsys.pics"; depth:23; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843351/; classtype:trojan-activity;sid:84706451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"vpsrunproc.technodesupply.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843350/; classtype:trojan-activity;sid:84706450; rev:1;)
# NOTE(review): sid 84706449 (next rule) and sid 84706447 (two rules after it) match the
# same http.uri on the same http.host, webcdnstat.netinfrahubsys.pics; nothing in the match
# conditions tells them apart, so one request raises both. If the double alert is unwanted,
# suppress one sid of the pair locally (threshold.config) rather than editing the generated
# file, which is overwritten on the next feed update — and keep the other sid enabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"webcdnstat.netinfrahubsys.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843349/; classtype:trojan-activity;sid:84706449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dnswebsrvs.technodesupply.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843348/; classtype:trojan-activity;sid:84706448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"webcdnstat.netinfrahubsys.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843347/; classtype:trojan-activity;sid:84706447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"appboxdata.globalnetviewer.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843346/; classtype:trojan-activity;sid:84706446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srvnode.netinfrahubsys.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843345/; classtype:trojan-activity;sid:84706445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"devbitscfg.globalnetviewer.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843344/; classtype:trojan-activity;sid:84706444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.21.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843343/; classtype:trojan-activity;sid:84706443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843342)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"main.coderlaptechnical.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843342/; classtype:trojan-activity;sid:84706442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"api.coderlaptechnical.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843341/; classtype:trojan-activity;sid:84706441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"logviewsys.globalnetviewer.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843340/; classtype:trojan-activity;sid:84706440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.21.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843339/; classtype:trojan-activity;sid:84706439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; 
http.host; content:"web.coderlaptechnical.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843338/; classtype:trojan-activity;sid:84706438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"netapiprot.globalnetviewer.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843337/; classtype:trojan-activity;sid:84706437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.90.59"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843336/; classtype:trojan-activity;sid:84706436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"run.coderlaptechnical.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843335/; classtype:trojan-activity;sid:84706435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"webcdnstat.globalnetviewer.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843334/; 
classtype:trojan-activity;sid:84706434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"srvnodehub.globalnetviewer.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843333/; classtype:trojan-activity;sid:84706433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.24.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843332/; classtype:trojan-activity;sid:84706432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tech.coderlaptechnical.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843331/; classtype:trojan-activity;sid:84706431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"code.coderlaptechnical.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843330/; classtype:trojan-activity;sid:84706430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843329)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"core.infrastructurerun.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843329/; classtype:trojan-activity;sid:84706429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cache.flushgot.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843328/; classtype:trojan-activity;sid:84706428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.246.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843327/; classtype:trojan-activity;sid:84706427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.20.31.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843326/; classtype:trojan-activity;sid:84706426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"out.flushgot.pics"; depth:17; isdataat:!1,relative; 
metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843325/; classtype:trojan-activity;sid:84706425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"flush.flushgot.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843324/; classtype:trojan-activity;sid:84706424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"base.infrastructurerun.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843323/; classtype:trojan-activity;sid:84706423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"setup.infrastructurerun.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843322/; classtype:trojan-activity;sid:84706422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sync.flushgot.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843321/; classtype:trojan-activity;sid:84706421; rev:1;) 
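# URLhaus download-URL signatures, one rule per line.
# Each rule alerts on an established client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose request URI (case-insensitive) and http.host value both
# equal, in full, the values of one URLhaus entry. The entry id appears in msg
# and in the reference URL.
# Exact matching is written as "startswith; endswith;" instead of the feed's
# "depth:<pattern length>; endswith;" and "depth:<pattern length>;
# isdataat:!1,relative;" forms, so it does not depend on a precomputed length
# (see sid 84706390 below, where that length was wrong).
# NOTE(review): these are `alert http` rules, so they only see requests the HTTP
# parser decodes; the same URL fetched over TLS is presumably not covered here.
# NOTE(review): the following sid pairs carry identical match conditions (same URI
# and host), so one request raises both alerts: 84706417/84706416,
# 84706401/84706399, 84706398/84706397, 84706372/84706371, 84706365/84706366.
# Allow for that in thresholds or downstream deduplication.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux.sh"; startswith; endswith; nocase; http.host; content:"176.65.139.165"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843320/; classtype:trojan-activity; sid:84706420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"110.37.90.59"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843319/; classtype:trojan-activity; sid:84706419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"net.infrastructurerun.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843318/; classtype:trojan-activity; sid:84706418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"io.flushgot.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843317/; classtype:trojan-activity; sid:84706417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"io.flushgot.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843316/; classtype:trojan-activity; sid:84706416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"123.10.24.164"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843315/; classtype:trojan-activity; sid:84706415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"get.flushgot.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843314/; classtype:trojan-activity; sid:84706414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"27.37.113.71"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843312/; classtype:trojan-activity; sid:84706412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"sys.infrastructurerun.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843313/; classtype:trojan-activity; sid:84706413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; startswith; endswith; nocase; http.host; content:"175.107.221.100"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843311/; classtype:trojan-activity; sid:84706411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"io.intelcar.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843310/; classtype:trojan-activity; sid:84706410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"infra.infrastructurerun.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843309/; classtype:trojan-activity; sid:84706409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"110.39.246.84"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843307/; classtype:trojan-activity; sid:84706407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"182.127.179.247"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843308/; classtype:trojan-activity; sid:84706408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"dns.globalnodeviewset.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843306/; classtype:trojan-activity; sid:84706406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"car.intelcar.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843305/; classtype:trojan-activity; sid:84706405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"map.globalnodeviewset.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843304/; classtype:trojan-activity; sid:84706404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"116.138.96.38"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843303/; classtype:trojan-activity; sid:84706403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"bus.intelcar.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843302/; classtype:trojan-activity; sid:84706402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"hub.globalnodeviewset.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843301/; classtype:trojan-activity; sid:84706401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"103.20.31.48"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843300/; classtype:trojan-activity; sid:84706400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"hub.globalnodeviewset.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843299/; classtype:trojan-activity; sid:84706399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"proc.intelcar.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843298/; classtype:trojan-activity; sid:84706398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"proc.intelcar.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843297/; classtype:trojan-activity; sid:84706397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"116.138.96.38"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843296/; classtype:trojan-activity; sid:84706396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"27.37.113.71"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843295/; classtype:trojan-activity; sid:84706395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"125.45.11.237"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843294/; classtype:trojan-activity; sid:84706394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"chip.intelcar.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843293/; classtype:trojan-activity; sid:84706393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"cpu.intelcar.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843292/; classtype:trojan-activity; sid:84706392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"node.globalnodeviewset.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843291/; classtype:trojan-activity; sid:84706391; rev:1;)
# sid 84706390: the feed wrote depth:27 for this URI pattern, which counts the
# four characters of the "|3f|" escape. The pattern is 24 bytes on the wire, so
# with depth:27 the rule also accepted URIs carrying up to three extra leading
# bytes. startswith pins the match to the start of the URI however the pattern
# is escaped.
# NOTE(review): this is a local deviation from the published feed. A feed refresh
# will presumably restore the original line, so track it or report it upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=envseijhpvbifgfl"; startswith; endswith; nocase; http.host; content:"6uifuv9c.radio-legitdown.digital"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843290/; classtype:trojan-activity; sid:84706390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"110.39.237.192"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843288/; classtype:trojan-activity; sid:84706388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"110.37.52.73"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843289/; classtype:trojan-activity; sid:84706389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"glob.globalnodeviewset.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843287/; classtype:trojan-activity; sid:84706387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"box.mailban.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843286/; classtype:trojan-activity; sid:84706386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"call.openapiservicehub.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843285/; classtype:trojan-activity; sid:84706385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"imap.mailban.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843284/; classtype:trojan-activity; sid:84706384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"json.openapiservicehub.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843283/; classtype:trojan-activity; sid:84706383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"pop.mailban.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843282/; classtype:trojan-activity; sid:84706382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"rest.openapiservicehub.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843281/; classtype:trojan-activity; sid:84706381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"125.45.11.237"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843280/; classtype:trojan-activity; sid:84706380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"serv.openapiservicehub.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843279/; classtype:trojan-activity; sid:84706379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"smtp.mailban.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843278/; classtype:trojan-activity; sid:84706378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"open.openapiservicehub.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843277/; classtype:trojan-activity; sid:84706377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"110.37.87.13"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843276/; classtype:trojan-activity; sid:84706376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"mail.mailban.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843275/; classtype:trojan-activity; sid:84706375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"42.229.165.138"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843273/; classtype:trojan-activity; sid:84706373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"123.158.154.151"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843274/; classtype:trojan-activity; sid:84706374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"next.looprim.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843272/; classtype:trojan-activity; sid:84706372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"next.looprim.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843271/; classtype:trojan-activity; sid:84706371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"api.openapiservicehub.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843270/; classtype:trojan-activity; sid:84706370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"221.14.190.191"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843268/; classtype:trojan-activity; sid:84706368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; startswith; endswith; nocase; http.host; content:"24.95.54.96"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843269/; classtype:trojan-activity; sid:84706369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; startswith; endswith; nocase; http.host; content:"flow.looprim.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843267/; classtype:trojan-activity; sid:84706367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"path.fastlinkprovider.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843265/; classtype:trojan-activity; sid:84706365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; startswith; endswith; nocase; http.host; content:"path.fastlinkprovider.pics"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843266/; classtype:trojan-activity; sid:84706366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; startswith; endswith; nocase; http.host; content:"42.229.165.138"; startswith; endswith; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843264/; classtype:trojan-activity; sid:84706364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"url.fastlinkprovider.pics"; depth:25; isdataat:!1,relative; 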
metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843263/; classtype:trojan-activity;sid:84706363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"back.looprim.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843262/; classtype:trojan-activity;sid:84706362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"run.fastlinkprovider.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843261/; classtype:trojan-activity;sid:84706361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"run.fastlinkprovider.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843260/; classtype:trojan-activity;sid:84706360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.87.187"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843259/; classtype:trojan-activity;sid:84706359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3843258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cycle.looprim.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843258/; classtype:trojan-activity;sid:84706358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843257/; classtype:trojan-activity;sid:84706357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"base.fastlinkprovider.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843256/; classtype:trojan-activity;sid:84706356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"loop.looprim.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843255/; classtype:trojan-activity;sid:84706355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.158.154.151"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843254/; classtype:trojan-activity;sid:84706354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.87.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843253/; classtype:trojan-activity;sid:84706353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"link.fastlinkprovider.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843252/; classtype:trojan-activity;sid:84706352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.230.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843251/; classtype:trojan-activity;sid:84706351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"rim.looprim.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843250/; classtype:trojan-activity;sid:84706350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3843249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"rim.looprim.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843249/; classtype:trojan-activity;sid:84706349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.229.217"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843248/; classtype:trojan-activity;sid:84706348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.190.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843247/; classtype:trojan-activity;sid:84706347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"tab.rowlocks.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843246/; classtype:trojan-activity;sid:84706346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; 
content:"tab.rowlocks.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843245/; classtype:trojan-activity;sid:84706345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.191.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843244/; classtype:trojan-activity;sid:84706344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"fast.fastlinkprovider.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843243/; classtype:trojan-activity;sid:84706343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.108.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843242/; classtype:trojan-activity;sid:84706342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"fast.fastlinkprovider.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843241/; classtype:trojan-activity;sid:84706341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3843240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.121.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843240/; classtype:trojan-activity;sid:84706340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843239/; classtype:trojan-activity;sid:84706339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"key.rowlocks.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843238/; classtype:trojan-activity;sid:84706338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"json.webdataprocess.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843237/; classtype:trojan-activity;sid:84706337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; 
content:"idx.rowlocks.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843236/; classtype:trojan-activity;sid:84706336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"xml.webdataprocess.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843235/; classtype:trojan-activity;sid:84706335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.79.160.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843234/; classtype:trojan-activity;sid:84706334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"base.webdataprocess.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843233/; classtype:trojan-activity;sid:84706333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dbms.rowlocks.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843232/; classtype:trojan-activity;sid:84706332; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"proc.webdataprocess.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843231/; classtype:trojan-activity;sid:84706331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"lock.rowlocks.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843230/; classtype:trojan-activity;sid:84706330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"row.rowlocks.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843229/; classtype:trojan-activity;sid:84706329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"data.webdataprocess.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843227/; classtype:trojan-activity;sid:84706327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843228)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.191.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843228/; classtype:trojan-activity;sid:84706328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.108.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843226/; classtype:trojan-activity;sid:84706326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"val.argsleg.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843225/; classtype:trojan-activity;sid:84706325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"val.argsleg.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843224/; classtype:trojan-activity;sid:84706324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.102.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843223/; classtype:trojan-activity;sid:84706323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"web.webdataprocess.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843222/; classtype:trojan-activity;sid:84706322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.118.147.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843221/; classtype:trojan-activity;sid:84706321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"test.argsleg.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843219/; classtype:trojan-activity;sid:84706319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843220/; classtype:trojan-activity;sid:84706320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843218)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"proc.systemlogicops.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843218/; classtype:trojan-activity;sid:84706318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"main.argsleg.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843217/; classtype:trojan-activity;sid:84706317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"main.systemlogicops.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843216/; classtype:trojan-activity;sid:84706316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"main.systemlogicops.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843215/; classtype:trojan-activity;sid:84706315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; 
content:"proc.argsleg.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843214/; classtype:trojan-activity;sid:84706314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logic.systemlogicops.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843213/; classtype:trojan-activity;sid:84706313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"list.argsleg.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843212/; classtype:trojan-activity;sid:84706312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"list.argsleg.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843211/; classtype:trojan-activity;sid:84706311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.96.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843210/; classtype:trojan-activity;sid:84706310; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"core.systemlogicops.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843209/; classtype:trojan-activity;sid:84706309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"arg.argsleg.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843208/; classtype:trojan-activity;sid:84706308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.118.147.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843207/; classtype:trojan-activity;sid:84706307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"log.systemlogicops.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843206/; classtype:trojan-activity;sid:84706306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843205)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"path.fielddie.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843205/; classtype:trojan-activity;sid:84706305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sys.systemlogicops.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843204/; classtype:trojan-activity;sid:84706304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"core.fielddie.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843203/; classtype:trojan-activity;sid:84706303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"link.cloudproxyserv.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843202/; classtype:trojan-activity;sid:84706302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"edge.cloudproxyserv.pics"; 
depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843201/; classtype:trojan-activity;sid:84706301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"node.fielddie.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843200/; classtype:trojan-activity;sid:84706300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.96.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843199/; classtype:trojan-activity;sid:84706299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"meta.fielddie.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843198/; classtype:trojan-activity;sid:84706298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"meta.fielddie.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843197/; classtype:trojan-activity;sid:84706297; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cloud.cloudproxyserv.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843196/; classtype:trojan-activity;sid:84706296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.89.133.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843195/; classtype:trojan-activity;sid:84706295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"run.fielddie.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843194/; classtype:trojan-activity;sid:84706294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"proxy.cloudproxyserv.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843193/; classtype:trojan-activity;sid:84706293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843192)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"fld.fielddie.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843192/; classtype:trojan-activity;sid:84706292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"xml.docsbed.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843191/; classtype:trojan-activity;sid:84706291; rev:1;)
# NOTE(review): sid 84706290 and the rule for URLhaus id 3843188 (it starts at
# the end of this run) match the same URI on host.cloudproxyserv.pics; expect
# two alerts per matching request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"host.cloudproxyserv.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843190/; classtype:trojan-activity;sid:84706290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.134.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843189/; classtype:trojan-activity;sid:84706289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"host.cloudproxyserv.pics"; depth:24; isdataat:!1,relative; metadata:created_at 
2026_05_09; reference:url, urlhaus.abuse.ch/url/3843188/; classtype:trojan-activity;sid:84706288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843187/; classtype:trojan-activity;sid:84706287; rev:1;)
# NOTE(review): sid 84706286 and sid 84706285 are identical apart from the
# URLhaus id and sid; presumably the two feed entries differ in something the
# rule does not express (scheme or port) — confirm at the reference URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"set.docsbed.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843186/; classtype:trojan-activity;sid:84706286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"set.docsbed.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843185/; classtype:trojan-activity;sid:84706285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cdn.cloudproxyserv.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843184/; classtype:trojan-activity;sid:84706284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3843183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.186.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843183/; classtype:trojan-activity;sid:84706283; rev:1;)
# The "/i" rules match a two-byte URI, so all of their specificity comes from
# the exact http.host match on a bare IP address.
# Several of these IPs also have a "/bin.sh" rule in this section (for example
# 61.52.186.142 in sid 84706271 and 110.39.252.138 in sid 84706262); treat the
# pair as one host-level indicator when correlating alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843181/; classtype:trojan-activity;sid:84706281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.103.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843182/; classtype:trojan-activity;sid:84706282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"layer.networkstackmgr.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843180/; classtype:trojan-activity;sid:84706280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sys.docsbed.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; 
reference:url, urlhaus.abuse.ch/url/3843179/; classtype:trojan-activity;sid:84706279; rev:1;)
# Every rule here carries the same msg text and classtype:trojan-activity; the
# only per-rule context is the URLhaus id in msg and in the reference option.
# Malware family and tags are not in the rule — look them up at the reference
# URL when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"vps.docsbed.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843178/; classtype:trojan-activity;sid:84706278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.113.186.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843177/; classtype:trojan-activity;sid:84706277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ipv.networkstackmgr.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843176/; classtype:trojan-activity;sid:84706276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"base.docsbed.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843175/; classtype:trojan-activity;sid:84706275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3843174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"stack.networkstackmgr.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843174/; classtype:trojan-activity;sid:84706274; rev:1;)
# The "/bin.sh" rules below are on IPs that also have a "/i" rule in this
# section: 196.190.105.170 (sid 84706287) and 61.52.186.142 (sid 84706283).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843173/; classtype:trojan-activity;sid:84706273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"doc.docsbed.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843172/; classtype:trojan-activity;sid:84706272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.186.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843171/; classtype:trojan-activity;sid:84706271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.158.158.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; 
reference:url, urlhaus.abuse.ch/url/3843170/; classtype:trojan-activity;sid:84706270; rev:1;)
# These rules inspect request buffers only (http.method, http.uri, http.host)
# with flow:established,from_client. An alert therefore records that a client
# asked for the URL, not that the server returned a payload.
# NOTE(review): confirm delivery from the response status or extracted file
# before treating the host as infected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tcp.networkstackmgr.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843169/; classtype:trojan-activity;sid:84706269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"data.textits.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843168/; classtype:trojan-activity;sid:84706268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"net.networkstackmgr.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843167/; classtype:trojan-activity;sid:84706267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.134.129"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843166/; classtype:trojan-activity;sid:84706266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3843165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"hub.textits.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843165/; classtype:trojan-activity;sid:84706264; rev:1;)
# All rules in this run carry metadata:created_at 2026_05_09 and rev:1.
# NOTE(review): nothing in the rule records whether the URL is still live;
# check the current status at the reference URL before using an IP-based entry
# as a blocking decision, since addresses can be reassigned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"git.serverdatahub.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843164/; classtype:trojan-activity;sid:84706264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.113.186.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843163/; classtype:trojan-activity;sid:84706263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.252.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843162/; classtype:trojan-activity;sid:84706262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dev.serverdatahub.pics"; depth:22; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843161/; classtype:trojan-activity;sid:84706261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"info.textits.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843160/; classtype:trojan-activity;sid:84706260; rev:1;)
# NOTE(review): sid 84706259 (next rule) and sid 84706257 (last complete rule
# of this run) both match the same URI on cdn.textits.pics; one request
# satisfies both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cdn.textits.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843159/; classtype:trojan-activity;sid:84706259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.224.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843158/; classtype:trojan-activity;sid:84706258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cdn.textits.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843157/; classtype:trojan-activity;sid:84706257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3843156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logs.serverdatahub.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843156/; classtype:trojan-activity;sid:84706256; rev:1;)
# NOTE(review): two duplicate pairs touch this run. sid 84706256 (above) and
# sid 84706255 match the same URI on logs.serverdatahub.pics; sid 84706252 and
# sid 84706253 (URLhaus id 3843153, which starts at the end of this run) match
# the same URI on api.serverdatahub.pics.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logs.serverdatahub.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843155/; classtype:trojan-activity;sid:84706255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"web.textits.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843154/; classtype:trojan-activity;sid:84706254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"api.serverdatahub.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843152/; classtype:trojan-activity;sid:84706252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843153)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"api.serverdatahub.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843153/; classtype:trojan-activity;sid:84706253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"txt.textits.pics"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843151/; classtype:trojan-activity;sid:84706251; rev:1;)
# NOTE(review): sid 84706250 and sid 84706249 have identical match conditions
# (same URI on bin.serverdatahub.pics); deduplicate on host + URI in triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bin.serverdatahub.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843150/; classtype:trojan-activity;sid:84706250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bin.serverdatahub.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843149/; classtype:trojan-activity;sid:84706249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.158.158.106"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_09; reference:url, urlhaus.abuse.ch/url/3843148/; classtype:trojan-activity;sid:84706248; rev:1;)
# The http.uri content carries nocase; the http.host content does not.
# Suricata's http.host buffer is already normalized to lowercase, so the
# lowercase host literals below match whatever case the client sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srv.serverdatahub.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843147/; classtype:trojan-activity;sid:84706247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"git.coderlap.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843146/; classtype:trojan-activity;sid:84706246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.194.42.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843145/; classtype:trojan-activity;sid:84706245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.30.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843144/; classtype:trojan-activity;sid:84706244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843143)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dev.coderlap.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843143/; classtype:trojan-activity;sid:84706243; rev:1;)
# 42.229.90.122 appears here with "/i" (sid 84706241) and elsewhere in this
# section with "/bin.sh" (sid 84706235); 27.194.42.82 likewise has "/i"
# (sid 84706245) and the "/bin.sh" rule that starts at the end of this run
# (URLhaus id 3843139). Correlate alerts per destination IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"logs.coderlap.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843142/; classtype:trojan-activity;sid:84706242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.90.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843141/; classtype:trojan-activity;sid:84706241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"api.coderlap.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843140/; classtype:trojan-activity;sid:84706240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.194.42.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843139/; classtype:trojan-activity;sid:84706239; rev:1;)
# Scope reminder: each rule requires GET in http.method and an exact URI and
# host, so the absence of an alert is not evidence that a host never contacted
# these servers. NOTE(review): pivot on the destination host in proxy, DNS or
# flow logs when investigating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.48.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843138/; classtype:trojan-activity;sid:84706238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"bin.coderlap.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843137/; classtype:trojan-activity;sid:84706237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"srv.coderlap.pics"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843136/; classtype:trojan-activity;sid:84706236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.90.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843135/; classtype:trojan-activity;sid:84706235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843134)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843134/; classtype:trojan-activity;sid:84706234; rev:1;)
# NOTE(review): sid 84706233 and sid 84706232 have identical match conditions
# (same URI on ion-rich.adi8hesplayer.pics); a matching request satisfies both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ion-rich.adi8hesplayer.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843133/; classtype:trojan-activity;sid:84706233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ion-rich.adi8hesplayer.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843132/; classtype:trojan-activity;sid:84706232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.239.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843131/; classtype:trojan-activity;sid:84706231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"major-pur.adi8hesplayer.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843130/; classtype:trojan-activity;sid:84706230; rev:1;)
# adi8hesplayer.pics appears in this section under several unrelated-looking
# labels (ion-rich, major-pur, nimbleshoal, quorlithix3, quooasis), all with
# the same check.rock path. NOTE(review): each rule pins one label; a DNS-log
# watch on the parent domain would complement the per-host rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.89.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843129/; classtype:trojan-activity;sid:84706229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"nimbleshoal.adi8hesplayer.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843128/; classtype:trojan-activity;sid:84706228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.228.109.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843127/; classtype:trojan-activity;sid:84706227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"quorlithix3.adi8hesplayer.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843126/; classtype:trojan-activity;sid:84706226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843125)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"target1-loop.frostmirelens.life"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843125/; classtype:trojan-activity;sid:84706225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.69.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843124/; classtype:trojan-activity;sid:84706224; rev:1;)
# The remaining rules in this run all pin host 81.29.156.139 with one file
# name each (/bot.exe, /arm5, /arm); further rules for the same host follow.
# The URLhaus ids are not in descending order here (3843122 is followed by
# 3843115), so do not rely on file order to find a rule by id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843123/; classtype:trojan-activity;sid:84706223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843122/; classtype:trojan-activity;sid:84706222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843115/; classtype:trojan-activity;sid:84706215; rev:1;)
# Host 81.29.156.139: one rule per file name, and the names read as CPU
# architectures (/amd64, /arm64, /x86, /i386, /mipsle). NOTE(review): this
# looks like a per-architecture payload set served from one host — confirm at
# the reference URLs. The URIs are short and generic; the rules are specific
# only because the host match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843116/; classtype:trojan-activity;sid:84706216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm64"; depth:6; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843117/; classtype:trojan-activity;sid:84706217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843118/; classtype:trojan-activity;sid:84706218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i386"; depth:5; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843119/; classtype:trojan-activity;sid:84706219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843120/; classtype:trojan-activity;sid:84706220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm64"; depth:14; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843121/; classtype:trojan-activity;sid:84706221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miner.sh"; depth:9; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843114/; classtype:trojan-activity;sid:84706214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"quooasis.adi8hesplayer.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843113/; classtype:trojan-activity;sid:84706213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843110/; classtype:trojan-activity;sid:84706210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; 
depth:5; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843111/; classtype:trojan-activity;sid:84706211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843112/; classtype:trojan-activity;sid:84706212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843108/; classtype:trojan-activity;sid:84706208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/android_arm"; depth:12; endswith; nocase; http.host; content:"81.29.156.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843109/; classtype:trojan-activity;sid:84706209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"arkcoreos4.frostmirelens.life"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843107/; classtype:trojan-activity;sid:84706207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3843105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.80.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843105/; classtype:trojan-activity;sid:84706205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.45.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843106/; classtype:trojan-activity;sid:84706206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.73.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843104/; classtype:trojan-activity;sid:84706204; rev:1;)
# NOTE(review): the next two rules (sid 84706201 and sid 84706202) carry the same
# http.method, http.uri and http.host conditions, so one matching request raises both
# alerts. Presumably URLhaus entries 3843101 and 3843102 differ in something this rule
# template does not encode; confirm via the two reference URLs.
# Deduplicate on host + URI in the alert pipeline rather than counting two events.
# The same pairing recurs in this file, e.g. sids 84706198/84706199, 84706188/84706189,
# 84706166/84706167 and 84706137/84706138.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"klhadsd.adi8hesplayer.pics"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843101/; classtype:trojan-activity;sid:84706201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"klhadsd.adi8hesplayer.pics"; depth:26; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843102/; classtype:trojan-activity;sid:84706202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.80.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843103/; classtype:trojan-activity;sid:84706203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"utf28.frostmirelens.life"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843100/; classtype:trojan-activity;sid:84706200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"92vm44.qu2ntitative-tenero.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843098/; classtype:trojan-activity;sid:84706198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"92vm44.qu2ntitative-tenero.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843099/; classtype:trojan-activity;sid:84706199; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vrml.frostmirelens.life"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843097/; classtype:trojan-activity;sid:84706197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.228.109.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843096/; classtype:trojan-activity;sid:84706196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"5dc3.frostmirelens.life"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843095/; classtype:trojan-activity;sid:84706195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.227.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843094/; classtype:trojan-activity;sid:84706194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; 
endswith; nocase; http.host; content:"llm325.qu2ntitative-tenero.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843093/; classtype:trojan-activity;sid:84706193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"harvestultr.qu2ntitative-tenero.pics"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843092/; classtype:trojan-activity;sid:84706192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.60.190.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843091/; classtype:trojan-activity;sid:84706191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"twdhpaua.frostmirelens.life"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843090/; classtype:trojan-activity;sid:84706190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"wildmemory.frostmirelens.life"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843089/; classtype:trojan-activity;sid:84706189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"wildmemory.frostmirelens.life"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843088/; classtype:trojan-activity;sid:84706188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.3.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843087/; classtype:trojan-activity;sid:84706187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"d35ign4-vault.qu2ntitative-tenero.pics"; depth:38; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843086/; classtype:trojan-activity;sid:84706186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.116.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843085/; classtype:trojan-activity;sid:84706185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843084)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.44.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843084/; classtype:trojan-activity;sid:84706184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.89.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843083/; classtype:trojan-activity;sid:84706183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.116.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843082/; classtype:trojan-activity;sid:84706182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"compi-canva.zen-5lora.life"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843081/; classtype:trojan-activity;sid:84706181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"pipelin6-crest.qu2ntitative-tenero.pics"; depth:39; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843080/; classtype:trojan-activity;sid:84706180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.74.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843079/; classtype:trojan-activity;sid:84706179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"xmbf.zen-5lora.life"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843078/; classtype:trojan-activity;sid:84706178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"canvas-port.qu2ntitative-tenero.pics"; depth:36; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843077/; classtype:trojan-activity;sid:84706177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.159.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843076/; classtype:trojan-activity;sid:84706176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843075)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.227.226"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843075/; classtype:trojan-activity;sid:84706175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.48.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843074/; classtype:trojan-activity;sid:84706174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.111.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843073/; classtype:trojan-activity;sid:84706173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"reagentshield.zen-5lora.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843072/; classtype:trojan-activity;sid:84706172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dynamicregi.great-insue.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3843071/; classtype:trojan-activity;sid:84706171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"manifestvita.great-insue.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843070/; classtype:trojan-activity;sid:84706170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.48.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843069/; classtype:trojan-activity;sid:84706169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"manifestvita.great-insue.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843068/; classtype:trojan-activity;sid:84706168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"3xtend7-node.zen-5lora.life"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843067/; classtype:trojan-activity;sid:84706167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3843066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"3xtend7-node.zen-5lora.life"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843066/; classtype:trojan-activity;sid:84706166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.3.19"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843065/; classtype:trojan-activity;sid:84706165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.119.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843064/; classtype:trojan-activity;sid:84706164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.44.159"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843063/; classtype:trojan-activity;sid:84706163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"loaddesign.zen-5lora.life"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_05_09; reference:url, urlhaus.abuse.ch/url/3843062/; classtype:trojan-activity;sid:84706162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"6sluw.great-insue.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843061/; classtype:trojan-activity;sid:84706161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ubiywot.zen-5lora.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843060/; classtype:trojan-activity;sid:84706160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"tzqmbji.great-insue.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843059/; classtype:trojan-activity;sid:84706159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.74.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843058/; classtype:trojan-activity;sid:84706158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3843057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"emberpetal.zen-5lora.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843057/; classtype:trojan-activity;sid:84706157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ulks.great-insue.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843056/; classtype:trojan-activity;sid:84706156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.64.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843055/; classtype:trojan-activity;sid:84706155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.159.13"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843054/; classtype:trojan-activity;sid:84706154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.102.66"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_09; reference:url, urlhaus.abuse.ch/url/3843053/; classtype:trojan-activity;sid:84706153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"quor-meshos.qorivault.life"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843052/; classtype:trojan-activity;sid:84706152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"truepartner.great-insue.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843051/; classtype:trojan-activity;sid:84706151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.119.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843050/; classtype:trojan-activity;sid:84706150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.187.82.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843049/; classtype:trojan-activity;sid:84706149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843048)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cppzbrx.qorivault.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843048/; classtype:trojan-activity;sid:84706148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"azwxo.narrownessoutri8ht.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843047/; classtype:trojan-activity;sid:84706147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.34.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843046/; classtype:trojan-activity;sid:84706146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"proto-qu4rr.narrownessoutri8ht.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843045/; classtype:trojan-activity;sid:84706145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; 
content:"zfjlna0p.qorivault.life"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843044/; classtype:trojan-activity;sid:84706144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"deepion.narrownessoutri8ht.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843043/; classtype:trojan-activity;sid:84706143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"jcko.qorivault.life"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843042/; classtype:trojan-activity;sid:84706142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.45.52"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843041/; classtype:trojan-activity;sid:84706141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.88.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843040/; classtype:trojan-activity;sid:84706140; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"covcalm.narrownessoutri8ht.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843039/; classtype:trojan-activity;sid:84706139; rev:1;)
# Rule template used throughout: one signature per URLhaus entry, client-to-server GET only.
#  - http.uri: depth equals the content length and endswith is set, so the normalized URI
#    must equal the string exactly; nocase makes that comparison case-insensitive.
#  - http.host: depth equals the content length and isdataat:!1,relative forbids trailing
#    bytes, so the host must equal the value exactly.
# Consequence for coverage: the same path with a query string appended, or a sibling host
# name under the same parent domain, is not matched by these signatures.
#
# NOTE(review): sid 84706138 and sid 84706137 below carry identical match conditions (same
# URI, same host); only the URLhaus id, reference and sid differ. One matching request
# raises both alerts. Presumably the two URLhaus entries differ in something the rule does
# not encode (e.g. scheme or port) - confirm on the referenced pages, and deduplicate or
# threshold in the alert pipeline.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tran5m0-phase.qorivault.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843038/; classtype:trojan-activity;sid:84706138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tran5m0-phase.qorivault.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843037/; classtype:trojan-activity;sid:84706137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.34.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843036/; classtype:trojan-activity;sid:84706136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"105.225.64.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843035/; classtype:trojan-activity;sid:84706135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"kelnexet4.qorivault.life"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843034/; classtype:trojan-activity;sid:84706134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"v0cal-hold.narrownessoutri8ht.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843033/; classtype:trojan-activity;sid:84706133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"crawlerhidden.qorivault.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843032/; classtype:trojan-activity;sid:84706132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cell1-line.narrownessoutri8ht.pics"; depth:34; isdataat:!1,relative; 
metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843031/; classtype:trojan-activity;sid:84706131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cell1-line.narrownessoutri8ht.pics"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843030/; classtype:trojan-activity;sid:84706130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"trimarkex6.mirelax9.life"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843029/; classtype:trojan-activity;sid:84706129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"trimarkex6.mirelax9.life"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843028/; classtype:trojan-activity;sid:84706128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"352xm1.biograph-discoball.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843026/; 
classtype:trojan-activity;sid:84706126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"352xm1.biograph-discoball.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843027/; classtype:trojan-activity;sid:84706127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.31.189.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843025/; classtype:trojan-activity;sid:84706125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"rur4-vector.mirelax9.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843024/; classtype:trojan-activity;sid:84706124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"organideman.biograph-discoball.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843023/; classtype:trojan-activity;sid:84706123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843022)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"z07gqmv.mirelax9.life"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843022/; classtype:trojan-activity;sid:84706122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"u8813.biograph-discoball.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843021/; classtype:trojan-activity;sid:84706121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.101.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843020/; classtype:trojan-activity;sid:84706120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.187.82.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843019/; classtype:trojan-activity;sid:84706119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"stri7-leaf.biograph-discoball.pics"; depth:34; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843018/; classtype:trojan-activity;sid:84706118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"falconnorth.mirelax9.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843017/; classtype:trojan-activity;sid:84706117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"alt-cu1ture.biograph-discoball.pics"; depth:35; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843016/; classtype:trojan-activity;sid:84706116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.24.130"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843015/; classtype:trojan-activity;sid:84706115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"velvetstream.mirelax9.life"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843014/; classtype:trojan-activity;sid:84706114; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.194.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843013/; classtype:trojan-activity;sid:84706113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.101.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843012/; classtype:trojan-activity;sid:84706112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"syncdusk.mirelax9.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843011/; classtype:trojan-activity;sid:84706111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.240.253.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843010/; classtype:trojan-activity;sid:84706110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; 
content:"syncdusk.mirelax9.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843009/; classtype:trojan-activity;sid:84706109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.69.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843008/; classtype:trojan-activity;sid:84706108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.31.189.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843007/; classtype:trojan-activity;sid:84706107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"spesurv.biograph-discoball.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843006/; classtype:trojan-activity;sid:84706106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tallithix9.mirelax9.life"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843005/; classtype:trojan-activity;sid:84706105; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"80ro65f.div0rceskis5ing.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843004/; classtype:trojan-activity;sid:84706104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"u1tr6-drive.3lunavex.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843003/; classtype:trojan-activity;sid:84706103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.240.253.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843002/; classtype:trojan-activity;sid:84706102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"drivescrip.div0rceskis5ing.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843001/; classtype:trojan-activity;sid:84706101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3843000)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.194.122"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3843000/; classtype:trojan-activity;sid:84706100; rev:1;)
# The "/i" rules below have a two-byte URI pattern. depth:2 + endswith pin it to the whole
# URI, so all of the signature's specificity comes from the exact http.host match; relaxing
# the host condition locally would make these rules fire on any request for "/i".
#
# NOTE(review): for IP-literal hosts the match is on the text of the request's host value,
# not on the destination address - the rule header is "$HOME_NET any -> $EXTERNAL_NET any".
# A connection to the same address that presents a different Host value is not matched, so
# pair these rules with flow records or an IP-reputation list for the address itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.217.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842999/; classtype:trojan-activity;sid:84706099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.209.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842998/; classtype:trojan-activity;sid:84706098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"mjgbgt.3lunavex.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842997/; classtype:trojan-activity;sid:84706097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.109.227.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842995/; classtype:trojan-activity;sid:84706095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3842996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.69.122"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842996/; classtype:trojan-activity;sid:84706096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"kbyoix.div0rceskis5ing.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842994/; classtype:trojan-activity;sid:84706094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"clusterend.3lunavex.life"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842993/; classtype:trojan-activity;sid:84706093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.209.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842992/; classtype:trojan-activity;sid:84706092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; 
http.host; content:"bindspru.div0rceskis5ing.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842991/; classtype:trojan-activity;sid:84706091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"quorven5a.3lunavex.life"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842990/; classtype:trojan-activity;sid:84706090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"arkcrestex1.div0rceskis5ing.pics"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842989/; classtype:trojan-activity;sid:84706089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.217.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842988/; classtype:trojan-activity;sid:84706088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"arkcrestex1.div0rceskis5ing.pics"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842987/; 
classtype:trojan-activity;sid:84706087; rev:1;)
# NOTE(review): sid 84706086 and sid 84706085 below are the same signature twice (identical
# URI and host); they differ only in URLhaus id, reference and sid, so one request produces
# two alerts. Presumably the underlying URLhaus entries differ in a field the rule does not
# encode - confirm on the referenced pages before suppressing either one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"jjn76gwl.3lunavex.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842986/; classtype:trojan-activity;sid:84706086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"jjn76gwl.3lunavex.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842985/; classtype:trojan-activity;sid:84706085; rev:1;)
# These signatures key on the request URL only; nothing in them inspects the response body.
# msg and classtype are the same for every rule, so what was actually served (the file name
# below looks like a source tarball rather than an executable - unverified) has to be taken
# from the referenced URLhaus entry during triage, not from the alert text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docx/show/pnscan-1.14.1.tar.gz"; depth:31; endswith; nocase; http.host; content:"tutorial.clashverge.space"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842984/; classtype:trojan-activity;sid:84706084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842983/; classtype:trojan-activity;sid:84706083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842980)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/docx/show/cr.sh"; depth:16; endswith; nocase; http.host; content:"tutorial.clashverge.space"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842980/; classtype:trojan-activity;sid:84706080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842981/; classtype:trojan-activity;sid:84706081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842982/; classtype:trojan-activity;sid:84706082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docx/show/1.0.5.tar.gz"; depth:23; endswith; nocase; http.host; content:"tutorial.clashverge.space"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842979/; classtype:trojan-activity;sid:84706079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docx/show/javae"; depth:16; endswith; nocase; http.host; content:"tutorial.clashverge.space"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842978/; 
classtype:trojan-activity;sid:84706078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842976/; classtype:trojan-activity;sid:84706076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docx/show/cb.txt"; depth:17; endswith; nocase; http.host; content:"tutorial.clashverge.space"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842977/; classtype:trojan-activity;sid:84706077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i686"; depth:9; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842975/; classtype:trojan-activity;sid:84706075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mips"; depth:9; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842974/; classtype:trojan-activity;sid:84706074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.aarch64"; depth:12; endswith; nocase; http.host; 
content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842965/; classtype:trojan-activity;sid:84706065; rev:1;)
# The rules below all name the same host (82.26.104.36) and differ only in the file name
# after "/bot." - the suffixes read as CPU architecture names (armv5l, riscv64, armv7l,
# s390x). Each URI is an exact match (depth = content length, plus endswith), so a build
# published under a suffix that has no rule of its own is not covered by this set.
#
# NOTE(review): for triage, group alerts from these sids by source address and host value.
# One client hitting several of them in a short window is presumably a single download
# attempt trying one build after another rather than separate incidents - confirm against
# the full HTTP log for that client.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842966/; classtype:trojan-activity;sid:84706066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.riscv64"; depth:12; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842967/; classtype:trojan-activity;sid:84706067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842968/; classtype:trojan-activity;sid:84706068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.s390x"; depth:10; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842969/; classtype:trojan-activity;sid:84706069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842970)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bot.i586"; depth:9; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842970/; classtype:trojan-activity;sid:84706070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842971/; classtype:trojan-activity;sid:84706071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842972/; classtype:trojan-activity;sid:84706072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.mipsel"; depth:11; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842973/; classtype:trojan-activity;sid:84706073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"dynnex9os.div0rceskis5ing.pics"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842964/; 
classtype:trojan-activity;sid:84706064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"82.26.104.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842963/; classtype:trojan-activity;sid:84706063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"192.109.200.228"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842962/; classtype:trojan-activity;sid:84706062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docx/show/kworker"; depth:18; endswith; nocase; http.host; content:"tutorial.clashverge.space"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842961/; classtype:trojan-activity;sid:84706061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.154.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842960/; classtype:trojan-activity;sid:84706060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; 
http.host; content:"ve5j.cloak-custody.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842959/; classtype:trojan-activity;sid:84706059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ve5j.cloak-custody.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842958/; classtype:trojan-activity;sid:84706058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"qxaeex.3lunavex.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842957/; classtype:trojan-activity;sid:84706057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"190.109.227.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842956/; classtype:trojan-activity;sid:84706056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.109.211.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842955/; classtype:trojan-activity;sid:84706055; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"stilabel.cloak-custody.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842954/; classtype:trojan-activity;sid:84706054; rev:1;)
# The rules below alert on an outbound GET whose http.uri and http.host both equal
# the listed values: depth matches each pattern's length, and endswith /
# isdataat:!1,relative rule out trailing bytes.
# Two URI paths recur here across many hostnames (".../check.rock" and
# ".../google.ocx"). Because http.host is matched in full, each rule covers one
# subdomain only; a new subdomain under the same parent domain stays unmatched
# until the feed lists it.
# NOTE(review): when triaging a hit, searching proxy or HTTP logs for the URI path
# alone would show requests to hostnames this file does not list.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"lum-forgeon.3lunavex.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842953/; classtype:trojan-activity;sid:84706053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"microb3-layer.cloak-custody.pics"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842952/; classtype:trojan-activity;sid:84706052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"oasis1-span.pixel-harbor.life"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842951/; classtype:trojan-activity;sid:84706051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"p1ne-track.pixel-harbor.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842950/; classtype:trojan-activity;sid:84706050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"cl1n0-mark.cloak-custody.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842949/; classtype:trojan-activity;sid:84706049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"brook-mesh.pixel-harbor.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842948/; classtype:trojan-activity;sid:84706048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"hill-forge.cloak-custody.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842947/; classtype:trojan-activity;sid:84706047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"iyneagxn.cloak-custody.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842946/; classtype:trojan-activity;sid:84706046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"zenline1al.pixel-harbor.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842945/; classtype:trojan-activity;sid:84706045; rev:1;)
# NOTE(review): sids 84706044 and 84706042 test the same URI and the same host, so a
# single request produces both alerts. Presumably the source entries differ in
# something the rule does not inspect (scheme or port); verify against the
# reference URLs before deduplicating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"layoutoptics.currencysn0ut.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842944/; classtype:trojan-activity;sid:84706044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"layoutoptics.currencysn0ut.pics"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842942/; classtype:trojan-activity;sid:84706042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"zenlineon3.pixel-harbor.life"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842943/; classtype:trojan-activity;sid:84706043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ultra-r3c0r.pixel-harbor.life"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842941/; classtype:trojan-activity;sid:84706041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"zenline2ar.currencysn0ut.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842940/; classtype:trojan-activity;sid:84706040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.244.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842939/; classtype:trojan-activity;sid:84706039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"suddenhar.currencysn0ut.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842938/; 
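classtype:trojan-activity;sid:84706038; rev:1;)
# Outbound-download signatures: each rule requires a client GET on an established
# flow from $HOME_NET to $EXTERNAL_NET, with http.uri and http.host both equal to
# the listed value (depth = pattern length, plus endswith / isdataat:!1,relative).
# NOTE(review): sids 84706037/84706036 and 84706035/84706034 are pairs with identical
# match conditions, so one request raises two alerts per pair. Presumably the source
# entries differ in scheme or port, which the rules do not test; confirm via the
# reference URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cqrsjc6.pixel-harbor.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842937/; classtype:trojan-activity;sid:84706037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cqrsjc6.pixel-harbor.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842936/; classtype:trojan-activity;sid:84706036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"laye-zone.nova7frame.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842935/; classtype:trojan-activity;sid:84706035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"laye-zone.nova7frame.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842934/; classtype:trojan-activity;sid:84706034; rev:1;)
# sid 84706033: depth corrected from 27 to 24. The hex escape |3f| is a single byte
# ("?"), so the pattern is 24 bytes long; 27 counted the four characters of the
# escape. With depth:27 plus endswith the rule also matched URIs carrying up to
# three extra leading bytes, unlike the exact-match rules around it.
# rev is left as published; the same correction belongs in the feed generator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=xecmeutvfkrxtuyl"; depth:24; endswith; nocase; http.host; content:"r26pytag.ama1gamb1ast.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842933/; classtype:trojan-activity;sid:84706033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"vel-tideal.currencysn0ut.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842932/; classtype:trojan-activity;sid:84706032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.28.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842931/; classtype:trojan-activity;sid:84706031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.146.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842930/; classtype:trojan-activity;sid:84706030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.138.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; 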
reference:url, urlhaus.abuse.ch/url/3842929/; classtype:trojan-activity;sid:84706029; rev:1;)
# Exact-URL indicators: every rule in this run needs a client GET on an established
# $HOME_NET -> $EXTERNAL_NET flow, an http.uri equal to the listed path (depth =
# length, endswith, nocase) and an http.host equal to the listed name or address
# (depth = length, isdataat:!1,relative).
# Several hosts here are IP literals paired with short paths ("/i", "/bin.sh"); the
# path alone is far too generic to alert on, so the host pin is what keeps these
# rules specific.
# NOTE(review): an alert shows only that the request was sent; whether a payload came
# back is not tested, so confirm from the response or from endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sol-venor.currencysn0ut.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842928/; classtype:trojan-activity;sid:84706028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"buffervoice.nova7frame.life"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842927/; classtype:trojan-activity;sid:84706027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842926/; classtype:trojan-activity;sid:84706026; rev:1;)
# NOTE(review): sids 84706025 and 84706024 are identical apart from msg, reference
# and sid; one request raises both. Presumably the URLhaus entries differ in scheme
# or port, which is not tested here; confirm via the reference URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"taltideis8.currencysn0ut.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842925/; classtype:trojan-activity;sid:84706025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"taltideis8.currencysn0ut.pics"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842924/; classtype:trojan-activity;sid:84706024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"optic-ivor.nova7frame.life"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842923/; classtype:trojan-activity;sid:84706023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.223.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842922/; classtype:trojan-activity;sid:84706022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.28.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842921/; classtype:trojan-activity;sid:84706021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sub-wo1f.messy-zamai.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842918/; classtype:trojan-activity;sid:84706018; rev:1;)
# NOTE(review): sids 84706019 and 84706020 likewise share one URI and one host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"fundverify.nova7frame.life"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842919/; classtype:trojan-activity;sid:84706019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"fundverify.nova7frame.life"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842920/; classtype:trojan-activity;sid:84706020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.73.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842917/; classtype:trojan-activity;sid:84706017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.138.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842916/; classtype:trojan-activity;sid:84706016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.146.43"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842915/; classtype:trojan-activity;sid:84706015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"pal3t8-loop.messy-zamai.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842914/; classtype:trojan-activity;sid:84706014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.86.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842913/; classtype:trojan-activity;sid:84706013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"voicemacro.nova7frame.life"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842912/; classtype:trojan-activity;sid:84706012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.86.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842911/; classtype:trojan-activity;sid:84706011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"voyagefroz.messy-zamai.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842910/; classtype:trojan-activity;sid:84706010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.82.84"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842909/; classtype:trojan-activity;sid:84706009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"03f7.nova7frame.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842908/; classtype:trojan-activity;sid:84706008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"fcbxn.nova7frame.life"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842907/; classtype:trojan-activity;sid:84706007; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"gene-track.messy-zamai.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842906/; classtype:trojan-activity;sid:84706006; rev:1;)
# Each rule that follows fires on one URL only: GET from $HOME_NET to $EXTERNAL_NET
# (any port on both sides), http.uri equal to the listed path and http.host equal to
# the listed host. depth is set to the pattern length in both buffers, and endswith /
# isdataat:!1,relative reject anything after the pattern.
# Several addresses appear twice here, once with "/i" and once with "/bin.sh"
# (for example 124.94.203.77, 222.134.163.51, 162.255.251.91, 110.37.55.23), so an
# internal client that trips one of the pair is worth checking for the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.203.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842905/; classtype:trojan-activity;sid:84706005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.163.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842904/; classtype:trojan-activity;sid:84706004; rev:1;)
# NOTE(review): sid 84706003 and sid 84706001 (two rules further down) carry the same
# URI and host, as do sids 84705996 and 84705995; each pair alerts twice on one
# request. Presumably the source URLs differ in scheme or port, which is not
# inspected here; confirm via the reference URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"74l3it.messy-zamai.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842903/; classtype:trojan-activity;sid:84706003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.81.106.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842902/; classtype:trojan-activity;sid:84706002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"74l3it.messy-zamai.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842901/; classtype:trojan-activity;sid:84706001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.209.178.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842900/; classtype:trojan-activity;sid:84706000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.215.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842899/; classtype:trojan-activity;sid:84705999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"3e30omav.velorix.life"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842898/; classtype:trojan-activity;sid:84705998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842897/; classtype:trojan-activity;sid:84705997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"98yn.messy-zamai.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842896/; classtype:trojan-activity;sid:84705996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"98yn.messy-zamai.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842895/; classtype:trojan-activity;sid:84705995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.186.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842894/; classtype:trojan-activity;sid:84705994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"meta-1nspect.velorix.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842893/; classtype:trojan-activity;sid:84705993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.163.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842892/; classtype:trojan-activity;sid:84705992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.55.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842891/; classtype:trojan-activity;sid:84705991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"67b0njwj.velorix.life"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842890/; classtype:trojan-activity;sid:84705990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"steri-data.nanovo5kull.pics"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842889/; classtype:trojan-activity;sid:84705989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.55.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842888/; classtype:trojan-activity;sid:84705988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.203.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842887/; classtype:trojan-activity;sid:84705987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"162.255.251.91"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842886/; classtype:trojan-activity;sid:84705986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"wildmerg.nanovo5kull.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842885/; classtype:trojan-activity;sid:84705985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"iscx3.velorix.life"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; 
reference:url, urlhaus.abuse.ch/url/3842884/; classtype:trojan-activity;sid:84705984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.186.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842883/; classtype:trojan-activity;sid:84705983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"fox-glow.nanovo5kull.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842882/; classtype:trojan-activity;sid:84705982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"geo-gu1d3.velorix.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842881/; classtype:trojan-activity;sid:84705981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"fllegi2j.nanovo5kull.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842880/; classtype:trojan-activity;sid:84705980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3842879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"mramn.velorix.life"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842879/; classtype:trojan-activity;sid:84705979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.98.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842878/; classtype:trojan-activity;sid:84705978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.215.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842877/; classtype:trojan-activity;sid:84705977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.155.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842876/; classtype:trojan-activity;sid:84705976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.85.73"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842875/; 
classtype:trojan-activity;sid:84705975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.119.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842874/; classtype:trojan-activity;sid:84705974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"9rtfhxav.nanovo5kull.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842873/; classtype:trojan-activity;sid:84705973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"mercore7is.velorix.life"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842872/; classtype:trojan-activity;sid:84705972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"memory-tone.nanovo5kull.pics"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842871/; classtype:trojan-activity;sid:84705971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842870)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.115.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842870/; classtype:trojan-activity;sid:84705970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.119.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842869/; classtype:trojan-activity;sid:84705969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dsff.softwincli.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842868/; classtype:trojan-activity;sid:84705968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.115.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842867/; classtype:trojan-activity;sid:84705967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.50.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842866/; 
classtype:trojan-activity;sid:84705966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.146.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842865/; classtype:trojan-activity;sid:84705965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sshpro.skynodecfg.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842864/; classtype:trojan-activity;sid:84705964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"tcp.skynodecfg.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842863/; classtype:trojan-activity;sid:84705963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.112.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842862/; classtype:trojan-activity;sid:84705962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"42.225.71.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842860/; classtype:trojan-activity;sid:84705960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.155.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842861/; classtype:trojan-activity;sid:84705961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"git.softwincli.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842859/; classtype:trojan-activity;sid:84705959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.142.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842858/; classtype:trojan-activity;sid:84705958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"netman.skynodecfg.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842857/; classtype:trojan-activity;sid:84705957; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.168.103.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842856/; classtype:trojan-activity;sid:84705956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.244.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842855/; classtype:trojan-activity;sid:84705955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sys.softnetlink.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842854/; classtype:trojan-activity;sid:84705954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ops.softwincli.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842853/; classtype:trojan-activity;sid:84705953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; 
endswith; nocase; http.host; content:"webdoc.softnetlink.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842852/; classtype:trojan-activity;sid:84705952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.61.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842851/; classtype:trojan-activity;sid:84705951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bin.softwincli.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842850/; classtype:trojan-activity;sid:84705950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.168.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842849/; classtype:trojan-activity;sid:84705949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"app.softnetlink.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842848/; classtype:trojan-activity;sid:84705948; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cli.softwincli.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842847/; classtype:trojan-activity;sid:84705947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"logbin.softnetlink.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842846/; classtype:trojan-activity;sid:84705946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.75.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842844/; classtype:trojan-activity;sid:84705944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842845/; classtype:trojan-activity;sid:84705945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; 
http.host; content:"win.softwincli.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842843/; classtype:trojan-activity;sid:84705943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.26.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842842/; classtype:trojan-activity;sid:84705942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842841/; classtype:trojan-activity;sid:84705941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"apiops.softnetlink.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842840/; classtype:trojan-activity;sid:84705940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.71.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842839/; classtype:trojan-activity;sid:84705939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3842838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sys.softwincli.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842838/; classtype:trojan-activity;sid:84705938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"git.softnetlink.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842837/; classtype:trojan-activity;sid:84705937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"pro.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842836/; classtype:trojan-activity;sid:84705936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.61.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842835/; classtype:trojan-activity;sid:84705935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; 
content:"877zsa.earoauth.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842834/; classtype:trojan-activity;sid:84705934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"877zsa.earoauth.life"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842833/; classtype:trojan-activity;sid:84705933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tcp.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842832/; classtype:trojan-activity;sid:84705932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tcp.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842831/; classtype:trojan-activity;sid:84705931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ultra-sh4p3.earoauth.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3842830/; classtype:trojan-activity;sid:84705930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842829/; classtype:trojan-activity;sid:84705929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.75.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842828/; classtype:trojan-activity;sid:84705928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ssh.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842827/; classtype:trojan-activity;sid:84705927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.44.154.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842826/; classtype:trojan-activity;sid:84705926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842825)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"c4che-pulse.earoauth.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842825/; classtype:trojan-activity;sid:84705925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"doc.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842824/; classtype:trojan-activity;sid:84705924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"doc.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842823/; classtype:trojan-activity;sid:84705923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.192.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842822/; classtype:trojan-activity;sid:84705922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"yuo7qefc.mixruby.life"; depth:21; isdataat:!1,relative; metadata:created_at 
2026_05_09; reference:url, urlhaus.abuse.ch/url/3842821/; classtype:trojan-activity;sid:84705921; rev:1;)
# One rule per line: Suricata reads a rule from a single line unless it is continued
# with a backslash. The fragment above and the fragment on the last line of this
# group belong to rules that continue outside it and are kept exactly as found.
#
# Every rule in this group follows the same template:
#   - action "alert" (detect only) on HTTP from $HOME_NET to $EXTERNAL_NET, established
#     flow, client-to-server direction, method GET.
#   - http.uri: content + depth:<content length> + endswith pins the whole URI buffer
#     to the listed string; nocase makes that comparison case-insensitive.
#   - http.host: content + depth:<content length> + isdataat:!1,relative pins the whole
#     host buffer to the listed name or IP. No nocase here: Suricata lowercases the
#     http.host buffer and the patterns are already lowercase.
# Review points for deployment:
#   - These are indicator matches on the exact URI/Host pair that was reported, not
#     behavioural detection; a hit is high-confidence, the absence of a hit is not.
#   - Only traffic Suricata parses as HTTP is inspected; the same download over TLS is
#     presumably not seen unless it is decrypted upstream of the sensor.
#   - Entries carry metadata:created_at; IP-literal hosts in particular may go stale.
#     TODO confirm how the feed retires old entries before relying on long retention.
#   - The same URI recurs under several subdomains in this group (skyprodoc.pics,
#     vpssysnet.pics, mixruby.life). The rules only cover the listed hosts; a search of
#     proxy/HTTP logs on the URI alone can surface hosts that are not listed yet.

# --- UUID-style path + google.ocx on subdomains of skyprodoc.pics ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"usr.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842820/; classtype:trojan-activity;sid:84705920; rev:1;)
# NOTE(review): same URI and Host patterns as sid 84705920 above, so one matching
# request raises both alerts. The two URLhaus entries differ in something the rule
# does not show; de-duplicate downstream rather than editing sids of a generated feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"usr.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842819/; classtype:trojan-activity;sid:84705919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"opt.skyprodoc.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842818/; classtype:trojan-activity;sid:84705918; rev:1;)

# --- Short generic paths (/bin.sh, /i) on IP-literal hosts, and check.rock on mixruby.life ---
# The URI alone is far too generic to alert on; the Host pattern is what scopes each
# of these rules to a single reported server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.168.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842817/; classtype:trojan-activity;sid:84705917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"retailvelvet.mixruby.life"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842816/; classtype:trojan-activity;sid:84705916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.90.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842815/; classtype:trojan-activity;sid:84705915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.174.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842814/; classtype:trojan-activity;sid:84705914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"nor-venix.mixruby.life"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842813/; classtype:trojan-activity;sid:84705913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.185.188.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842812/; classtype:trojan-activity;sid:84705912; rev:1;)

# --- google.ocx on vpssysnet.pics, check.rock on mixruby.life ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sub.vpssysnet.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842811/; classtype:trojan-activity;sid:84705911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"sajnrfcj.mixruby.life"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842810/; classtype:trojan-activity;sid:84705910; rev:1;)
# NOTE(review): same URI and Host patterns as sid 84705911 above; both fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sub.vpssysnet.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842809/; classtype:trojan-activity;sid:84705909; rev:1;)

# --- .exe under /files/<numeric directory>/ on one IP-literal host ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/isuewwr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842806/; classtype:trojan-activity;sid:84705906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3842807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/xefu0kh.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842807/; classtype:trojan-activity;sid:84705907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/gmwgfzd.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842808/; classtype:trojan-activity;sid:84705908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/omujkyu.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842789/; classtype:trojan-activity;sid:84705889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8635093259/bems4tr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842790/; classtype:trojan-activity;sid:84705890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/2x5rpef.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842791/; classtype:trojan-activity;sid:84705891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6077499728/xczftwc.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842792/; classtype:trojan-activity;sid:84705892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/soowjoj.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842793/; classtype:trojan-activity;sid:84705893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/8cbz7av.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842794/; classtype:trojan-activity;sid:84705894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/ilyevyy.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842795/; classtype:trojan-activity;sid:84705895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842796)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/g7v5v75.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842796/; classtype:trojan-activity;sid:84705896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/lreciqj.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842797/; classtype:trojan-activity;sid:84705897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/ifsfilf.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842798/; classtype:trojan-activity;sid:84705898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/n0dlikv.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842799/; classtype:trojan-activity;sid:84705899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/bjmgbvr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; 
reference:url, urlhaus.abuse.ch/url/3842800/; classtype:trojan-activity;sid:84705900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/jq17rgt.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842801/; classtype:trojan-activity;sid:84705901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/li3m3jx.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842802/; classtype:trojan-activity;sid:84705902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/mdssbk9.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842803/; classtype:trojan-activity;sid:84705903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/ndo8zgi.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842804/; classtype:trojan-activity;sid:84705904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842805)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/files/8183300806/0cjpipe.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842805/; classtype:trojan-activity;sid:84705905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ontol.exe"; depth:10; endswith; nocase; http.host; content:"neonwallet.app"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842788/; classtype:trojan-activity;sid:84705888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/o7gnpuj.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842787/; classtype:trojan-activity;sid:84705887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/x38ngph.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842782/; classtype:trojan-activity;sid:84705882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/qvwhpvl.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842783/; 
classtype:trojan-activity;sid:84705883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/qlq0tkw.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842784/; classtype:trojan-activity;sid:84705884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/bjx4b6a.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842785/; classtype:trojan-activity;sid:84705885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/c7xnvrr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842786/; classtype:trojan-activity;sid:84705886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/ckem4ld.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842778/; classtype:trojan-activity;sid:84705878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842779)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/8176913892/lau6yzd.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842779/; classtype:trojan-activity;sid:84705879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/nysprfj.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842780/; classtype:trojan-activity;sid:84705880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/wd5mnlp.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842781/; classtype:trojan-activity;sid:84705881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/nldnxnv.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842776/; classtype:trojan-activity;sid:84705876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/orabzrc.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842777/; 
classtype:trojan-activity;sid:84705877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/ah0awq2.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842770/; classtype:trojan-activity;sid:84705870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/7ahrrjl.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842771/; classtype:trojan-activity;sid:84705871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/lkz74gv.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842772/; classtype:trojan-activity;sid:84705872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/o2o8oay.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842773/; classtype:trojan-activity;sid:84705873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842774)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/8176913892/zhibidr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842774/; classtype:trojan-activity;sid:84705874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/rvjxalf.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842775/; classtype:trojan-activity;sid:84705875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/5jvjumi.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842764/; classtype:trojan-activity;sid:84705864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/v6zklp9.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842765/; classtype:trojan-activity;sid:84705865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1824233174/rip3rn5.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842766/; 
classtype:trojan-activity;sid:84705866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/ttnomwa.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842767/; classtype:trojan-activity;sid:84705867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/72uukrf.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842768/; classtype:trojan-activity;sid:84705868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8176913892/2ccmalr.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842769/; classtype:trojan-activity;sid:84705869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"jpmfljz3.mixruby.life"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842763/; classtype:trojan-activity;sid:84705863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842762)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sys.vpssysnet.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842762/; classtype:trojan-activity;sid:84705862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.83.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842761/; classtype:trojan-activity;sid:84705861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.117.108.240"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842760/; classtype:trojan-activity;sid:84705860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.64.135.181"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842759/; classtype:trojan-activity;sid:84705859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99c7fa93-4d32-47c2-84f9-163f7755f5e3/check.rock"; depth:48; endswith; nocase; http.host; content:"ly1p.mixruby.life"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842758/; classtype:trojan-activity;sid:84705858; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"env.vpssysnet.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842757/; classtype:trojan-activity;sid:84705857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.90.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842756/; classtype:trojan-activity;sid:84705856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"doc.vpssysnet.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842755/; classtype:trojan-activity;sid:84705855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"doc.vpssysnet.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842754/; classtype:trojan-activity;sid:84705854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842753)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"usr.skynodecfg.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842753/; classtype:trojan-activity;sid:84705853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sync.clouditapp.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842752/; classtype:trojan-activity;sid:84705852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.83.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842751/; classtype:trojan-activity;sid:84705851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"opt.skynodecfg.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842750/; classtype:trojan-activity;sid:84705850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"opt.skynodecfg.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; 
reference:url, urlhaus.abuse.ch/url/3842748/; classtype:trojan-activity;sid:84705848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"io.clouditapp.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842749/; classtype:trojan-activity;sid:84705849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.80.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842747/; classtype:trojan-activity;sid:84705847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"proxy.vpsgateway.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842745/; classtype:trojan-activity;sid:84705845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"app.clouditapp.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842746/; classtype:trojan-activity;sid:84705846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3842744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.174.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842744/; classtype:trojan-activity;sid:84705844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"web.clouditapp.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842743/; classtype:trojan-activity;sid:84705843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"lan.vpsgateway.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842742/; classtype:trojan-activity;sid:84705842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"lan.vpsgateway.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842741/; classtype:trojan-activity;sid:84705841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.117.108.240"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842740/; classtype:trojan-activity;sid:84705840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"sub.vpsgateway.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842739/; classtype:trojan-activity;sid:84705839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"it.clouditapp.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842738/; classtype:trojan-activity;sid:84705838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.6.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842737/; classtype:trojan-activity;sid:84705837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"bit.vpsgateway.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842736/; classtype:trojan-activity;sid:84705836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3842735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"aut.clouditapp.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842735/; classtype:trojan-activity;sid:84705835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"open.openlogmgr.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842734/; classtype:trojan-activity;sid:84705834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"envset.vpsgateway.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842733/; classtype:trojan-activity;sid:84705833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logs.openlogmgr.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842732/; classtype:trojan-activity;sid:84705832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842731)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"doc.vpsgateway.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842731/; classtype:trojan-activity;sid:84705831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"syncit.bitflowapp.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842729/; classtype:trojan-activity;sid:84705829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"net.openlogmgr.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842730/; classtype:trojan-activity;sid:84705830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.168.217.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842728/; classtype:trojan-activity;sid:84705828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.90.164"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842727/; 
classtype:trojan-activity;sid:84705827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"mgr.openlogmgr.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842726/; classtype:trojan-activity;sid:84705826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.80.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842725/; classtype:trojan-activity;sid:84705825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"io.bitflowapp.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842724/; classtype:trojan-activity;sid:84705824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"mod.openlogmgr.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842723/; classtype:trojan-activity;sid:84705823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842722)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"taskid.bitflowapp.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842722/; classtype:trojan-activity;sid:84705822; rev:1;)
# NOTE(review): sid 84705821 repeats the URI and Host of sid 84705822 directly
# above it, so one request to this host and path fires both rules. Only the
# URLhaus entry id (3842721 vs 3842722) and the sid differ; what distinguishes
# the two entries is not encoded in the rule - confirm on the reference pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"taskid.bitflowapp.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842721/; classtype:trojan-activity;sid:84705821; rev:1;)
# The URI pattern here is only two bytes ("/i" with depth:2 and endswith, i.e. the
# whole URI). What keeps the rule specific is the exact Host match on one IP literal.
# NOTE(review): an IP-literal host may later be reassigned to an unrelated party;
# metadata:created_at records when the entry was added and can drive local ageing
# of the rule - confirm against the feed's own expiry behaviour.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.119.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842720/; classtype:trojan-activity;sid:84705820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"web.bitflowapp.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842719/; classtype:trojan-activity;sid:84705819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"src.openlogmgr.pics"; depth:19; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842718/; classtype:trojan-activity;sid:84705818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"src.openlogmgr.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842717/; classtype:trojan-activity;sid:84705817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.6.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842716/; classtype:trojan-activity;sid:84705816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bit.fastbitbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842715/; classtype:trojan-activity;sid:84705815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"refid.bitflowapp.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842714/; classtype:trojan-activity;sid:84705814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3842713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"122.137.214.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842713/; classtype:trojan-activity;sid:84705813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"aut.bitflowapp.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842712/; classtype:trojan-activity;sid:84705812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ftp.fastbitbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842711/; classtype:trojan-activity;sid:84705811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"box.fastbitbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842710/; classtype:trojan-activity;sid:84705810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; 
depth:46; endswith; nocase; http.host; content:"dom.openapiserv.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842709/; classtype:trojan-activity;sid:84705809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"adm.fastbitbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842708/; classtype:trojan-activity;sid:84705808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"pwrlog.openapiserv.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842707/; classtype:trojan-activity;sid:84705807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.210.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842706/; classtype:trojan-activity;sid:84705806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"raw.fastbitbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842705/; 
classtype:trojan-activity;sid:84705805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"raw.fastbitbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842704/; classtype:trojan-activity;sid:84705804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"extnet.openapiserv.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842703/; classtype:trojan-activity;sid:84705803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.119.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842702/; classtype:trojan-activity;sid:84705802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.73.133.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842701/; classtype:trojan-activity;sid:84705801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842700)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.137.214.162"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842700/; classtype:trojan-activity;sid:84705800; rev:1;)
# The next two rules share the URI "/dat/linux.dat" and differ only in the host
# label (cdn1. vs cdn.). The Host comparison is exact: depth equals the content
# length and isdataat:!1,relative requires the buffer to end right after it.
# Any other label under the same parent domain therefore matches only if the feed
# ships a separate rule for it.
# NOTE(review): where local policy treats the whole parent domain as hostile, a
# locally maintained domain-suffix rule (HTTP host or DNS query) would close that
# gap; the feed rules themselves are per-URL by design - confirm before adding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dat/linux.dat"; depth:14; endswith; nocase; http.host; content:"cdn1.monero1478.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842699/; classtype:trojan-activity;sid:84705799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dat/linux.dat"; depth:14; endswith; nocase; http.host; content:"cdn.monero1478.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842698/; classtype:trojan-activity;sid:84705798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"zip.fastbitbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842697/; classtype:trojan-activity;sid:84705797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"run.openapiserv.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842696/; 
classtype:trojan-activity;sid:84705796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"link.linkrunops.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842695/; classtype:trojan-activity;sid:84705795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"modbus.openapiserv.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842694/; classtype:trojan-activity;sid:84705794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"src.openapiserv.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842693/; classtype:trojan-activity;sid:84705793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"run.linkrunops.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842692/; classtype:trojan-activity;sid:84705792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3842691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"uid.fastrunbase.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842691/; classtype:trojan-activity;sid:84705791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ops.linkrunops.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842690/; classtype:trojan-activity;sid:84705790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"uid.fastrunbase.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842689/; classtype:trojan-activity;sid:84705789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"db.linkrunops.pics"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842688/; classtype:trojan-activity;sid:84705788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; 
depth:46; endswith; nocase; http.host; content:"ftp.fastrunbase.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842687/; classtype:trojan-activity;sid:84705787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.238.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842686/; classtype:trojan-activity;sid:84705786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sky.linkrunops.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842685/; classtype:trojan-activity;sid:84705785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"lib.fastrunbase.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842684/; classtype:trojan-activity;sid:84705784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"jobadm.fastrunbase.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842683/; 
classtype:trojan-activity;sid:84705783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cmd.linkrunops.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842682/; classtype:trojan-activity;sid:84705782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.234.9.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842681/; classtype:trojan-activity;sid:84705781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"raw.fastrunbase.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842680/; classtype:trojan-activity;sid:84705780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bin.datasrvhub.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842679/; classtype:trojan-activity;sid:84705779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842678)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bin.datasrvhub.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842678/; classtype:trojan-activity;sid:84705778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"zip.fastrunbase.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842677/; classtype:trojan-activity;sid:84705777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"os.linkdataproc.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842676/; classtype:trojan-activity;sid:84705776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ssl.datasrvhub.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842675/; classtype:trojan-activity;sid:84705775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; 
content:"os.linkdataproc.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842674/; classtype:trojan-activity;sid:84705774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"hub.datasrvhub.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842673/; classtype:trojan-activity;sid:84705773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"metal.linkdataproc.pics"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842672/; classtype:trojan-activity;sid:84705772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"node.datasrvhub.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842671/; classtype:trojan-activity;sid:84705771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"api.linkdataproc.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3842670/; classtype:trojan-activity;sid:84705770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"dbinst.linkdataproc.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842669/; classtype:trojan-activity;sid:84705769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"fix.datasrvhub.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842668/; classtype:trojan-activity;sid:84705768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"skyvpn.linkdataproc.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842667/; classtype:trojan-activity;sid:84705767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.234.9.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842666/; classtype:trojan-activity;sid:84705766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842665)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cfg.webcfgbase.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842665/; classtype:trojan-activity;sid:84705765; rev:1;)
# Every rule here inspects only the client side of an established flow
# (flow:established,from_client): it alerts on the outbound GET request itself,
# not on whether a payload was actually returned. An alert means an internal host
# asked for the URL; whether the download succeeded has to be checked elsewhere.
# NOTE(review): sid 84705764 and sid 84705763 have the same URI and the same Host,
# so one request produces two alerts under classtype trojan-activity. The URLhaus
# entries (3842664, 3842663) presumably differ in a field the rule does not carry,
# such as scheme or port - confirm on the reference pages before de-duplicating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"cmd.linkdataproc.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842664/; classtype:trojan-activity;sid:84705764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"cmd.linkdataproc.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842663/; classtype:trojan-activity;sid:84705763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"top.webcfgbase.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842662/; classtype:trojan-activity;sid:84705762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; 
endswith; nocase; http.host; content:"tmp.cloudviewtop.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842661/; classtype:trojan-activity;sid:84705761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"bin.cloudviewtop.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842660/; classtype:trojan-activity;sid:84705760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cpu.webcfgbase.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842659/; classtype:trojan-activity;sid:84705759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"ssl.cloudviewtop.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842658/; classtype:trojan-activity;sid:84705758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vps.webcfgbase.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3842657/; classtype:trojan-activity;sid:84705757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"getcfg.cloudviewtop.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842656/; classtype:trojan-activity;sid:84705756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dns.webcfgbase.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842655/; classtype:trojan-activity;sid:84705755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.182.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842654/; classtype:trojan-activity;sid:84705754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"ipnode.cloudviewtop.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842653/; classtype:trojan-activity;sid:84705753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842652)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"ipnode.cloudviewtop.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842652/; classtype:trojan-activity;sid:84705752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"nodes.netnodeset.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842651/; classtype:trojan-activity;sid:84705751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"fix.cloudviewtop.pics"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842650/; classtype:trojan-activity;sid:84705750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dbit.netnodeset.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842649/; classtype:trojan-activity;sid:84705749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; 
endswith; nocase; http.host; content:"bitfox.websyncbox.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842648/; classtype:trojan-activity;sid:84705748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.196.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842646/; classtype:trojan-activity;sid:84705746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logs.netnodeset.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842647/; classtype:trojan-activity;sid:84705747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.8.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842645/; classtype:trojan-activity;sid:84705745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"top.websyncbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842644/; classtype:trojan-activity;sid:84705744; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"api.netnodeset.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842643/; classtype:trojan-activity;sid:84705743; rev:1;)
# Duplicate detection logic: this rule and sid 84705743 above match the same
# exact URI on the same exact host (api.netnodeset.pics), so a single GET
# produces two alerts with different sids. Treat the pair as one indicator
# when triaging or building thresholds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"api.netnodeset.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842642/; classtype:trojan-activity;sid:84705742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.182.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842641/; classtype:trojan-activity;sid:84705741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"opsmgr.websyncbox.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842640/; classtype:trojan-activity;sid:84705740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842639)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cdnx.netnodeset.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842639/; classtype:trojan-activity;sid:84705739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"cpu.websyncbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842638/; classtype:trojan-activity;sid:84705738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srv.netnodeset.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842637/; classtype:trojan-activity;sid:84705737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"vpsrun.websyncbox.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842636/; classtype:trojan-activity;sid:84705736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"gitlabhubs.sorix2en.pics"; 
depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842635/; classtype:trojan-activity;sid:84705735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.209.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842634/; classtype:trojan-activity;sid:84705734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"dns.websyncbox.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842633/; classtype:trojan-activity;sid:84705733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.132.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842632/; classtype:trojan-activity;sid:84705732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"apiopsstat.sorix2en.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842631/; classtype:trojan-activity;sid:84705731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3842630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.127.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842630/; classtype:trojan-activity;sid:84705730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.209.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842629/; classtype:trojan-activity;sid:84705729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"appbox.netloghubs.pics"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842628/; classtype:trojan-activity;sid:84705728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.132.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842627/; classtype:trojan-activity;sid:84705727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842626/; 
classtype:trojan-activity;sid:84705726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"dbit.netloghubs.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842625/; classtype:trojan-activity;sid:84705725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.127.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842624/; classtype:trojan-activity;sid:84705724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"appsrchcli.sorix2en.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842623/; classtype:trojan-activity;sid:84705723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.192.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842622/; classtype:trojan-activity;sid:84705722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842621)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.192.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842621/; classtype:trojan-activity;sid:84705721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.86.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842620/; classtype:trojan-activity;sid:84705720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"logs.netloghubs.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842619/; classtype:trojan-activity;sid:84705719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"webdocserv.sorix2en.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842618/; classtype:trojan-activity;sid:84705718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"syskeypath.sorix2en.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3842617/; classtype:trojan-activity;sid:84705717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"cdnx.netloghubs.pics"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842616/; classtype:trojan-activity;sid:84705716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.75.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842615/; classtype:trojan-activity;sid:84705715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"netmanproc.9doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842614/; classtype:trojan-activity;sid:84705714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"srv.netloghubs.pics"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842613/; classtype:trojan-activity;sid:84705713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842612)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tcpconpath.9doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842612/; classtype:trojan-activity;sid:84705712; rev:1;)
# Same http.uri and http.host content as sid 84705712 above
# (tcpconpath.9doreval.pics); both rules fire on the same request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tcpconpath.9doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842611/; classtype:trojan-activity;sid:84705711; rev:1;)
# The next two rules pin "/bin.sh" to a bare IPv4 address. Their created_at
# is 2026_05_09 while the feed header is dated 2026-06-02, so the addresses
# are a few weeks old. NOTE(review): check the URLhaus reference for current
# status before acting on a hit, since an address can change hands.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842610/; classtype:trojan-activity;sid:84705710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.196.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842609/; classtype:trojan-activity;sid:84705709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"gitlabhubs.sorix1ar.pics"; depth:24; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842608/; classtype:trojan-activity;sid:84705708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sshproserv.9doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842607/; classtype:trojan-activity;sid:84705707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.60.77.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842606/; classtype:trojan-activity;sid:84705706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"logbinnode.sorix1ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842605/; classtype:trojan-activity;sid:84705705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"usrgrpstat.9doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842604/; classtype:trojan-activity;sid:84705704; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"appsrchcli.sorix1ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842603/; classtype:trojan-activity;sid:84705703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"optwebnode.9doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842602/; classtype:trojan-activity;sid:84705702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"webdocserv.sorix1ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842601/; classtype:trojan-activity;sid:84705701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.48.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842599/; classtype:trojan-activity;sid:84705699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"110.37.39.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842600/; classtype:trojan-activity;sid:84705700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"proxysserv.vexon4ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842598/; classtype:trojan-activity;sid:84705698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"syskeypath.sorix1ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842597/; classtype:trojan-activity;sid:84705697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"lanhoppath.vexon4ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842596/; classtype:trojan-activity;sid:84705696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"99-105-56-184.lightspeed.sntcca.sbcglobal.net"; depth:45; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3842595/; classtype:trojan-activity;sid:84705695; rev:1;)
# Companion of sid 84705695 above: that rule matches "/mozi.m" on the host
# name 99-105-56-184.lightspeed.sntcca.sbcglobal.net, this one on the literal
# address 99.105.56.184, so the Host header is covered in both forms.
# NOTE(review): the name looks like an ISP-assigned customer record; if the
# address is dynamically assigned the indicator has a short useful life.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"99.105.56.184"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842594/; classtype:trojan-activity;sid:84705694; rev:1;)
# Exact-host matching: each *.6doreval.pics / *.vexon4ar.pics subdomain below
# has its own rule; a subdomain not listed in the feed is not covered even
# though the URI path is the same.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"netmanproc.6doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842593/; classtype:trojan-activity;sid:84705693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"subclidata.vexon4ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842592/; classtype:trojan-activity;sid:84705692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"tcpconpath.6doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842591/; classtype:trojan-activity;sid:84705691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3842590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.102.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842590/; classtype:trojan-activity;sid:84705690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bitkitmaps.vexon4ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842589/; classtype:trojan-activity;sid:84705689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"sshproserv.6doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842588/; classtype:trojan-activity;sid:84705688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"envsetproc.vexon4ar.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842587/; classtype:trojan-activity;sid:84705687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.90.3"; depth:11; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842586/; classtype:trojan-activity;sid:84705686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"vmlistview.6doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842585/; classtype:trojan-activity;sid:84705685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.180.10.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842584/; classtype:trojan-activity;sid:84705684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.170.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842583/; classtype:trojan-activity;sid:84705683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"usrgrpstat.6doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842582/; classtype:trojan-activity;sid:84705682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3842581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"syncitnode.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842581/; classtype:trojan-activity;sid:84705681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842580/; classtype:trojan-activity;sid:84705680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"optwebnode.6doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842579/; classtype:trojan-activity;sid:84705679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ioflowpath.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842578/; classtype:trojan-activity;sid:84705678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.48.21"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842577/; classtype:trojan-activity;sid:84705677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ioflowpath.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842576/; classtype:trojan-activity;sid:84705676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"optwebnode.6doreval.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842575/; classtype:trojan-activity;sid:84705675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"proxysserv.vexon3ix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842574/; classtype:trojan-activity;sid:84705674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"taskidview.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842573/; 
classtype:trojan-activity;sid:84705673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.90.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842572/; classtype:trojan-activity;sid:84705672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"taskidview.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842571/; classtype:trojan-activity;sid:84705671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.102.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842570/; classtype:trojan-activity;sid:84705670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"lanhoppath.vexon3ix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842569/; classtype:trojan-activity;sid:84705669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842568)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"lanhoppath.vexon3ix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842568/; classtype:trojan-activity;sid:84705668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"comwebstat.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842567/; classtype:trojan-activity;sid:84705667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"subclidata.vexon3ix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842566/; classtype:trojan-activity;sid:84705666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"refid-core.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842565/; classtype:trojan-activity;sid:84705665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.170.18"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842564/; classtype:trojan-activity;sid:84705664; rev:1;)
# Match idiom shared by the rules below: on http.uri, depth:N (N equals the
# length of the content string) combined with endswith pins the content to the
# whole buffer, so the URI must equal the listed string; nocase makes that
# comparison case-insensitive. On http.host, depth:N plus isdataat:!1,relative
# (no byte may follow the match) has the same exact-match effect.
# These are `alert http` rules restricted to GET from $HOME_NET to
# $EXTERNAL_NET, so each one is a lookup for one exact URL in HTTP traffic the
# sensor can parse, not a behavioural detection. Absence of alerts says nothing
# about other URLs serving the same payload.
#
# NOTE(review): sid 84705663 and sid 84705662 have identical match conditions
# (same method, same http.uri content, same http.host content); only msg,
# reference and sid differ. One matching request raises both alerts.
# Presumably the two URLhaus entries differ in something the rule does not
# encode; confirm against the referenced entries before de-duplicating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"bitkitmaps.vexon3ix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842563/; classtype:trojan-activity;sid:84705663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"bitkitmaps.vexon3ix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842562/; classtype:trojan-activity;sid:84705662; rev:1;)
# Same exact-match idiom, different path and host (depth:48 / depth:25 equal
# the lengths of the respective content strings).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"autboxserv.pav6mirex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842561/; classtype:trojan-activity;sid:84705661; rev:1;)
# The host here is an IP literal and the URI is a short generic path, so the
# host match carries most of the specificity. The only age information in the
# rule is metadata:created_at. NOTE(review): addresses can be reassigned, so
# check the referenced URLhaus entry for its current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.180.10.67"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842560/; classtype:trojan-activity;sid:84705660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3842559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.229.197.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842559/; classtype:trojan-activity;sid:84705659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"domregutil.xamir1ol.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842558/; classtype:trojan-activity;sid:84705658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"doclabutil.vexon3ix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842557/; classtype:trojan-activity;sid:84705657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"pwrlogview.xamir1ol.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842556/; classtype:trojan-activity;sid:84705656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842555)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"syncitnode.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842555/; classtype:trojan-activity;sid:84705655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"syncitnode.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842554/; classtype:trojan-activity;sid:84705654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"extnetprox.xamir1ol.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842553/; classtype:trojan-activity;sid:84705653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"ioflowpath.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842552/; classtype:trojan-activity;sid:84705652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; 
content:"ioflowpath.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842551/; classtype:trojan-activity;sid:84705651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"pkgrunstat.xamir1ol.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842550/; classtype:trojan-activity;sid:84705650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"taskidview.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842549/; classtype:trojan-activity;sid:84705649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"modbusdata.xamir1ol.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842548/; classtype:trojan-activity;sid:84705648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srcgetproc.xamir1ol.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, 
urlhaus.abuse.ch/url/3842547/; classtype:trojan-activity;sid:84705647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"comwebstat.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842546/; classtype:trojan-activity;sid:84705646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"uidmapbits.tavro8xel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842545/; classtype:trojan-activity;sid:84705645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.34.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842544/; classtype:trojan-activity;sid:84705644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.34.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842543/; classtype:trojan-activity;sid:84705643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842542)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"refid-core.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842542/; classtype:trojan-activity;sid:84705642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"autboxserv.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842541/; classtype:trojan-activity;sid:84705641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"autboxserv.pav8mirel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842540/; classtype:trojan-activity;sid:84705640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ftpsrvnode.tavro8xel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842539/; classtype:trojan-activity;sid:84705639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.231.61"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842538/; classtype:trojan-activity;sid:84705638; rev:1;)
# Exact-URL rule: on http.uri, depth:48 equals the content length and endswith
# anchors the end, so the URI must equal the listed string (case-insensitively,
# via nocase). On http.host, depth:25 plus isdataat:!1,relative (no byte may
# follow the match) requires the host to equal the listed name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"libsyspath.tavro8xel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842537/; classtype:trojan-activity;sid:84705637; rev:1;)
# The next three rules share the URI condition content:"/i"; depth:2; endswith,
# which is an exact match on a two-byte URI. All remaining specificity comes
# from the http.host content, which is an IP literal in each case.
# NOTE(review): the rules carry no expiry, only metadata:created_at; addresses
# can be reassigned, so check the referenced URLhaus entry for its current
# status when triaging a hit on one of these.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.243.48"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842536/; classtype:trojan-activity;sid:84705636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842534/; classtype:trojan-activity;sid:84705634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.80.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842535/; classtype:trojan-activity;sid:84705635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842533)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"pwrlogview.xamir4al.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842533/; classtype:trojan-activity;sid:84705633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.127.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842532/; classtype:trojan-activity;sid:84705632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"jobadmmgrs.tavro8xel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842531/; classtype:trojan-activity;sid:84705631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.37.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842530/; classtype:trojan-activity;sid:84705630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"extnetprox.xamir4al.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; 
reference:url, urlhaus.abuse.ch/url/3842529/; classtype:trojan-activity;sid:84705629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"rawdatamap.tavro8xel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842528/; classtype:trojan-activity;sid:84705628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"pkgrunstat.xamir4al.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842527/; classtype:trojan-activity;sid:84705627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ziparkview.tavro8xel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842526/; classtype:trojan-activity;sid:84705626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"osbasesyst.2zorevin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842525/; classtype:trojan-activity;sid:84705625; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"modbusdata.xamir4al.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842524/; classtype:trojan-activity;sid:84705624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"srcgetproc.xamir4al.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842523/; classtype:trojan-activity;sid:84705623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"metaltscfg.2zorevin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842522/; classtype:trojan-activity;sid:84705622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"metaltscfg.2zorevin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842521/; classtype:trojan-activity;sid:84705621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842520)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"uidmapbits.tavro5xen.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842520/; classtype:trojan-activity;sid:84705620; rev:1;)
# Reviewer notes (sid 84705619-84705603):
# - Every rule pins one URLhaus entry: a GET whose http.uri equals the content
#   (depth = content length, plus endswith) and whose http.host equals the
#   content (depth = content length, plus isdataat:!1,relative). The URI match
#   is case-insensitive (nocase); nothing else in the request is tested.
# - NOTE(review): http.uri is expected to hold the query string as well, so the
#   same path requested with parameters appended would not alert - confirm on
#   the deployed Suricata version.
# - "alert http" fires only on traffic the sensor parses as HTTP; a fetch of
#   the same URL over TLS is outside these rules unless it is decrypted first.
# - The named hosts are subdomains of a few parent domains (tavro5xen.pics,
#   2zorevin.pics, qen3larex.pics, 1zarelin.pics) that serve the same two
#   paths. Only the listed subdomains match, so DNS or proxy logs for the
#   parent domains are where siblings the feed has not listed would show up.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"apidocserv.2zorevin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842519/; classtype:trojan-activity;sid:84705619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.13.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842518/; classtype:trojan-activity;sid:84705618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"ftpsrvnode.tavro5xen.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842517/; classtype:trojan-activity;sid:84705617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dbinstlist.2zorevin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842516/; classtype:trojan-activity;sid:84705616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.234.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842515/; classtype:trojan-activity;sid:84705615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"libsyspath.tavro5xen.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842514/; classtype:trojan-activity;sid:84705614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"skyvpnnode.2zorevin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842513/; classtype:trojan-activity;sid:84705613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"jobadmmgrs.tavro5xen.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842512/; classtype:trojan-activity;sid:84705612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.37.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842511/; classtype:trojan-activity;sid:84705611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"rawdatamap.tavro5xen.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842510/; classtype:trojan-activity;sid:84705610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.88.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842509/; classtype:trojan-activity;sid:84705609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tmpdirsets.qen3larex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842508/; classtype:trojan-activity;sid:84705608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842507/; classtype:trojan-activity;sid:84705607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sshbinpath.qen3larex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842506/; classtype:trojan-activity;sid:84705606; rev:1;)
# sid 84705605 and sid 84705603 test the same host and URI, so one request
# raises both alerts; presumably the two URLhaus entries differ in something
# these rules do not inspect - confirm on the referenced entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"osbasesyst.1zarelin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842505/; classtype:trojan-activity;sid:84705605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.234.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842504/; classtype:trojan-activity;sid:84705604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"osbasesyst.1zarelin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842503/; classtype:trojan-activity;sid:84705603; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sslkeybase.qen3larex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842502/; classtype:trojan-activity;sid:84705602; rev:1;)
# Reviewer notes (sid 84705601-84705586):
# - sid 84705601 tests the same host and URI as sid 84705602, so a single
#   request raises both alerts; count them as one event when triaging.
# - In every rule here the number in msg, the reference URL and the sid name
#   the same URLhaus entry (sid = entry ID + 80863100), so an alert can be
#   traced back to its entry from the sid alone.
# - metadata:created_at is 2026_05_09 or 2026_05_08 in this run. Whether the
#   listed URL is still being served is not encoded in the rule; the referenced
#   URLhaus entry is where to check that.
# - NOTE(review): the file header carries a feed "Last updated" stamp, so the
#   file is presumably regenerated on update; keep local tuning (suppress or
#   threshold entries keyed by sid) outside this file - confirm with whoever
#   runs the rule updates.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sslkeybase.qen3larex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842501/; classtype:trojan-activity;sid:84705601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.13.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_09; reference:url, urlhaus.abuse.ch/url/3842500/; classtype:trojan-activity;sid:84705600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"metaltscfg.1zarelin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842499/; classtype:trojan-activity;sid:84705599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"getcfghubs.qen3larex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842498/; classtype:trojan-activity;sid:84705598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"apidocserv.1zarelin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842497/; classtype:trojan-activity;sid:84705597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ipnodeclis.qen3larex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842496/; classtype:trojan-activity;sid:84705596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"dbinstlist.1zarelin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842495/; classtype:trojan-activity;sid:84705595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"hotfixpack.qen3larex.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842494/; classtype:trojan-activity;sid:84705594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"skyvpnnode.1zarelin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842493/; classtype:trojan-activity;sid:84705593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bitfoxcore.mav7voren.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842492/; classtype:trojan-activity;sid:84705592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"cmdsetproc.1zarelin.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842491/; classtype:trojan-activity;sid:84705591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"opsmgrsvcs.mav7voren.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842490/; classtype:trojan-activity;sid:84705590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"tmpdirsets.qen9vorel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842489/; classtype:trojan-activity;sid:84705589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.232.77.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842488/; classtype:trojan-activity;sid:84705588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"sshbinpath.qen9vorel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842487/; classtype:trojan-activity;sid:84705587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"cpuprosmgr.mav7voren.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842486/; classtype:trojan-activity;sid:84705586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3842485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"sslkeybase.qen9vorel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842485/; classtype:trojan-activity;sid:84705585; rev:1;)
# Reviewer notes (sid 84705584-84705564):
# - Three pairs below have identical match conditions, so one request raises
#   two alerts: sid 84705579/84705578, sid 84705573/84705572 and
#   sid 84705567/84705566.
# - The IP-literal rules compare the http.host buffer with the address text;
#   they do not test the destination address of the flow.
#   NOTE(review): a request to the same address that carries a different Host
#   value would presumably not alert - flow or firewall logs for these
#   addresses cover that gap.
# - "/i" is only two bytes, but depth:2 with endswith limits the match to a URI
#   that is exactly "/i" (any case), and the host must match as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vpsrunproc.mav7voren.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842484/; classtype:trojan-activity;sid:84705584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"getcfghubs.qen9vorel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842483/; classtype:trojan-activity;sid:84705583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.254.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842482/; classtype:trojan-activity;sid:84705582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"dnswebsrvs.mav7voren.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842481/; classtype:trojan-activity;sid:84705581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"ipnodeclis.qen9vorel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842480/; classtype:trojan-activity;sid:84705580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"appboxdata.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842479/; classtype:trojan-activity;sid:84705579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"appboxdata.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842478/; classtype:trojan-activity;sid:84705578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.254.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842477/; classtype:trojan-activity;sid:84705577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"hotfixpack.qen9vorel.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842476/; classtype:trojan-activity;sid:84705576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842475/; classtype:trojan-activity;sid:84705575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"devbitscfg.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842474/; classtype:trojan-activity;sid:84705574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"bitfoxcore.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842473/; classtype:trojan-activity;sid:84705573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"bitfoxcore.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842472/; classtype:trojan-activity;sid:84705572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srvlogview.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842471/; classtype:trojan-activity;sid:84705571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.80.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842470/; classtype:trojan-activity;sid:84705570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.14.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842469/; classtype:trojan-activity;sid:84705569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.201.120"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842468/; classtype:trojan-activity;sid:84705568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"topsvcutil.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842467/; classtype:trojan-activity;sid:84705567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"topsvcutil.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842466/; classtype:trojan-activity;sid:84705566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"netapiprot.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842465/; classtype:trojan-activity;sid:84705565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842464/; classtype:trojan-activity;sid:84705564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842463)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"opsmgrsvcs.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842463/; classtype:trojan-activity;sid:84705563; rev:1;)
# Reviewer notes (sid 84705562-84705546):
# - Fourteen rules below (/nerv.*) pin the single host 103.77.246.173 and
#   differ only in the file name suffix (sh4, m68k, ppc, sh, arm4-arm7, x86,
#   x86_32, x86_64, sparc, mips, mpsl). The suffixes look like CPU
#   architecture names - TODO confirm on the referenced URLhaus entries.
#   A file name that is not listed would not alert, so for triage treat any
#   HTTP request from $HOME_NET to this host as related.
# - sid 84705561 and sid 84705560 test the same host and URI
#   (webcdnstat.5toralix.pics), so one request raises both alerts.
# - The rules are not in sid order here (84705555-84705559 come before
#   84705547-84705554); look a sid up by value, not by file position.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.sh4"; depth:9; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842462/; classtype:trojan-activity;sid:84705562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"webcdnstat.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842461/; classtype:trojan-activity;sid:84705561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"webcdnstat.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842460/; classtype:trojan-activity;sid:84705560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.m68k"; depth:10; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842455/; classtype:trojan-activity;sid:84705555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.ppc"; depth:9; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842456/; classtype:trojan-activity;sid:84705556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.sh"; depth:8; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842457/; classtype:trojan-activity;sid:84705557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.arm6"; depth:10; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842458/; classtype:trojan-activity;sid:84705558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.x86"; depth:9; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842459/; classtype:trojan-activity;sid:84705559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.x86_32"; depth:12; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842447/; classtype:trojan-activity;sid:84705547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.arm7"; depth:10; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842448/; classtype:trojan-activity;sid:84705548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.x86_64"; depth:12; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842449/; classtype:trojan-activity;sid:84705549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.arm5"; depth:10; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842450/; classtype:trojan-activity;sid:84705550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.sparc"; depth:11; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842451/; classtype:trojan-activity;sid:84705551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.mips"; depth:10; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842452/; classtype:trojan-activity;sid:84705552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.mpsl"; depth:10; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842453/; classtype:trojan-activity;sid:84705553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerv.arm4"; depth:10; endswith; nocase; http.host; content:"103.77.246.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842454/; classtype:trojan-activity;sid:84705554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.131.156.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842446/; classtype:trojan-activity;sid:84705546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.134.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842445/; 
classtype:trojan-activity;sid:84705545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"srvhubnode.5toralix.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842444/; classtype:trojan-activity;sid:84705544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"cpuprosmgr.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842443/; classtype:trojan-activity;sid:84705543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.185.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842442/; classtype:trojan-activity;sid:84705542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.134.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842441/; classtype:trojan-activity;sid:84705541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842440)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"logbinnode.surgeon-snoot.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842440/; classtype:trojan-activity;sid:84705540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"vpsrunproc.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842439/; classtype:trojan-activity;sid:84705539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.185.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842438/; classtype:trojan-activity;sid:84705538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"appsrchcli.surgeon-snoot.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842437/; classtype:trojan-activity;sid:84705537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"dnswebsrvs.mav2lorix.pics"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842436/; classtype:trojan-activity;sid:84705536; rev:1;)
# How the rules in this feed match (every rule below follows the same template):
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client: client requests leaving the home network
#     on flows Suricata has parsed as HTTP.
#   - http.method; content:"GET": only GET requests are considered.
#   - http.uri; content:"..."; depth:<pattern length>; endswith; nocase:
#     depth equal to the pattern length pins the match to offset 0 and
#     endswith pins it to the end of the buffer, so the whole normalized URI
#     must equal the pattern (case-insensitively).
#   - http.host; content:"..."; depth:<pattern length>; isdataat:!1,relative:
#     the same whole-buffer comparison for the host.
# These are exact-URL indicators, not behavioural detections: a request that
# differs in method, path, query or host, or that is carried over TLS the
# sensor does not decrypt, falls outside them.
# NOTE(review): traffic sent through an internal forward proxy may not satisfy
# the $EXTERNAL_NET destination; confirm against sensor placement.
#
# NOTE(review): the next rule (sid 84705535) has the same http.uri and
# http.host match as the rule that ends on the line above (sid 84705536); only
# msg, reference and sid differ, so one matching request raises both alerts.
# Presumably the two URLhaus entries differ in a part the rule does not encode
# (scheme or port); confirm against the referenced entries, and deduplicate
# or threshold downstream if paired alerts are noise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"dnswebsrvs.mav2lorix.pics"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842435/; classtype:trojan-activity;sid:84705535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"webdocserv.surgeon-snoot.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842434/; classtype:trojan-activity;sid:84705534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"appboxdata.7toravex.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842433/; classtype:trojan-activity;sid:84705533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"syskeypath.surgeon-snoot.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842432/; classtype:trojan-activity;sid:84705532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842431/; classtype:trojan-activity;sid:84705531; rev:1;)
# NOTE(review): same http.uri and http.host match as sid 84705532 two rules
# above (syskeypath.surgeon-snoot.lat, same path); a matching request fires
# both sids. Presumably the URLhaus entries differ in scheme or port; confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"syskeypath.surgeon-snoot.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842430/; classtype:trojan-activity;sid:84705530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"devbitscfg.7toravex.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842429/; classtype:trojan-activity;sid:84705529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"netmanproc.krat5urface.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842428/; classtype:trojan-activity;sid:84705528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842427)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"srvlogview.7toravex.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842427/; classtype:trojan-activity;sid:84705527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"tcpconpath.krat5urface.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842426/; classtype:trojan-activity;sid:84705526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"netapiprot.7toravex.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842425/; classtype:trojan-activity;sid:84705525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.83.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842424/; classtype:trojan-activity;sid:84705524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"sshproserv.krat5urface.lat"; depth:26; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842423/; classtype:trojan-activity;sid:84705523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"webcdnstat.7toravex.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842422/; classtype:trojan-activity;sid:84705522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"vmlistview.krat5urface.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842421/; classtype:trojan-activity;sid:84705521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/73922b30-d888-4af7-9bb4-e76054f7aa33/check.so"; depth:46; endswith; nocase; http.host; content:"srvhubnode.7toravex.pics"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842420/; classtype:trojan-activity;sid:84705520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"usrgrpstat.krat5urface.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842419/; classtype:trojan-activity;sid:84705519; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842417/; classtype:trojan-activity;sid:84705517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"optwebnode.krat5urface.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842418/; classtype:trojan-activity;sid:84705518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"proxysserv.guess-relevation.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842416/; classtype:trojan-activity;sid:84705516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"lanhoppath.guess-relevation.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842415/; classtype:trojan-activity;sid:84705515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842414)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.48.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842414/; classtype:trojan-activity;sid:84705514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"subclidata.guess-relevation.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842413/; classtype:trojan-activity;sid:84705513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842412/; classtype:trojan-activity;sid:84705512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.247.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842411/; classtype:trojan-activity;sid:84705511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"bitkitmaps.guess-relevation.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842410/; 
classtype:trojan-activity;sid:84705510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"envsetproc.guess-relevation.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842409/; classtype:trojan-activity;sid:84705509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"doclabutil.guess-relevation.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842408/; classtype:trojan-activity;sid:84705508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.101.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842407/; classtype:trojan-activity;sid:84705507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.236.101.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842406/; classtype:trojan-activity;sid:84705506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842405)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.168.52.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842405/; classtype:trojan-activity;sid:84705505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"syncitnode.fromj2nitor.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842404/; classtype:trojan-activity;sid:84705504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"ioflowpath.fromj2nitor.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842403/; classtype:trojan-activity;sid:84705503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.247.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842402/; classtype:trojan-activity;sid:84705502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.83.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842401/; 
classtype:trojan-activity;sid:84705501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"taskidview.fromj2nitor.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842400/; classtype:trojan-activity;sid:84705500; rev:1;)
# NOTE(review): the next rule (sid 84705499) repeats the http.uri and
# http.host match of sid 84705500 directly above; only msg, reference and sid
# differ, so a single matching request raises two alerts. Presumably the two
# URLhaus entries differ in a part the rule does not encode (scheme or port);
# confirm against the referenced entries, and deduplicate or threshold
# downstream if paired alerts are noise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2cb43a1-3db9-486a-a707-ee88bcdb4813/google.ocx"; depth:48; endswith; nocase; http.host; content:"taskidview.fromj2nitor.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842399/; classtype:trojan-activity;sid:84705499; rev:1;)
# The URI pattern "/i" with depth:2 and endswith matches only a request whose
# whole normalized URI is "/i"; the rule is specific only because http.host is
# pinned to a single address as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.0.82.176"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842398/; classtype:trojan-activity;sid:84705498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.217.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842397/; classtype:trojan-activity;sid:84705497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842396)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.228.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842396/; classtype:trojan-activity;sid:84705496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.168.52.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842395/; classtype:trojan-activity;sid:84705495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.0.82.176"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842394/; classtype:trojan-activity;sid:84705494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842393/; classtype:trojan-activity;sid:84705493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.92.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842392/; classtype:trojan-activity;sid:84705492; rev:1;)
# In the next rule (sid 84705491) "|3f|" is Suricata's hex notation for the
# single byte 0x3f ("?"), so the http.uri pattern is
# "/?ublib=eionlkkgmahmubqx": the match includes the query string.
# NOTE(review): decoded, that pattern is 24 bytes, but the rule sets depth:27,
# which is the length of the pattern text with "|3f|" counted as four
# characters. The other rules here set depth equal to the pattern length so
# that depth + endswith compares the whole URI; with 3 bytes of slack this
# rule also accepts a URI that has up to three extra bytes before the pattern.
# depth:24 would pin it exactly; worth reporting to the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=eionlkkgmahmubqx"; depth:27; endswith; nocase; http.host; content:"dqooybvg.overreactuntr2ve.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842391/; classtype:trojan-activity;sid:84705491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.8.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842390/; classtype:trojan-activity;sid:84705490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.228.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842389/; classtype:trojan-activity;sid:84705489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.217.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842388/; classtype:trojan-activity;sid:84705488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.247.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842387/; 
classtype:trojan-activity;sid:84705487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842386/; classtype:trojan-activity;sid:84705486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.powerpc"; depth:12; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842376/; classtype:trojan-activity;sid:84705476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv6l"; depth:11; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842377/; classtype:trojan-activity;sid:84705477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i686"; depth:9; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842378/; classtype:trojan-activity;sid:84705478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.sh4"; depth:8; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842379/; classtype:trojan-activity;sid:84705479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv4l"; depth:11; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842380/; classtype:trojan-activity;sid:84705480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.m68k"; depth:9; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842381/; classtype:trojan-activity;sid:84705481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.i586"; depth:9; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842382/; classtype:trojan-activity;sid:84705482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv7l"; depth:11; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842383/; classtype:trojan-activity;sid:84705483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842384)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bot.x86_64"; depth:11; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842384/; classtype:trojan-activity;sid:84705484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.armv5l"; depth:11; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842385/; classtype:trojan-activity;sid:84705485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.232.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842375/; classtype:trojan-activity;sid:84705475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.18.70.240"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842374/; classtype:trojan-activity;sid:84705474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.54.249"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842372/; classtype:trojan-activity;sid:84705472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3842373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.15.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842373/; classtype:trojan-activity;sid:84705473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.209.178.80"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842371/; classtype:trojan-activity;sid:84705471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.139.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842369/; classtype:trojan-activity;sid:84705469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.232.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842370/; classtype:trojan-activity;sid:84705470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"extnets.centaur-victim.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842368/; 
classtype:trojan-activity;sid:84705468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"pkgrunstat.cabardian-year.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842367/; classtype:trojan-activity;sid:84705467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.54.249"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842366/; classtype:trojan-activity;sid:84705466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.145.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842365/; classtype:trojan-activity;sid:84705465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"pkgruns.centaur-victim.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842364/; classtype:trojan-activity;sid:84705464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842363)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"modbuss.centaur-victim.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842363/; classtype:trojan-activity;sid:84705463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.49.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842362/; classtype:trojan-activity;sid:84705462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"modbusdata.cabardian-year.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842361/; classtype:trojan-activity;sid:84705461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.139.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842360/; classtype:trojan-activity;sid:84705460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"srcgets.centaur-victim.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, 
urlhaus.abuse.ch/url/3842359/; classtype:trojan-activity;sid:84705459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"srcgetproc.cabardian-year.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842358/; classtype:trojan-activity;sid:84705458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.80.211"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842357/; classtype:trojan-activity;sid:84705457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"uidmapbits.herdpu7pose.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842356/; classtype:trojan-activity;sid:84705456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.209.88.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842355/; classtype:trojan-activity;sid:84705455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842354)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.145.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842354/; classtype:trojan-activity;sid:84705454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.228.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842353/; classtype:trojan-activity;sid:84705453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.228.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842352/; classtype:trojan-activity;sid:84705452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.25.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842351/; classtype:trojan-activity;sid:84705451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.35.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842350/; classtype:trojan-activity;sid:84705450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3842349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.232.246.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842349/; classtype:trojan-activity;sid:84705449; rev:1;)
# How these rules anchor: on http.uri, depth is set to the content length
# (e.g. "/i" with depth:2) and endswith closes the other side, so the whole URI
# must equal the content; on http.host, depth plus isdataat:!1,relative does the
# same for the host. Only cleartext HTTP GET requests are inspected
# (alert http, http.method "GET").
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"rawdats.malachtax2tion.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842348/; classtype:trojan-activity;sid:84705448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"rawdatamap.herdpu7pose.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842347/; classtype:trojan-activity;sid:84705447; rev:1;)
# NOTE(review): in the next rule `|3f||7c|26|7c|` decodes to the five bytes
# `?|26|` (question mark, literal pipe, "26", literal pipe), not `?&`. If the
# reported URL contained `?&`, this content cannot match it -- confirm against
# the URLhaus entry. depth:127 equals the length of the escaped text, 9 more
# than the decoded content, so the match start is not pinned to offset 0 the
# way it is in the neighbouring rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/131/wellgoingonbestfeelingsforme.hta|3f||7c|26|7c|https://developer.box.com/guides/box-ai/ai-tutorials/default-agent-overrides"; depth:127; endswith; nocase; http.host; content:"192.210.186.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842346/; classtype:trojan-activity;sid:84705446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842345)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/httpsdeveloper.box.comguidesbox-aiai-tutorialsprerequisites.php"; depth:64; endswith; nocase; http.host; content:"192.210.186.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842345/; classtype:trojan-activity;sid:84705445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"ziparkview.herdpu7pose.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842344/; classtype:trojan-activity;sid:84705444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_183508.png"; depth:15; endswith; nocase; http.host; content:"pokoli.byethost9.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842343/; classtype:trojan-activity;sid:84705443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"ziparks.malachtax2tion.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842342/; classtype:trojan-activity;sid:84705442; rev:1;)
# NOTE(review): in the next rule `|3f||7c|26|7c|` decodes to the five bytes
# `?|26|` (literal pipes around "26"), not `?&`; if the reported URL carried
# `?&`, the content cannot match it -- confirm against the URLhaus entry.
# depth:92 is the length of the escaped text, 9 more than the decoded content,
# so the match start is not pinned to offset 0.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vpycvi|3f||7c|26|7c|https://www.getmailbird.com/setup/access-secureserver-net-via-imap-smtp"; depth:92; endswith; nocase; http.host; 
content:"gacorbos.me"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842340/; classtype:trojan-activity;sid:84705440; rev:1;)
# NOTE(review): in the next rule `|3f||7c|26|7c|` decodes to the five bytes
# `?|26|` (literal pipes around "26"), not `?&`; if the reported URL carried
# `?&`, the content cannot match it -- confirm against the URLhaus entry.
# depth:116 is the length of the escaped text, 9 more than the decoded content,
# so the match start is not pinned to offset 0.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oa0f7y|3f||7c|26|7c|https://www.hipaavault.com/resources/hipaa-compliant-cloud-storage-secure-your-healthcare-datas"; depth:116; endswith; nocase; http.host; content:"gacorbos.me"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842341/; classtype:trojan-activity;sid:84705441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.80.211"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842339/; classtype:trojan-activity;sid:84705439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpswww.hipaavault.comresourceshipaa-compliant-cloud-storage-secure-your-healthcare-datasbase.php"; depth:99; endswith; nocase; http.host; content:"107.172.235.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842337/; classtype:trojan-activity;sid:84705437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www.cdwg.comcontentcdwgenarticlessecurityprotecting-ot-and-critical-infrastructure-in-an-evolving-threat-linkingclooud.php"; depth:123; endswith; nocase; http.host; 
content:"107.172.235.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842338/; classtype:trojan-activity;sid:84705438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.35.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842336/; classtype:trojan-activity;sid:84705436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/156/img_182659.png"; depth:19; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842333/; classtype:trojan-activity;sid:84705433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/112/wecontrolaroundtheworldwithme.hta"; depth:38; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842334/; classtype:trojan-activity;sid:84705434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpswww.cdwg.comcontentcdwgensolutionsdigital-enablemententerprise-application-integration.html.php"; depth:101; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842335/; classtype:trojan-activity;sid:84705435; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"osbases.tribun-triptych.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842332/; classtype:trojan-activity;sid:84705432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11/verynicepersonforeverybodytogive.hta"; depth:40; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842330/; classtype:trojan-activity;sid:84705430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11/img_235009.png"; depth:18; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842331/; classtype:trojan-activity;sid:84705431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/images/social-icons.png"; depth:34; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842328/; classtype:trojan-activity;sid:84705428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/stylesheets/all.css"; 
depth:30; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842329/; classtype:trojan-activity;sid:84705429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpswww.box.comindustriesmedia-and-entertainment.php"; depth:54; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842322/; classtype:trojan-activity;sid:84705422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/42/greatthingsforbetterwayformebest.hta"; depth:40; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842323/; classtype:trojan-activity;sid:84705423; rev:1;)
# NOTE(review): in the next rule `|3f||7c|26|7c|` decodes to the five bytes
# `?|26|` (literal pipes around "26"), not `?&`; if the reported URL carried
# `?&`, the content cannot match it -- confirm against the URLhaus entry.
# depth:136 appears to be the length of the escaped text rather than of the
# decoded content (as in the other rules using this escape) -- TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51/treeforbetterpicturetogiveubest.hta|3f||7c|26|7c|https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661"; depth:136; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842324/; classtype:trojan-activity;sid:84705424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/112/img_230705.png"; depth:19; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842325/; classtype:trojan-activity;sid:84705425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www.cdwg.comcontentcdwgenarticlessecurityprotecting-ot-and-critical-infrastructure-in-an-evolving-threat-landscape.php"; depth:119; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842326/; classtype:trojan-activity;sid:84705426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/155/greatideadsneverbeenchangefrom.hta"; depth:39; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842327/; classtype:trojan-activity;sid:84705427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842321/; classtype:trojan-activity;sid:84705421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.210.109"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842320/; classtype:trojan-activity;sid:84705420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3842319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26/securethispersonnetworkwithmyfriend.hta|3f||7c|26|7c|%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c%d4%8c"; depth:153; endswith; nocase; http.host; content:"66.63.170.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842319/; classtype:trojan-activity;sid:84705419; rev:1;)
# NOTE(review) on the rule ending on the line above (sid:84705419):
#  - `|3f||7c|26|7c|` decodes to the five bytes `?|26|` (literal pipes around
#    "26"), not `?&`; if the reported URL carried `?&`, the content cannot
#    match it -- confirm against the URLhaus entry.
#  - the content holds literal `%d4%8c` text but is matched against http.uri,
#    the normalized URI buffer. If normalization percent-decodes these bytes,
#    the literal text is never present -- confirm, or match on http.uri.raw.
#  - depth:153 is the length of the escaped text, 9 more than the decoded
#    content, so the match start is not pinned to offset 0.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpsblog.photobucket.comsecure-photo-sharing-keeping-your-photos-safe-and-secure-metadata.php"; depth:95; endswith; nocase; http.host; content:"66.63.170.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842318/; classtype:trojan-activity;sid:84705418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"metalts.tribun-triptych.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842317/; classtype:trojan-activity;sid:84705417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.232.246.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842316/; classtype:trojan-activity;sid:84705416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842315)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"apidocs.tribun-triptych.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842315/; classtype:trojan-activity;sid:84705415; rev:1;)
# NOTE(review): the next rule (sid:84705414) carries the same http.uri and
# http.host content as sid:84705415 on the line above; only msg, reference and
# sid differ, so a single matching request raises both alerts. Account for the
# duplicate when counting hits or thresholding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"apidocs.tribun-triptych.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842314/; classtype:trojan-activity;sid:84705414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.107.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842313/; classtype:trojan-activity;sid:84705413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20/webuybetterplacesformebetter.hta"; depth:36; endswith; nocase; http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842312/; classtype:trojan-activity;sid:84705412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpsblog.photobucket.comsecure-photo-sharing-keeping-your-photos-safe-and-secure.php"; depth:86; endswith; nocase; 
http.host; content:"66.63.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842311/; classtype:trojan-activity;sid:84705411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"dbinsts.tribun-triptych.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842310/; classtype:trojan-activity;sid:84705410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm7"; depth:16; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842308/; classtype:trojan-activity;sid:84705408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.arm5"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842309/; classtype:trojan-activity;sid:84705409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.mips"; depth:16; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842304/; classtype:trojan-activity;sid:84705404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3842305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bwwg"; depth:5; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842305/; classtype:trojan-activity;sid:84705405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.arm"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842306/; classtype:trojan-activity;sid:84705406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.mpsl"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842307/; classtype:trojan-activity;sid:84705407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.arm7"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842290/; classtype:trojan-activity;sid:84705390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbcl"; depth:5; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842291/; 
classtype:trojan-activity;sid:84705391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.m68k"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842292/; classtype:trojan-activity;sid:84705392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm"; depth:15; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842293/; classtype:trojan-activity;sid:84705393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.x86_64"; depth:18; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842294/; classtype:trojan-activity;sid:84705394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.mpsl"; depth:16; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842295/; classtype:trojan-activity;sid:84705395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.arm6"; depth:11; endswith; nocase; http.host; 
content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842296/; classtype:trojan-activity;sid:84705396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm6"; depth:16; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842297/; classtype:trojan-activity;sid:84705397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.ppc"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842298/; classtype:trojan-activity;sid:84705398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.arm5"; depth:16; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842299/; classtype:trojan-activity;sid:84705399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.m68k"; depth:16; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842300/; classtype:trojan-activity;sid:84705400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842301)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.sh4"; depth:10; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842301/; classtype:trojan-activity;sid:84705401; rev:1;)
# ---------------------------------------------------------------------------
# Reading notes for the signatures below (all carry created_at 2026_05_08).
# The line above is the tail of a rule whose header lies before this section.
#
# Every rule in this run has the same shape:
#   * `alert http $HOME_NET any -> $EXTERNAL_NET any` + `flow:established,from_client`
#     - client-to-server requests from the protected networks that the engine
#       has parsed as HTTP. Requests carried inside TLS are not visible to
#       these rules unless they are decrypted upstream.
#   * `http.method; content:"GET";` - only GET requests are considered.
#   * `http.uri; content:"<path>"; depth:<len>; endswith; nocase;`
#     - depth equals the pattern length and endswith pins the end, so the whole
#       URI buffer must equal <path> (case-insensitively). The same file
#       requested under another path or with an added query string does not match.
#   * `http.host; content:"<host>"; depth:<len>; isdataat:!1,relative;`
#     - the host buffer must equal <host> exactly; nothing may follow it.
#   * `reference:url, urlhaus.abuse.ch/url/<id>/` points at the feed entry; in
#     every rule visible here sid = <id> + 80863100.
#
# These are exact-URL indicators, not family signatures: an alert means a host
# in $HOME_NET requested that precise URL. Short paths such as "/i" or "/gay"
# are only meaningful because the host is pinned in the same rule.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.x86"; depth:15; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842302/; classtype:trojan-activity;sid:84705402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.mips"; depth:11; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842303/; classtype:trojan-activity;sid:84705403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.sh4"; depth:15; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842286/; classtype:trojan-activity;sid:84705386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.ppc"; depth:15; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842287/; classtype:trojan-activity;sid:84705387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/micro.spc"; depth:15; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842288/; classtype:trojan-activity;sid:84705388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nexus.x86_64"; depth:13; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842289/; classtype:trojan-activity;sid:84705389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wwg"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842284/; classtype:trojan-activity;sid:84705384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ccl"; depth:4; endswith; nocase; http.host; content:"85.239.151.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842285/; classtype:trojan-activity;sid:84705385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaynig"; depth:7; endswith; nocase; http.host; content:"45.148.10.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842281/; classtype:trojan-activity;sid:84705381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microc2.sh"; depth:11; endswith; nocase; http.host; content:"217.60.245.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842282/; classtype:trojan-activity;sid:84705382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gay"; depth:4; endswith; nocase; http.host; content:"45.148.10.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842283/; classtype:trojan-activity;sid:84705383; rev:1;)
# From here on, many rules share one of four long URI paths and differ only in
# the host label. Each host gets its own rule because the host match is exact;
# a new subdomain serving the same path is not covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"skyvpns.tribun-triptych.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842280/; classtype:trojan-activity;sid:84705380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.203.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842279/; classtype:trojan-activity;sid:84705379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"tmpdirs.overdoitework.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842278/; classtype:trojan-activity;sid:84705378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.108.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842277/; classtype:trojan-activity;sid:84705377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"sshbins.overdoitework.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842276/; classtype:trojan-activity;sid:84705376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.182.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842275/; classtype:trojan-activity;sid:84705375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"sslkeys.overdoitework.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842274/; classtype:trojan-activity;sid:84705374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"getcfgs.overdoitework.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842272/; classtype:trojan-activity;sid:84705372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"getcfghubs.nomination5yak.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842273/; classtype:trojan-activity;sid:84705373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.108.67"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842270/; classtype:trojan-activity;sid:84705370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.67.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842271/; classtype:trojan-activity;sid:84705371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.203.119"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842269/; classtype:trojan-activity;sid:84705369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"ipnodes.overdoitework.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842268/; classtype:trojan-activity;sid:84705368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"hotfixs.overdoitework.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842267/; classtype:trojan-activity;sid:84705367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"hotfixpack.nomination5yak.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842266/; classtype:trojan-activity;sid:84705366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"bitfoxs.comforter-panel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842265/; classtype:trojan-activity;sid:84705365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"bitfoxcore.radio-technic.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842264/; classtype:trojan-activity;sid:84705364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.172.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842263/; classtype:trojan-activity;sid:84705363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.110.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842262/; classtype:trojan-activity;sid:84705362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.182.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842261/; classtype:trojan-activity;sid:84705361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"topsvcutil.radio-technic.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842260/; classtype:trojan-activity;sid:84705360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"topsvcs.comforter-panel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842259/; classtype:trojan-activity;sid:84705359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"opsmgrsvcs.radio-technic.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842258/; classtype:trojan-activity;sid:84705358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"opsmgrs.comforter-panel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842257/; classtype:trojan-activity;sid:84705357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"cpuprosmgr.radio-technic.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842256/; classtype:trojan-activity;sid:84705356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"cpupros.comforter-panel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842255/; classtype:trojan-activity;sid:84705355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.158.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842254/; classtype:trojan-activity;sid:84705354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"vpsrunproc.radio-technic.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842253/; classtype:trojan-activity;sid:84705353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"vpsruns.comforter-panel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842252/; classtype:trojan-activity;sid:84705352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.172.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842251/; classtype:trojan-activity;sid:84705351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k5s8-byna-tqed-r6mwn-swmbz-jb2jq3v/access.fltr"; depth:47; endswith; nocase; http.host; content:"dnswebs.comforter-panel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842250/; classtype:trojan-activity;sid:84705350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3yi7g-ma327-8b2fi-63zr3-x2775-6qb/updates.gstate"; depth:50; endswith; nocase; http.host; content:"dnswebsrvs.radio-technic.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842249/; classtype:trojan-activity;sid:84705349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.223.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842248/; classtype:trojan-activity;sid:84705348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"srvlogview.cereal5pesivet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842247/; classtype:trojan-activity;sid:84705347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"appboxs.dreamer5hrew.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842246/; classtype:trojan-activity;sid:84705346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.110.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842245/; classtype:trojan-activity;sid:84705345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.135.223.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842244/; classtype:trojan-activity;sid:84705344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.102.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842243/; classtype:trojan-activity;sid:84705343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"netapiprot.cereal5pesivet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842242/; classtype:trojan-activity;sid:84705342; rev:1;)
# NOTE(review): the next rule tests the same method, URI and host as the one
# above; only the URLhaus id and sid differ, so a single matching request
# raises two alerts. Presumably the feed holds two entries that differ in
# something these keywords do not test - confirm against the referenced
# entries before deduplicating or thresholding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"netapiprot.cereal5pesivet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842241/; classtype:trojan-activity;sid:84705341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"devbits.dreamer5hrew.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842240/; classtype:trojan-activity;sid:84705340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"webcdnstat.cereal5pesivet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842239/; classtype:trojan-activity;sid:84705339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"srvlogs.dreamer5hrew.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842238/; classtype:trojan-activity;sid:84705338; rev:1;)
# NOTE(review): same match conditions as the rule above (3842238); both fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"srvlogs.dreamer5hrew.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842237/; classtype:trojan-activity;sid:84705337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.158.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842236/; classtype:trojan-activity;sid:84705336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"srvhubnode.cereal5pesivet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842235/; classtype:trojan-activity;sid:84705335; rev:1;)
# NOTE(review): same match conditions as the rule above (3842235); both fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"srvhubnode.cereal5pesivet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842234/; classtype:trojan-activity;sid:84705334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"netapis.dreamer5hrew.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842233/; classtype:trojan-activity;sid:84705333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842232/; classtype:trojan-activity;sid:84705332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"webcdnx.dreamer5hrew.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842231/; classtype:trojan-activity;sid:84705331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"gene-pod.di7ectkoshevoy.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842230/; classtype:trojan-activity;sid:84705330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"srvhubs.dreamer5hrew.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842229/; classtype:trojan-activity;sid:84705329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"yv1v.di7ectkoshevoy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842228/; classtype:trojan-activity;sid:84705328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"organiquot.scient-telograyka.lat"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842227/; classtype:trojan-activity;sid:84705327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"circuit-scope.lomov-stroganal.lat"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842226/; classtype:trojan-activity;sid:84705326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.249.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842224/; classtype:trojan-activity;sid:84705324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.119.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842225/; classtype:trojan-activity;sid:84705325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.251.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842223/; classtype:trojan-activity;sid:84705323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"c52ih.lomov-stroganal.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842222/; classtype:trojan-activity;sid:84705322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.198.25.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842221/; classtype:trojan-activity;sid:84705321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"7mnkjpr.scient-telograyka.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842220/; classtype:trojan-activity;sid:84705320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"rgdqy.lomov-stroganal.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842219/; classtype:trojan-activity;sid:84705319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"hf0gzeo.scient-telograyka.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842218/; classtype:trojan-activity;sid:84705318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"factima.lomov-stroganal.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842217/; classtype:trojan-activity;sid:84705317; rev:1;)
# NOTE(review): same match conditions as the rule above (3842217); both fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"factima.lomov-stroganal.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842216/; classtype:trojan-activity;sid:84705316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"norflux9ar.scient-telograyka.lat"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842215/; classtype:trojan-activity;sid:84705315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"lumnex0or.lomov-stroganal.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842214/; classtype:trojan-activity;sid:84705314; rev:1;)
# NOTE(review): same match conditions as the rule above (3842214); both fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"lumnex0or.lomov-stroganal.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842213/; classtype:trojan-activity;sid:84705313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"layersun.scient-telograyka.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842212/; classtype:trojan-activity;sid:84705312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"outer8-signal.lomov-stroganal.lat"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842211/; classtype:trojan-activity;sid:84705311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"biomesha.salvat5pozar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842210/; classtype:trojan-activity;sid:84705310; rev:1;)
# NOTE(review): same match conditions as the rule above (3842210); both fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"biomesha.salvat5pozar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842209/; classtype:trojan-activity;sid:84705309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"pasturepal.swimsuit-unable.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842208/; classtype:trojan-activity;sid:84705308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"triven1os.salvat5pozar.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842207/; classtype:trojan-activity;sid:84705307; rev:1;)
# NOTE(review): same match conditions as the rule above (3842207); both fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"triven1os.salvat5pozar.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842206/; classtype:trojan-activity;sid:84705306; rev:1;)
# The rule below continues past the end of this section.
# NOTE(review): its URI pattern writes "?" as the hex escape |3f|, which is one
# byte on the wire, so the pattern is 24 bytes long while depth is 27 (the
# length of the escaped text). With endswith this still pins the end of the
# buffer, but the start is not anchored as tightly as in the rules above -
# presumably a generator artefact; confirm against the feed's rule generator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=phpawalzacjtsvhp"; depth:27; endswith; nocase; http.host; content:"c3353u83.peddler-wasting.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_08;
reference:url, urlhaus.abuse.ch/url/3842205/; classtype:trojan-activity;sid:84705305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"ascfholn.salvat5pozar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842204/; classtype:trojan-activity;sid:84705304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"unx7.swimsuit-unable.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842203/; classtype:trojan-activity;sid:84705303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842194/; classtype:trojan-activity;sid:84705294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842195/; classtype:trojan-activity;sid:84705295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842196)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842196/; classtype:trojan-activity;sid:84705296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842197/; classtype:trojan-activity;sid:84705297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842198/; classtype:trojan-activity;sid:84705298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842199/; classtype:trojan-activity;sid:84705299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842200/; classtype:trojan-activity;sid:84705300; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842201/; classtype:trojan-activity;sid:84705301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842202/; classtype:trojan-activity;sid:84705302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"hjdssxth.swimsuit-unable.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842193/; classtype:trojan-activity;sid:84705293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"amrl.salvat5pozar.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842192/; classtype:trojan-activity;sid:84705292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; 
depth:55; endswith; nocase; http.host; content:"hjdssxth.swimsuit-unable.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842191/; classtype:trojan-activity;sid:84705291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842189/; classtype:trojan-activity;sid:84705289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842190/; classtype:trojan-activity;sid:84705290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"dynmarka.swimsuit-unable.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842188/; classtype:trojan-activity;sid:84705288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"dynmarka.swimsuit-unable.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842187/; 
classtype:trojan-activity;sid:84705287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"sceneform.salvat5pozar.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842186/; classtype:trojan-activity;sid:84705286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.244.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842185/; classtype:trojan-activity;sid:84705285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.239.80.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842184/; classtype:trojan-activity;sid:84705284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"komv9kg.swimsuit-unable.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842183/; classtype:trojan-activity;sid:84705283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842182)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.15.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842182/; classtype:trojan-activity;sid:84705282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"sh1e1d8-trail.diesel-stark.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842181/; classtype:trojan-activity;sid:84705281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.253.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842180/; classtype:trojan-activity;sid:84705280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"oak-branch.swimsuit-unable.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842179/; classtype:trojan-activity;sid:84705279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"zhe9.diesel-stark.lat"; depth:21; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842178/; classtype:trojan-activity;sid:84705278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.112.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842177/; classtype:trojan-activity;sid:84705277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"global-defe.swimsuit-unable.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842176/; classtype:trojan-activity;sid:84705276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"dynline1a.diesel-stark.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842175/; classtype:trojan-activity;sid:84705275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.112.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842173/; classtype:trojan-activity;sid:84705273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3842174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.176.13.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842174/; classtype:trojan-activity;sid:84705274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"859wyr.porukau8ar.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842172/; classtype:trojan-activity;sid:84705272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"harrain.diesel-stark.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842171/; classtype:trojan-activity;sid:84705271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.244.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842170/; classtype:trojan-activity;sid:84705270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.15.174"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842169/; classtype:trojan-activity;sid:84705269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.161.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842168/; classtype:trojan-activity;sid:84705268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/fyr2gxe.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842167/; classtype:trojan-activity;sid:84705267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"finalcampaign.porukau8ar.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842166/; classtype:trojan-activity;sid:84705266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"finalcampaign.porukau8ar.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842165/; classtype:trojan-activity;sid:84705265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3842164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"lfvkqfz.diesel-stark.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842164/; classtype:trojan-activity;sid:84705264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"kelspire4en.skewedencro2ch.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842163/; classtype:trojan-activity;sid:84705263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"sub-4sh.porukau8ar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842162/; classtype:trojan-activity;sid:84705262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"gwq4.skewedencro2ch.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842161/; classtype:trojan-activity;sid:84705261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842160)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"gwq4.skewedencro2ch.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842160/; classtype:trojan-activity;sid:84705260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"cqkjo.porukau8ar.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842159/; classtype:trojan-activity;sid:84705259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.202.79"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842158/; classtype:trojan-activity;sid:84705258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"howgsr7.porukau8ar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842157/; classtype:trojan-activity;sid:84705257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; 
nocase; http.host; content:"efk47wb3.skewedencro2ch.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842156/; classtype:trojan-activity;sid:84705256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"5torm-sync.porukau8ar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842155/; classtype:trojan-activity;sid:84705255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.241.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842154/; classtype:trojan-activity;sid:84705254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"kekie27.skewedencro2ch.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842153/; classtype:trojan-activity;sid:84705253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.249.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842152/; classtype:trojan-activity;sid:84705252; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.101.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842150/; classtype:trojan-activity;sid:84705250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.199.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842151/; classtype:trojan-activity;sid:84705251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"dyn-fluxix.porukau8ar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842149/; classtype:trojan-activity;sid:84705249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"neo-carg0.skewedencro2ch.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842148/; classtype:trojan-activity;sid:84705248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842147)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"dptfcl.rataj-vertky.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842147/; classtype:trojan-activity;sid:84705247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"tvqib.centrifuge-four.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842146/; classtype:trojan-activity;sid:84705246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"reef7-line.centrifuge-four.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842145/; classtype:trojan-activity;sid:84705245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"x9hs.rataj-vertky.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842144/; classtype:trojan-activity;sid:84705244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.131.152"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842142/; classtype:trojan-activity;sid:84705242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"shapegate.rataj-vertky.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842143/; classtype:trojan-activity;sid:84705243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.135.209.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842141/; classtype:trojan-activity;sid:84705241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"audi-vector.centrifuge-four.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842140/; classtype:trojan-activity;sid:84705240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"grim-wave.rataj-vertky.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842139/; classtype:trojan-activity;sid:84705239; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"quor-draet.centrifuge-four.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842138/; classtype:trojan-activity;sid:84705238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.138.129.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842137/; classtype:trojan-activity;sid:84705237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"irfw.rataj-vertky.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842136/; classtype:trojan-activity;sid:84705236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"shapegeyse.centrifuge-four.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842135/; classtype:trojan-activity;sid:84705235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842134)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s7yhd67/sleepforebear.ps1"; depth:26; endswith; nocase; http.host; content:"193.169.194.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842134/; classtype:trojan-activity;sid:84705234; rev:1;)
# Several .ps1 URIs under /s7yhd67/ share the host 193.169.194.40; each has its own sid, so alerts for
# them can be grouped by Host during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.131.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842133/; classtype:trojan-activity;sid:84705233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s7yhd67/adhesivewipe.ps1"; depth:25; endswith; nocase; http.host; content:"193.169.194.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842131/; classtype:trojan-activity;sid:84705231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s7yhd67/madlybibliography.ps1"; depth:30; endswith; nocase; http.host; content:"193.169.194.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842132/; classtype:trojan-activity;sid:84705232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"1ws11.rataj-vertky.lat"; depth:22; isdataat:!1,relative; metadata:created_at 
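2026_05_08; reference:url, urlhaus.abuse.ch/url/3842129/; classtype:trojan-activity;sid:84705229; rev:1;)
# One rule per URLhaus entry: GET, URI pinned by depth + endswith (nocase), Host pinned by depth + isdataat:!1,relative.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"1ws11.rataj-vertky.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842130/; classtype:trojan-activity;sid:84705230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s7yhd67/buggypassage.ps1"; depth:25; endswith; nocase; http.host; content:"193.169.194.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842128/; classtype:trojan-activity;sid:84705228; rev:1;)
# sid 84705227: the feed wrote the query separator as |7c|26|7c|, which Suricata decodes to the four
# literal bytes "|26|", so the content could not match a URI containing "&id=". It is written below as
# |26| (one "&" byte). This is a local correction: confirm it against the referenced URLhaus entry, and
# note that re-downloading the feed will presumably bring back the upstream text.
# depth:68 is the length of the escaped text in the original rule; the decoded content is 56 bytes,
# so the unchanged depth still covers it.
# drive.google.com is a shared host normally reached over HTTPS, so an "alert http" rule presumably
# sees this request only where TLS is decrypted; the file id is what makes the match specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1eu5cytpsdmnohtb-qsbippdmlifwuusz"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842127/; classtype:trojan-activity;sid:84705227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h29d63/h29d63mde2/pqpnf692.js"; depth:30; endswith; nocase; http.host; content:"254.182.153.160.host.secureserver.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842126/; classtype:trojan-activity;sid:84705226; rev:1;)
alert http $HOME_NET any -> 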
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_094219.png"; depth:15; endswith; nocase; http.host; content:"104.249.10.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842124/; classtype:trojan-activity;sid:84705224; rev:1;)
# The .png names are URI text only; the rule does not inspect the response, so the extension says
# nothing about what was actually served.
# sid 84705222: wmail.dsdmpu.gov.za with an /owa/auth/ path looks like a legitimate mail host serving
# the file (possibly compromised - confirm). Read an alert as a download of that exact URL, not as a
# verdict on all traffic to the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_133323.png"; depth:15; endswith; nocase; http.host; content:"updatedserverrr.io"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842125/; classtype:trojan-activity;sid:84705225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"vordrais9.audiheadboa7d.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842123/; classtype:trojan-activity;sid:84705223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/auth/current/tb.msi"; depth:24; endswith; nocase; http.host; content:"wmail.dsdmpu.gov.za"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842122/; classtype:trojan-activity;sid:84705222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; 
depth:55; endswith; nocase; http.host; content:"mount9-crest.rataj-vertky.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842121/; classtype:trojan-activity;sid:84705221; rev:1;)
# In the two /api/autoit-* rules, |3f| is a single byte ("?") but depth:53 counts the escaped text;
# the decoded content is 50 bytes. Combined with endswith, the URI may therefore carry up to three
# extra leading bytes and still match - slightly looser than the exact match the other rules give.
# Both rules carry the same "t=" value and differ only in the -dat / -exe path suffix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/autoit-dat|3f|t=af0231313f5c45e4a040832b420953fd"; depth:53; endswith; nocase; http.host; content:"65.109.55.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842120/; classtype:trojan-activity;sid:84705220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/autoit-exe|3f|t=af0231313f5c45e4a040832b420953fd"; depth:53; endswith; nocase; http.host; content:"65.109.55.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842119/; classtype:trojan-activity;sid:84705219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"slate1-pulse.audiheadboa7d.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842118/; classtype:trojan-activity;sid:84705218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"eyahy.expo5ejouer.lat"; depth:21; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842117/; classtype:trojan-activity;sid:84705217; rev:1;)
# Short, extensionless paths on 45.148.120.78. A 4-5 byte URI carries little signal by itself, so
# these rules rely on the exact Host match; alerts for them can be grouped by that host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bf6"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842116/; classtype:trojan-activity;sid:84705216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dq0"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842111/; classtype:trojan-activity;sid:84705211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/460g"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842112/; classtype:trojan-activity;sid:84705212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ele"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842113/; classtype:trojan-activity;sid:84705213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t5m"; depth:4; endswith; nocase; 
http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842114/; classtype:trojan-activity;sid:84705214; rev:1;)
# One rule per URLhaus entry: GET, URI pinned by depth + endswith (nocase), Host pinned by depth + isdataat:!1,relative.
# sid 84705207 matches the two-byte URI "/i"; only the exact Host value makes it specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hgn"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842115/; classtype:trojan-activity;sid:84705215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"sol-lithon.audiheadboa7d.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842110/; classtype:trojan-activity;sid:84705210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"urban-rel.expo5ejouer.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842109/; classtype:trojan-activity;sid:84705209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.239.201"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842107/; classtype:trojan-activity;sid:84705207; rev:1;)
alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"25smp.audiheadboa7d.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842108/; classtype:trojan-activity;sid:84705208; rev:1;)
# sid 84705206 pins the same URI and Host as sid 84705208 directly above (two URLhaus entries,
# identical match conditions), so a single request raises both alerts; deduplicate on host + URI
# downstream if the double alert is noisy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"25smp.audiheadboa7d.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842106/; classtype:trojan-activity;sid:84705206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"extractrela.audiheadboa7d.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842105/; classtype:trojan-activity;sid:84705205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"itage.expo5ejouer.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842104/; classtype:trojan-activity;sid:84705204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842103)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantom.sh"; depth:11; endswith; nocase; http.host; content:"45.157.233.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842103/; classtype:trojan-activity;sid:84705203; rev:1;)
# The rules match on the request only (flow ... from_client): an alert shows that a $HOME_NET client
# asked for the URL, not that the download completed; check the response or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/sie4juh.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842102/; classtype:trojan-activity;sid:84705202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.233.39.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842101/; classtype:trojan-activity;sid:84705201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.200.81.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842099/; classtype:trojan-activity;sid:84705199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"fclmwfzz.colonist-proph.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, 
urlhaus.abuse.ch/url/3842100/; classtype:trojan-activity;sid:84705200; rev:1;)
# sid 84705198 pins the host fclmwfzz.colonist-proph.lat with the on3.verification path; the rule
# ending directly above (sid 84705200) references a different URLhaus entry - compare the two for an
# identical host/URI pair before treating paired alerts as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"fclmwfzz.colonist-proph.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842098/; classtype:trojan-activity;sid:84705198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"sermarkal8.expo5ejouer.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842097/; classtype:trojan-activity;sid:84705197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.168.217.0"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842096/; classtype:trojan-activity;sid:84705196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"byi4cjm.expo5ejouer.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842095/; classtype:trojan-activity;sid:84705195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3842094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"arnnav.colonist-proph.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842094/; classtype:trojan-activity;sid:84705194; rev:1;)
# sids 84705193 and 84705192 have identical match conditions (same URI, same Host) and differ only in
# the URLhaus entry they reference; one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"insightmemo.expo5ejouer.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842093/; classtype:trojan-activity;sid:84705193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"insightmemo.expo5ejouer.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842092/; classtype:trojan-activity;sid:84705192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"ark-vena.colonist-proph.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842091/; classtype:trojan-activity;sid:84705191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842090)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"balancebold.expo5ejouer.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842090/; classtype:trojan-activity;sid:84705190; rev:1;)
# One rule per URLhaus entry: GET, URI pinned by depth + endswith (nocase), Host pinned by depth + isdataat:!1,relative.
# The rules name no port ("any"), so a match does not depend on which port the listed host serves on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"podcamoss.colonist-proph.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842089/; classtype:trojan-activity;sid:84705189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"reviewgard.priesthood-in.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842088/; classtype:trojan-activity;sid:84705188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.239.201"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842087/; classtype:trojan-activity;sid:84705187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; 
content:"printposte.colonist-proph.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842086/; classtype:trojan-activity;sid:84705186; rev:1;)
# sids 84705185 and 84705184 have identical match conditions (same URI, same Host) and differ only in
# the URLhaus entry they reference; one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"trilineon.priesthood-in.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842085/; classtype:trojan-activity;sid:84705185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"trilineon.priesthood-in.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842084/; classtype:trojan-activity;sid:84705184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.44.179"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842083/; classtype:trojan-activity;sid:84705183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"sub-s3cur.assonanceka1e.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, 
urlhaus.abuse.ch/url/3842082/; classtype:trojan-activity;sid:84705182; rev:1;)
# One rule per URLhaus entry: GET, URI pinned by depth + endswith (nocase), Host pinned by depth + isdataat:!1,relative.
# Every rule is "alert" only; nothing here drops traffic, so blocking has to be configured separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"alt-5cene.priesthood-in.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842081/; classtype:trojan-activity;sid:84705181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.180.15.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842080/; classtype:trojan-activity;sid:84705180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"runw4y5-spark.assonanceka1e.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842079/; classtype:trojan-activity;sid:84705179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"warmdock.priesthood-in.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842078/; classtype:trojan-activity;sid:84705178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3842077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"lz9di.assonanceka1e.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842077/; classtype:trojan-activity;sid:84705177; rev:1;)
# One rule per URLhaus entry: GET, URI pinned by depth + endswith (nocase), Host pinned by depth + isdataat:!1,relative.
# sid 84705175 ("/bin.sh" on 125.41.3.67): the path is generic, so the exact Host value carries the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"zentideis4.priesthood-in.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842076/; classtype:trojan-activity;sid:84705176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.3.67"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842075/; classtype:trojan-activity;sid:84705175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"aa63qt.assonanceka1e.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842074/; classtype:trojan-activity;sid:84705174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842073)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"mistcin.priesthood-in.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842073/; classtype:trojan-activity;sid:84705173; rev:1;)
# One rule per URLhaus entry: GET, URI pinned by depth + endswith (nocase), Host pinned by depth + isdataat:!1,relative.
# The last two rules below both pin emuw.priesthood-in.lat with the wverif.camp path (URLhaus
# entries 3842069 and 3842070), so one request to that URL matches both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.3.67"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842072/; classtype:trojan-activity;sid:84705172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"v28e.assonanceka1e.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842071/; classtype:trojan-activity;sid:84705171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"emuw.priesthood-in.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842069/; classtype:trojan-activity;sid:84705169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"emuw.priesthood-in.lat"; depth:22; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842070/; classtype:trojan-activity;sid:84705170; rev:1;)
# One rule per URLhaus entry: GET, URI pinned by depth + endswith (nocase), Host pinned by depth + isdataat:!1,relative.
# The bare-IP rules with "/i" or "/bin.sh" match only when the Host header carries that exact IP text.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"rougcurio.airport-clar.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842068/; classtype:trojan-activity;sid:84705168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.233.39.219"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842067/; classtype:trojan-activity;sid:84705167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.214.57.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842066/; classtype:trojan-activity;sid:84705166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"importdeep.sprutte5t.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842065/; classtype:trojan-activity;sid:84705165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3842064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"importdeep.sprutte5t.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842064/; classtype:trojan-activity;sid:84705164; rev:1;)
# Three bare-IP rules follow: "/i" and "/bin.sh" are generic paths, each tied to one exact Host value.
# The sids do not follow file order (…162, …163, …161), so sort by sid when looking one up.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.228.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842062/; classtype:trojan-activity;sid:84705162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.214.57.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842063/; classtype:trojan-activity;sid:84705163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.125.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842061/; classtype:trojan-activity;sid:84705161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"9rehfapi.airport-clar.lat"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842060/; classtype:trojan-activity;sid:84705160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"bgkdrlm.sprutte5t.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842059/; classtype:trojan-activity;sid:84705159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"bgkdrlm.sprutte5t.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842058/; classtype:trojan-activity;sid:84705158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"kelmeshon.airport-clar.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842057/; classtype:trojan-activity;sid:84705157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"load-array.sprutte5t.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842056/; 
classtype:trojan-activity;sid:84705156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.180.15.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842055/; classtype:trojan-activity;sid:84705155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/vbv/blacksheep/update.ps1"; depth:46; endswith; nocase; http.host; content:"abc.3bcs.cn"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842054/; classtype:trojan-activity;sid:84705154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"1vz4le.airport-clar.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842053/; classtype:trojan-activity;sid:84705153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"1vz4le.airport-clar.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842052/; classtype:trojan-activity;sid:84705152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842051)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/ccb/update.ps1"; depth:49; endswith; nocase; http.host; content:"lianagomes.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842051/; classtype:trojan-activity;sid:84705151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/morgreport/brinami.txt"; depth:23; endswith; nocase; http.host; content:"mivventi.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842050/; classtype:trojan-activity;sid:84705150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"zenspirea.byerottin8.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842049/; classtype:trojan-activity;sid:84705149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"jm7xf.sprutte5t.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842048/; classtype:trojan-activity;sid:84705148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/niihmz40"; depth:13; endswith; nocase; http.host; content:"yaso.su"; 
depth:7; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842047/; classtype:trojan-activity;sid:84705147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.96.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842046/; classtype:trojan-activity;sid:84705146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"qulxjkdn.byerottin8.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842045/; classtype:trojan-activity;sid:84705145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curinglined"; depth:12; endswith; nocase; http.host; content:"paste.sensio.no"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842044/; classtype:trojan-activity;sid:84705144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"hyper-n4rro.sprutte5t.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842043/; classtype:trojan-activity;sid:84705143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3842042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842042/; classtype:trojan-activity;sid:84705142; rev:1;)
# The rules in this feed share one template: an outbound GET from $HOME_NET
# whose http.uri equals the listed path (content + depth of the same length +
# endswith, case-insensitive via nocase) and whose http.host equals the listed
# host (content + depth + isdataat:!1,relative, i.e. nothing may follow it).
# Both matches are exact, so a request that adds a query string or changes the
# path does not alert; treat each entry as a point-in-time indicator dated by
# metadata:created_at.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"rmxuj8se.sprutte5t.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842041/; classtype:trojan-activity;sid:84705141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01/eambkfo.txt"; depth:15; endswith; nocase; http.host; content:"45.66.249.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842040/; classtype:trojan-activity;sid:84705140; rev:1;)
# NOTE(review): points to check on this rule before relying on it (the rule
# for 3842039 that follows has the same shape):
#  - It is an `alert http` rule for drive.google.com. That service is normally
#    reached over TLS, so the rule presumably only sees traffic on sensors
#    placed behind TLS decryption - confirm for your deployment.
#  - |7c|26|7c| decodes to the literal text "|26|", not to "&" (0x26). As
#    written the URI must contain "export=download|26|id=", which looks like
#    an escaping artifact of the generator; a request using "&id=" would not
#    match. Verify against the URLhaus entry in the reference.
#  - depth:68 is the length of the escaped string; the decoded pattern is 59
#    bytes, so with endswith up to 9 arbitrary leading bytes are accepted.
#  - The host is a shared file-hosting service: an alert points at one file
#    id, and nocase makes that id match in any letter case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=16vdiv3b_qeq-uwbxjpa-rpksv7l9pqkp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842038/; classtype:trojan-activity;sid:84705138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1lzf1gfbq3yfnq90tliwjio1qwaq-cp0z"; 
depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842039/; classtype:trojan-activity;sid:84705139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hfkkihf.txt"; depth:12; endswith; nocase; http.host; content:"176.31.142.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842037/; classtype:trojan-activity;sid:84705137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"7onw.byerottin8.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842036/; classtype:trojan-activity;sid:84705136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"tcng.buckish-nabere.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842035/; classtype:trojan-activity;sid:84705135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842034/; classtype:trojan-activity;sid:84705134; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a9f88b/rc.txt"; depth:14; endswith; nocase; http.host; content:"catalogo.castrouria.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842031/; classtype:trojan-activity;sid:84705131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vs/cz1290078882100-8261001.zip"; depth:31; endswith; nocase; http.host; content:"wayradigitalmusic.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842032/; classtype:trojan-activity;sid:84705132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vs/rc07833082771003-003281.zip"; depth:31; endswith; nocase; http.host; content:"wayradigitalmusic.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842033/; classtype:trojan-activity;sid:84705133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vs/bst.vbs"; depth:11; endswith; nocase; http.host; content:"wayradigitalmusic.com"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842030/; classtype:trojan-activity;sid:84705130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842029)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"lab-mark.buckish-nabere.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842029/; classtype:trojan-activity;sid:84705129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c84da/bl.txt"; depth:13; endswith; nocase; http.host; content:"catalogo.castrouria.com"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842028/; classtype:trojan-activity;sid:84705128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"fram-branch.byerottin8.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842027/; classtype:trojan-activity;sid:84705127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/5ljrfcuo"; depth:13; endswith; nocase; http.host; content:"yaso.su"; depth:7; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842026/; classtype:trojan-activity;sid:84705126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"flow-bann.byerottin8.lat"; depth:24; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842025/; classtype:trojan-activity;sid:84705125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"vel-nexa.pav9mirel.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842024/; classtype:trojan-activity;sid:84705124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"vel-nexa.pav9mirel.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842023/; classtype:trojan-activity;sid:84705123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"9jp4c.buckish-nabere.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842022/; classtype:trojan-activity;sid:84705122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"lofr.pav9mirel.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842021/; 
classtype:trojan-activity;sid:84705121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.96.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842020/; classtype:trojan-activity;sid:84705120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"silv3r-flow.buckish-nabere.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842019/; classtype:trojan-activity;sid:84705119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"silv3r-flow.buckish-nabere.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842018/; classtype:trojan-activity;sid:84705118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.138.129.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842017/; classtype:trojan-activity;sid:84705117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842016)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/|3f|ublib=vmcobgfkevpmymiq"; depth:27; endswith; nocase; http.host; content:"uvxh0h1f.ethen0shypnotist.digital"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842016/; classtype:trojan-activity;sid:84705116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"quercanv.pav9mirel.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842015/; classtype:trojan-activity;sid:84705115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.125.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842014/; classtype:trojan-activity;sid:84705114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"catal0-trail.buckish-nabere.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842013/; classtype:trojan-activity;sid:84705113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; 
content:"fallverify.pav9mirel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842012/; classtype:trojan-activity;sid:84705112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"fallverify.pav9mirel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842011/; classtype:trojan-activity;sid:84705111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.27.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842010/; classtype:trojan-activity;sid:84705110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"am6xg75.buckish-nabere.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842009/; classtype:trojan-activity;sid:84705109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.108.110"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842008/; classtype:trojan-activity;sid:84705108; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.33.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842007/; classtype:trojan-activity;sid:84705107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"runwayclini.xamir4al.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842006/; classtype:trojan-activity;sid:84705106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shednndce-looge-hronospp-up83sds35-onboard/wverif.camp"; depth:55; endswith; nocase; http.host; content:"clip3-stream.buckish-nabere.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842005/; classtype:trojan-activity;sid:84705105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.128.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842004/; classtype:trojan-activity;sid:84705104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842003)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kl0re-best34kjfeen-fmmexcel-wr3775-on75/on3.verification"; depth:57; endswith; nocase; http.host; content:"kptc.xamir4al.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842003/; classtype:trojan-activity;sid:84705103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"circuit-scope.lomov-stroganal.lat"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842002/; classtype:trojan-activity;sid:84705102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"carrie-branch.7doreval.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842001/; classtype:trojan-activity;sid:84705101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3842000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"arraydar.lomov-stroganal.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3842000/; classtype:trojan-activity;sid:84705100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; 
content:"dev-shel.sorix1ar.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841999/; classtype:trojan-activity;sid:84705099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.183.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841997/; classtype:trojan-activity;sid:84705097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.128.84"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841998/; classtype:trojan-activity;sid:84705098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"5fp3.sorix1ar.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841996/; classtype:trojan-activity;sid:84705096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"yv1v.di7ectkoshevoy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841995/; classtype:trojan-activity;sid:84705095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3841994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841994/; classtype:trojan-activity;sid:84705094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"gene-pod.di7ectkoshevoy.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841993/; classtype:trojan-activity;sid:84705093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"goldefer.sorix1ar.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841992/; classtype:trojan-activity;sid:84705092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841991/; classtype:trojan-activity;sid:84705091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"176.65.139.174"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841990/; classtype:trojan-activity;sid:84705090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toto.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841989/; classtype:trojan-activity;sid:84705089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.33.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841988/; classtype:trojan-activity;sid:84705088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"xvinmbn2.sorix1ar.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841987/; classtype:trojan-activity;sid:84705087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841984/; classtype:trojan-activity;sid:84705084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841985)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841985/; classtype:trojan-activity;sid:84705085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841986/; classtype:trojan-activity;sid:84705086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841978/; classtype:trojan-activity;sid:84705078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841979/; classtype:trojan-activity;sid:84705079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841980/; classtype:trojan-activity;sid:84705080; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841981/; classtype:trojan-activity;sid:84705081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841982/; classtype:trojan-activity;sid:84705082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841983/; classtype:trojan-activity;sid:84705083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"proto-c4sua.di7ectkoshevoy.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841977/; classtype:trojan-activity;sid:84705077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.139.83.93"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841976/; classtype:trojan-activity;sid:84705076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"aesgauji.sorix1ar.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841975/; classtype:trojan-activity;sid:84705075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"sh4do-phase.di7ectkoshevoy.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841974/; classtype:trojan-activity;sid:84705074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.230.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841973/; classtype:trojan-activity;sid:84705073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"r0ad-hold.di7ectkoshevoy.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841972/; classtype:trojan-activity;sid:84705072; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.247.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841971/; classtype:trojan-activity;sid:84705071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"serforge8en.xamir4al.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841970/; classtype:trojan-activity;sid:84705070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"aligncolu.xamir4al.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841969/; classtype:trojan-activity;sid:84705069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.87.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841968/; classtype:trojan-activity;sid:84705068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; 
http.host; content:"cove-sdk.di7ectkoshevoy.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841967/; classtype:trojan-activity;sid:84705067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.36.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841966/; classtype:trojan-activity;sid:84705066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"yz8pj.di7ectkoshevoy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841965/; classtype:trojan-activity;sid:84705065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"tridraar.xamir4al.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841964/; classtype:trojan-activity;sid:84705064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.80.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841963/; classtype:trojan-activity;sid:84705063; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cgkeayqe.brand5calpel.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841962/; classtype:trojan-activity;sid:84705062; rev:1;)
# How to read the rules below: each one alerts on a client-to-server GET from
# $HOME_NET to $EXTERNAL_NET where both buffers match exactly.
#   http.uri  - depth equals the content length and endswith anchors the end,
#               so only this exact URI matches (case-insensitive via nocase).
#               A request for the same path with extra trailing data, such as
#               an appended query string, is not expected to match.
#   http.host - depth equals the content length and isdataat:!1,relative
#               requires that nothing follows, so only this exact host matches.
# The number in msg and in the reference URL is the URLhaus entry for triage.
#
# NOTE(review): the next rule (and sid 84705054 further down) matches a URI
# that starts with a doubled slash, while the same path is listed with a single
# slash in other rules of this ruleset (e.g. sid 84705070). Whether the
# normalized http.uri buffer still contains "//" depends on how the HTTP parser
# is configured to treat repeated path separators - TODO confirm against a test
# capture; if they are collapsed this exact-match rule cannot fire and the
# unnormalized http.uri.raw buffer would be the one to inspect.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//kl0n-green-excel-yy3775-get65/gett3.verification"; depth:50; endswith; nocase; http.host; content:"velvetcalm.5toravex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841961/; classtype:trojan-activity;sid:84705061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.87.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841960/; classtype:trojan-activity;sid:84705060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.249.188"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841959/; classtype:trojan-activity;sid:84705059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.139.83.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841958/; classtype:trojan-activity;sid:84705058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.101.188.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841957/; classtype:trojan-activity;sid:84705057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/senior4/img_101400.png"; depth:23; endswith; nocase; http.host; content:"nmturc.cyou"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841956/; classtype:trojan-activity;sid:84705056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.247.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841955/; classtype:trojan-activity;sid:84705055; rev:1;)
# NOTE(review): doubled leading slash again - same caveat as sid 84705061 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//kl0n-green-excel-yy3775-get65/gett3.verification"; depth:50; endswith; nocase; http.host; content:"lumspireen1.5toravex.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841954/; classtype:trojan-activity;sid:84705054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841953)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"sort4-mesh.brand5calpel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841953/; classtype:trojan-activity;sid:84705053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logmeinresolve_unattended.msi"; depth:30; endswith; nocase; http.host; content:"pub-ff1914891a3e4ac9911682a004158d63.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841952/; classtype:trojan-activity;sid:84705052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pp/img_035646.png"; depth:18; endswith; nocase; http.host; content:"andjemztech.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841951/; classtype:trojan-activity;sid:84705051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yufornewpanel.png"; depth:18; endswith; nocase; http.host; content:"tradedsglobal.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841950/; classtype:trojan-activity;sid:84705050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obomay.png"; depth:11; endswith; nocase; http.host; content:"tradedsglobal.com"; depth:17; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841948/; classtype:trojan-activity;sid:84705048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"svcd.tavro6xen.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841949/; classtype:trojan-activity;sid:84705049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rumpfornew.png"; depth:15; endswith; nocase; http.host; content:"tradedsglobal.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841947/; classtype:trojan-activity;sid:84705047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imgoilandgasss.png"; depth:19; endswith; nocase; http.host; content:"valfanto.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841946/; classtype:trojan-activity;sid:84705046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"neuraldepot.brand5calpel.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841945/; classtype:trojan-activity;sid:84705045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3841944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"5bzb.tavro6xen.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841944/; classtype:trojan-activity;sid:84705044; rev:1;)
# Each rule below alerts on an outbound GET whose http.uri and http.host both
# equal the listed values: depth is set to the content length, endswith pins
# the end of the URI, and isdataat:!1,relative pins the end of the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ultra-d0ck.brand5calpel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841943/; classtype:trojan-activity;sid:84705043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.105.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841942/; classtype:trojan-activity;sid:84705040; rev:1;)
# The next two rules point at raw.githubusercontent.com, a shared hosting
# platform. The exact-URI match means a hit refers to this one file path, not
# to the platform as a whole, so the host on its own is not a useful blocklist
# entry.
# NOTE(review): these are "alert http" rules, so they only see requests the
# sensor can read as HTTP. The platform is normally reached over HTTPS;
# presumably these rules stay silent unless TLS is decrypted upstream of the
# sensor - confirm inspection coverage before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/airkanpang/bientianlp/main/dsgrlnihdsfrg.txt"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841940/; classtype:trojan-activity;sid:84705040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/airkanpang/bientianlp/main/mkgyhhuihfyjyufkuik.pdf"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841941/; classtype:trojan-activity;sid:84705041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.206.135.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841939/; classtype:trojan-activity;sid:84705039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.28.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841938/; classtype:trojan-activity;sid:84705038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cwtkhh54/cwtkhh54mde2/mzb412.js"; depth:32; endswith; nocase; http.host; content:"254.182.153.160.host.secureserver.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841937/; classtype:trojan-activity;sid:84705037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flomo.zip"; depth:10; endswith; nocase; http.host; content:"xxxzxxxzxxx.cc"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841936/; classtype:trojan-activity;sid:84705036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3841935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"kdffa87z.1zarelin.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841935/; classtype:trojan-activity;sid:84705035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.64.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841934/; classtype:trojan-activity;sid:84705034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"5ound-span.brand5calpel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841933/; classtype:trojan-activity;sid:84705033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/7b5d5a8a45b32867_264.php"; depth:33; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841932/; classtype:trojan-activity;sid:84705032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/64a7ffd2030af46a_264.php"; depth:33; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841931/; classtype:trojan-activity;sid:84705031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/5a286063ecc09f8f_264.php"; depth:33; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841930/; classtype:trojan-activity;sid:84705030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/4fe4008aa7fff8c6_264.php"; depth:33; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841929/; classtype:trojan-activity;sid:84705029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/1bbd7cd5392f2cd4_264.php"; depth:33; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841928/; classtype:trojan-activity;sid:84705028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.101.188.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841926/; classtype:trojan-activity;sid:84705026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3841927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"st0n-beam.1zarelin.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841927/; classtype:trojan-activity;sid:84705027; rev:1;)
# Each rule below alerts on an outbound GET whose http.uri and http.host both
# equal the listed values (depth = content length, endswith on the URI,
# isdataat:!1,relative on the host).
#
# NOTE(review): several rules in this stretch have identical match conditions
# and differ only in the URLhaus id, reference and sid, so a single matching
# request raises two alerts:
#   sid 84705027 (completed on the line above) and sid 84705025
#   sid 84705024 and sid 84705023
#   sid 84705020 and sid 84705019
# Presumably the underlying URLhaus entries differ in something the rule does
# not express (scheme or port, for example) - verify against the referenced
# entries. When counting or correlating alerts, treat each pair as one
# indicator rather than two independent detections.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"4vxdasln.brand5calpel.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841924/; classtype:trojan-activity;sid:84705024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"st0n-beam.1zarelin.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841925/; classtype:trojan-activity;sid:84705025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"4vxdasln.brand5calpel.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841923/; classtype:trojan-activity;sid:84705023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"hs01.1zarelin.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841922/; classtype:trojan-activity;sid:84705022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"apiass.brand5calpel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841921/; classtype:trojan-activity;sid:84705021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"wz08rx0.1zarelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841920/; classtype:trojan-activity;sid:84705020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"wz08rx0.1zarelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841919/; classtype:trojan-activity;sid:84705019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"dfsdf.sixbaud.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841918/; classtype:trojan-activity;sid:84705018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.28.212"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841917/; classtype:trojan-activity;sid:84705017; rev:1;)
# The next three rules point at shared code-hosting platforms
# (raw.githubusercontent.com, bitbucket.org). The exact-URI match ties each
# alert to one specific file path, so a hit does not implicate the platform.
# NOTE(review): as "alert http" rules they only see requests the sensor can
# read as HTTP; these platforms are normally reached over HTTPS, so presumably
# the rules stay silent without TLS decryption upstream - confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/jame/refs/heads/main/iakkoaj.txt"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841916/; classtype:trojan-activity;sid:84705016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/hg/refs/heads/main/aknsdkr.txt"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841915/; classtype:trojan-activity;sid:84705015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svdsdadsad/vcxv/raw/0878bd481def8e71bb56b5f565d625a755d00281/1.jpg"; depth:67; endswith; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841914/; classtype:trojan-activity;sid:84705014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3841913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.206.135.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841913/; classtype:trojan-activity;sid:84705013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"windharbor.1zarelin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841912/; classtype:trojan-activity;sid:84705012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.105.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841911/; classtype:trojan-activity;sid:84705011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.241.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841910/; classtype:trojan-activity;sid:84705010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match/img_130250.png"; depth:21; endswith; nocase; http.host; content:"nmturc.cyou"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841909/; 
classtype:trojan-activity;sid:84705009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/kgbybxnnan178.bin"; depth:25; endswith; nocase; http.host; content:"jobhunters.ly"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841907/; classtype:trojan-activity;sid:84705007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/eftertnd.asd"; depth:20; endswith; nocase; http.host; content:"jobhunters.ly"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841908/; classtype:trojan-activity;sid:84705008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"aobgz.1zarelin.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841906/; classtype:trojan-activity;sid:84705006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"lum-fluxen.1zarelin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841905/; classtype:trojan-activity;sid:84705005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841904)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.64.100"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841904/; classtype:trojan-activity;sid:84705004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"vpsk.qen8vorel.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841903/; classtype:trojan-activity;sid:84705003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"crestdeliv.qen8vorel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841902/; classtype:trojan-activity;sid:84705002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run_x64.exe"; depth:12; endswith; nocase; http.host; content:"196.251.107.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841900/; classtype:trojan-activity;sid:84705000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run_x32.exe"; depth:12; endswith; nocase; http.host; content:"196.251.107.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841901/; 
classtype:trojan-activity;sid:84705001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/riubqy6b3ggc.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841899/; classtype:trojan-activity;sid:84704999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"68uvag.qen8vorel.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841898/; classtype:trojan-activity;sid:84704998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/4wyz1gcvbwzd.exe"; depth:25; endswith; nocase; http.host; content:"id89652.cfd"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841897/; classtype:trojan-activity;sid:84704997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/v2biqxdfgxz4.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841891/; classtype:trojan-activity;sid:84704991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841892)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uploads/xvqvqrunpnzm.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841892/; classtype:trojan-activity;sid:84704992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/ayimqf0b9zn4.exe"; depth:25; endswith; nocase; http.host; content:"id89652.cfd"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841893/; classtype:trojan-activity;sid:84704993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/ayimqf0b9zn4.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841894/; classtype:trojan-activity;sid:84704994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/4wyz1gcvbwzd.exe"; depth:25; endswith; nocase; http.host; content:"62.60.226.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841895/; classtype:trojan-activity;sid:84704995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/xvqvqrunpnzm.exe"; depth:25; endswith; nocase; http.host; content:"id89652.cfd"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841896/; classtype:trojan-activity;sid:84704996; rev:1;) 
# URLhaus download-URL indicators, one rule per URLhaus entry (the id in msg
# and in the reference URL), all carrying metadata created_at 2026_05_08.
#
# Each rule fires on an established, client-to-server HTTP transaction going
# from $HOME_NET to $EXTERNAL_NET when all three sticky buffers match:
#   http.method  contains "GET"
#   http.uri     equals the listed path, case-insensitively (depth equal to
#                the content length plus endswith pins both ends)
#   http.host    equals the listed host (depth equal to the content length,
#                and isdataat:!1,relative requires no byte after the match)
#
# Coverage notes for triage and tuning:
#   - These are exact-URL indicators: a request to the same host for any
#     other URI, or with anything appended to the listed path, is out of
#     scope for the rule. Pair them with host/IP-level indicators from the
#     same feed if broader coverage is wanted.
#   - "alert http" limits inspection to traffic the engine parses as HTTP;
#     the same URL fetched inside TLS is not visible to these rules.
#   - Whether a rule fires depends on the sensor's $HOME_NET/$EXTERNAL_NET
#     definitions classifying the client as internal and the server as
#     external.
#   - 18 of the 19 rules below share the host 130.12.180.190, with paths of
#     the form /<n>/n.txt and /<n>/<digits>.txt, so a hit on any one sid is
#     worth pivoting on the host rather than on the single path.
#   - NOTE(review): whether a Host header that carries an explicit port still
#     matches depends on how the engine normalizes http.host; confirm against
#     the Suricata version in use.
#   - Entries can go offline or be cleaned up after listing; check the
#     reference URL for current status before acting on an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841886/; classtype:trojan-activity;sid:84704986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841887/; classtype:trojan-activity;sid:84704987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841888/; classtype:trojan-activity;sid:84704988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841889/; classtype:trojan-activity;sid:84704989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10/4656.txt"; depth:12; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841890/; classtype:trojan-activity;sid:84704990; rev:1;)
# The only rule in this run for a different host. Its URI pattern is the
# two-byte path "/i", so the http.host constraint is what makes it specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.125.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841885/; classtype:trojan-activity;sid:84704985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10/n.txt"; depth:9; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841874/; classtype:trojan-activity;sid:84704974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8/7782.txt"; depth:11; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841875/; classtype:trojan-activity;sid:84704975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841876/; classtype:trojan-activity;sid:84704976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841877/; classtype:trojan-activity;sid:84704977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9/18241.txt"; depth:12; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841878/; classtype:trojan-activity;sid:84704978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11/2048.txt"; depth:12; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841879/; classtype:trojan-activity;sid:84704979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3/11987.txt"; depth:12; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841880/; classtype:trojan-activity;sid:84704980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5/2640.txt"; depth:11; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841881/; classtype:trojan-activity;sid:84704981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7/25091.txt"; depth:12; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841882/; classtype:trojan-activity;sid:84704982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2/303.txt"; depth:10; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841883/; classtype:trojan-activity;sid:84704983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4/24282.txt"; depth:12; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841884/; classtype:trojan-activity;sid:84704984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11/n.txt"; depth:9; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841870/; classtype:trojan-activity;sid:84704970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841871/; classtype:trojan-activity;sid:84704971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8/n.txt"; depth:8; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841872/; classtype:trojan-activity;sid:84704972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/1217.txt"; depth:11; endswith; nocase; http.host; content:"130.12.180.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841873/; classtype:trojan-activity;sid:84704973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"quorvalea5.qen8vorel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841869/; classtype:trojan-activity;sid:84704969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"quorvalea5.qen8vorel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841868/; classtype:trojan-activity;sid:84704968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"39.90.144.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841867/; classtype:trojan-activity;sid:84704967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/masabik/update.ps1"; depth:19; endswith; nocase; http.host; content:"ozaltuntel.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841866/; classtype:trojan-activity;sid:84704966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1"; depth:11; endswith; nocase; http.host; content:"ozaltuntel.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841865/; classtype:trojan-activity;sid:84704965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/catt/update.ps1"; depth:16; endswith; nocase; http.host; content:"ozaltuntel.xyz"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841864/; classtype:trojan-activity;sid:84704964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"vortide7en.qen8vorel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841863/; classtype:trojan-activity;sid:84704963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3841862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"yslgmz.qen8vorel.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841862/; classtype:trojan-activity;sid:84704962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.241.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841861/; classtype:trojan-activity;sid:84704961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.111.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841860/; classtype:trojan-activity;sid:84704960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.240.204.126"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841859/; classtype:trojan-activity;sid:84704959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"invoimeado.qen8vorel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 
2026_05_08; reference:url, urlhaus.abuse.ch/url/3841858/; classtype:trojan-activity;sid:84704958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetest001.png"; depth:17; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841856/; classtype:trojan-activity;sid:84704956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"invoimeado.qen8vorel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841857/; classtype:trojan-activity;sid:84704957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"flame-reage.mav2lorix.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841855/; classtype:trojan-activity;sid:84704955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"routercircuit.mav2lorix.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841854/; classtype:trojan-activity;sid:84704954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3841853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"routercircuit.mav2lorix.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841853/; classtype:trojan-activity;sid:84704953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.111.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841852/; classtype:trojan-activity;sid:84704952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"genomecatalog.mav2lorix.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841851/; classtype:trojan-activity;sid:84704951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"vinespr.mav2lorix.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841850/; classtype:trojan-activity;sid:84704950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/ham/img_182056.png"; depth:23; endswith; nocase; http.host; 
content:"89.40.31.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841847/; classtype:trojan-activity;sid:84704947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/hio/img_205611.png"; depth:23; endswith; nocase; http.host; content:"89.40.31.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841848/; classtype:trojan-activity;sid:84704948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"3awswdxc.mav2lorix.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841849/; classtype:trojan-activity;sid:84704949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"89.40.31.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841846/; classtype:trojan-activity;sid:84704946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/013112017617.php"; depth:17; endswith; nocase; http.host; content:"89.40.31.143"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841845/; classtype:trojan-activity;sid:84704945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3841844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.233.235.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841844/; classtype:trojan-activity;sid:84704944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"xmz60xrj.mav2lorix.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841843/; classtype:trojan-activity;sid:84704943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"proxyss.sixbaud.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841842/; classtype:trojan-activity;sid:84704942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"xmz60xrj.mav2lorix.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841841/; classtype:trojan-activity;sid:84704941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.229.73"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841840/; classtype:trojan-activity;sid:84704940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.36.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841839/; classtype:trojan-activity;sid:84704939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"lanhops.sixbaud.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841838/; classtype:trojan-activity;sid:84704938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"lanhops.sixbaud.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841836/; classtype:trojan-activity;sid:84704936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"layoutamp.mav2lorix.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841837/; classtype:trojan-activity;sid:84704937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3841835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"subclis.sixbaud.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841835/; classtype:trojan-activity;sid:84704935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"stea-summ.5toravex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841834/; classtype:trojan-activity;sid:84704934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"bitkits.sixbaud.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841833/; classtype:trojan-activity;sid:84704933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"private2-port.5toravex.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841832/; classtype:trojan-activity;sid:84704932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841831)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"arkfluxum.5toravex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841831/; classtype:trojan-activity;sid:84704931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"envsets.sixbaud.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841830/; classtype:trojan-activity;sid:84704930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.36.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841829/; classtype:trojan-activity;sid:84704929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"t0n3-wave.5toravex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841828/; classtype:trojan-activity;sid:84704928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"doclabs.sixbaud.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; 
reference:url, urlhaus.abuse.ch/url/3841827/; classtype:trojan-activity;sid:84704927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module2"; depth:18; endswith; nocase; http.host; content:"whpayment.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841826/; classtype:trojan-activity;sid:84704926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/component"; depth:20; endswith; nocase; http.host; content:"whpayment.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841825/; classtype:trojan-activity;sid:84704925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/runtimebroker.exe"; depth:28; endswith; nocase; http.host; content:"whpayment.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841824/; classtype:trojan-activity;sid:84704924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/pjibf.exe"; depth:20; endswith; nocase; http.host; content:"whpayment.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841820/; classtype:trojan-activity;sid:84704920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841821)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/jar/security"; depth:19; endswith; nocase; http.host; content:"whpayment.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841821/; classtype:trojan-activity;sid:84704921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/module"; depth:17; endswith; nocase; http.host; content:"whpayment.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841822/; classtype:trojan-activity;sid:84704922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/jar/elevator"; depth:19; endswith; nocase; http.host; content:"whpayment.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841823/; classtype:trojan-activity;sid:84704923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"lumlithen.5toravex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841819/; classtype:trojan-activity;sid:84704919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7048186296/lvcwwp2.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841817/; classtype:trojan-activity;sid:84704917; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.sh"; depth:12; endswith; nocase; http.host; content:"31.57.129.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841818/; classtype:trojan-activity;sid:84704918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"syncits.ratmedia.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841816/; classtype:trojan-activity;sid:84704916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"zijas.5toravex.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841815/; classtype:trojan-activity;sid:84704915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"zijas.5toravex.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841814/; classtype:trojan-activity;sid:84704914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841813)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ioflows.ratmedia.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841813/; classtype:trojan-activity;sid:84704913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"taskids.ratmedia.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841812/; classtype:trojan-activity;sid:84704912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"taskids.ratmedia.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841811/; classtype:trojan-activity;sid:84704911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"gitlabh.vbytetap.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841810/; classtype:trojan-activity;sid:84704910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"comwebs.ratmedia.lat"; depth:20; 
isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841809/; classtype:trojan-activity;sid:84704909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"apiopss.vbytetap.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841808/; classtype:trojan-activity;sid:84704908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"refid-xs.ratmedia.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841807/; classtype:trojan-activity;sid:84704907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"autboxs.ratmedia.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841806/; classtype:trojan-activity;sid:84704906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.135.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841805/; classtype:trojan-activity;sid:84704905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3841804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"logbins.vbytetap.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841804/; classtype:trojan-activity;sid:84704904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"domregs.gzipsea.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841803/; classtype:trojan-activity;sid:84704903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"appsrch.vbytetap.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841802/; classtype:trojan-activity;sid:84704902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"webdocs.vbytetap.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841801/; classtype:trojan-activity;sid:84704901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841800)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.251.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841800/; classtype:trojan-activity;sid:84704900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"pwrlogs.gzipsea.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841799/; classtype:trojan-activity;sid:84704899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.140.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841798/; classtype:trojan-activity;sid:84704898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"syskeys.vbytetap.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841797/; classtype:trojan-activity;sid:84704897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"extnets.gzipsea.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841796/; 
classtype:trojan-activity;sid:84704896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"extnets.gzipsea.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841795/; classtype:trojan-activity;sid:84704895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"netmans.ipfspie.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841794/; classtype:trojan-activity;sid:84704894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"pkgruns.gzipsea.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841793/; classtype:trojan-activity;sid:84704893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.161.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841792/; classtype:trojan-activity;sid:84704892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841791)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.19.161.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841791/; classtype:trojan-activity;sid:84704891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"tcpcons.ipfspie.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841790/; classtype:trojan-activity;sid:84704890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"modbuss.gzipsea.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841789/; classtype:trojan-activity;sid:84704889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"sshpros.ipfspie.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841788/; classtype:trojan-activity;sid:84704888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.135.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, 
urlhaus.abuse.ch/url/3841787/; classtype:trojan-activity;sid:84704887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"srcgets.gzipsea.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841786/; classtype:trojan-activity;sid:84704886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"vmlists.ipfspie.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841785/; classtype:trojan-activity;sid:84704885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"vmlists.ipfspie.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841784/; classtype:trojan-activity;sid:84704884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"uidmaps.addport.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841783/; classtype:trojan-activity;sid:84704883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3841782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"usrgrps.ipfspie.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841782/; classtype:trojan-activity;sid:84704882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ftpsrvs.addport.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841781/; classtype:trojan-activity;sid:84704881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.23.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841780/; classtype:trojan-activity;sid:84704880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"optwebs.ipfspie.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841779/; classtype:trojan-activity;sid:84704879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; 
http.host; content:"libsyss.addport.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841778/; classtype:trojan-activity;sid:84704878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.161.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841777/; classtype:trojan-activity;sid:84704877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"gitlabh.1navorex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841776/; classtype:trojan-activity;sid:84704876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"jobadms.addport.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841775/; classtype:trojan-activity;sid:84704875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"jobadms.addport.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841774/; classtype:trojan-activity;sid:84704874; rev:1;) 
# ---------------------------------------------------------------------------
# Reviewer notes on reading and deploying these generated rules
#
# Each rule fires on an established, client-to-server HTTP GET whose URI and
# Host both equal one URLhaus entry. Both buffers are matched exactly:
#   http.uri  - content + depth:<content length> + endswith, with nocase
#   http.host - content + depth:<content length> + isdataat:!1,relative
# so a query string, an extra path segment or a sibling subdomain does not
# match.
#
# Several hosts in this part of the feed serve the same path (for example
# /sh1ne-logs-neppy-upd8335-www3/get123c.camp and
# /kl0n-green-excel-yy3775-get65/gett3.verification under many *.lat
# subdomains). A per-host rule only covers names that were already reported.
# NOTE(review): this looks like rotating delivery hosts - confirm against the
# URLhaus references before treating them as one cluster.
#
# Coverage caveats for operators:
#   * The protocol is `http`, so the sensor must see cleartext HTTP; the same
#     URL fetched over TLS is not matched unless traffic is decrypted first.
#   * Direction is $HOME_NET -> $EXTERNAL_NET; if HOME_NET does not contain
#     the client, none of these rules can match.
#   * The action is `alert`; nothing in these rules blocks the download.
#   * Some adjacent rules differ only in URLhaus id and sid (e.g. 3841775 and
#     3841774 for jobadms.addport.lat), so one request raises two alerts.
#     Presumably the listed URLs differ in scheme or port, which these
#     keywords do not test - TODO confirm. Deduplicate on host + URI, not sid.
#   * These are point-in-time indicators (metadata:created_at 2026_05_08
#     here); refresh the feed on a schedule rather than pinning a copy.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.123.40"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841773/; classtype:trojan-activity;sid:84704873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"apiopss.1navorex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841772/; classtype:trojan-activity;sid:84704872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"rawdats.addport.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841771/; classtype:trojan-activity;sid:84704871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ziparks.addport.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841770/; classtype:trojan-activity;sid:84704870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"123.7.237.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841769/; classtype:trojan-activity;sid:84704869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"logbins.1navorex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841768/; classtype:trojan-activity;sid:84704868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"appsrch.1navorex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841767/; classtype:trojan-activity;sid:84704867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841766/; classtype:trojan-activity;sid:84704866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"osbases.modeall.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841765/; 
classtype:trojan-activity;sid:84704865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841764/; classtype:trojan-activity;sid:84704864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.246.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841763/; classtype:trojan-activity;sid:84704863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"webdocs.1navorex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841762/; classtype:trojan-activity;sid:84704862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"metalts.modeall.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841761/; classtype:trojan-activity;sid:84704861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841760)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"syskeys.1navorex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841760/; classtype:trojan-activity;sid:84704860; rev:1;)
# URLhaus exact-URL indicators (all created_at 2026_05_08), one rule per line.
# Every rule below has the same shape: an outbound (HOME_NET -> EXTERNAL_NET),
# established, client-side HTTP GET whose http.uri equals the listed path
# (depth = pattern length plus endswith pins the whole buffer; nocase makes the
# comparison case-insensitive) and whose http.host equals the listed name or IP
# (depth = pattern length plus isdataat:!1,relative, so nothing may follow it).
# Triage: the number in msg and in the reference URL is the URLhaus entry id;
# in the rules shown here sid = that id + 80863100.
# Coverage: these are "alert http" signatures, so they fire only on traffic
# Suricata parses as HTTP. A fetch from the same host over TLS is not seen by
# them unless it is decrypted upstream; pair them with DNS/TLS-SNI detection on
# the same hostnames if that matters in your environment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"apidocs.modeall.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841759/; classtype:trojan-activity;sid:84704859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"netmans.lorex7in.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841758/; classtype:trojan-activity;sid:84704858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.122.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841757/; classtype:trojan-activity;sid:84704857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.7.237.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841756/; classtype:trojan-activity;sid:84704856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"dbinsts.modeall.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841755/; classtype:trojan-activity;sid:84704855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"tcpcons.lorex7in.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841754/; classtype:trojan-activity;sid:84704854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"skyvpns.modeall.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841753/; classtype:trojan-activity;sid:84704853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"sshpros.lorex7in.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841752/; classtype:trojan-activity;sid:84704852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.146.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841751/; classtype:trojan-activity;sid:84704851; rev:1;)
# NOTE(review): the next two rules (sid 84704850 and 84704849) carry identical
# match conditions, so a single request raises both alerts; de-duplicate on
# host + URI rather than on sid when counting hits. Presumably the two URLhaus
# entries differ in a field the rule does not encode - confirm on the
# reference pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cmdsets.modeall.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841750/; classtype:trojan-activity;sid:84704850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cmdsets.modeall.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841749/; classtype:trojan-activity;sid:84704849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"vmlists.lorex7in.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841748/; classtype:trojan-activity;sid:84704848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"usrgrps.lorex7in.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841747/; classtype:trojan-activity;sid:84704847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"tmpdirs.ipsetsew.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841746/; classtype:trojan-activity;sid:84704846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.65.199"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841745/; classtype:trojan-activity;sid:84704845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.52.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841744/; classtype:trojan-activity;sid:84704844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"sshbins.ipsetsew.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841742/; classtype:trojan-activity;sid:84704842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3841743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.52.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841743/; classtype:trojan-activity;sid:84704843; rev:1;)
# URLhaus exact-URL indicators continue (all created_at 2026_05_08), one rule
# per line. Each rule alerts on an outbound, established, client-side HTTP GET
# where http.uri is exactly the listed path (case-insensitive) and http.host
# is exactly the listed hostname or IPv4 literal.
# The action is "alert": a match is logged, the transfer is not blocked by
# these rules as written.
# The created_at date is the only age signal in the rule; IP-literal
# indicators tend to go stale, so keep the feed refreshed rather than pinning
# an old copy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"optwebs.lorex7in.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841741/; classtype:trojan-activity;sid:84704841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.16.164.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841740/; classtype:trojan-activity;sid:84704840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"proxyss.mel6vator.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841738/; classtype:trojan-activity;sid:84704838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"sslkeys.ipsetsew.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841739/; classtype:trojan-activity;sid:84704839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.32.111"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841737/; classtype:trojan-activity;sid:84704837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.1.156"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841736/; classtype:trojan-activity;sid:84704836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"getcfgs.ipsetsew.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841735/; classtype:trojan-activity;sid:84704835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"lanhops.mel6vator.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841734/; classtype:trojan-activity;sid:84704834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.49.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841733/; classtype:trojan-activity;sid:84704833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ipnodes.ipsetsew.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841732/; classtype:trojan-activity;sid:84704832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.0.239"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841731/; classtype:trojan-activity;sid:84704831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"subclis.mel6vator.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841730/; classtype:trojan-activity;sid:84704830; rev:1;)
# NOTE(review): sid 84704829 and sid 84704828 below have identical match
# conditions (same URI, same host), so one request produces two alerts.
# Count distinct host + URI pairs, not sids, when sizing an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"hotfixs.ipsetsew.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841729/; classtype:trojan-activity;sid:84704829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"hotfixs.ipsetsew.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841728/; classtype:trojan-activity;sid:84704828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"bitkits.mel6vator.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841727/; classtype:trojan-activity;sid:84704827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.211.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841726/; classtype:trojan-activity;sid:84704826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"bitfoxs.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841725/; classtype:trojan-activity;sid:84704825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3841723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"envsets.mel6vator.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841723/; classtype:trojan-activity;sid:84704823; rev:1;)
# URLhaus exact-URL indicators continue (all created_at 2026_05_08), one rule
# per line. Each rule matches an outbound, established, client-side HTTP GET
# whose http.uri and http.host both equal the listed values exactly (each
# pattern's depth is its own length; endswith / isdataat:!1,relative forbid
# trailing bytes). A request to the same host with any other path is not
# covered by these rules.
# Correlation hint: the same destination can appear under several sids with
# different paths, e.g. 115.57.180.121 below is matched by sid 84704822 ("/i")
# and sid 84704820 ("/bin.sh"). Group alerts by destination when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"bitfoxs.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841724/; classtype:trojan-activity;sid:84704824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.180.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841722/; classtype:trojan-activity;sid:84704822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.187.193.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841721/; classtype:trojan-activity;sid:84704821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.180.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841720/; classtype:trojan-activity;sid:84704820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"topsvcs.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841719/; classtype:trojan-activity;sid:84704819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.255.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841718/; classtype:trojan-activity;sid:84704818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"doclabs.mel6vator.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841717/; classtype:trojan-activity;sid:84704817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.136.54.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841716/; classtype:trojan-activity;sid:84704816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"opsmgrs.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841715/; classtype:trojan-activity;sid:84704815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.49.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841714/; classtype:trojan-activity;sid:84704814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"syncits.pav3mirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841713/; classtype:trojan-activity;sid:84704813; rev:1;)
# NOTE(review): sid 84704812 (next rule) and sid 84704810 (two rules further
# down) have identical match conditions for cpupros.mayservo.lat; a single
# request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cpupros.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841712/; classtype:trojan-activity;sid:84704812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"ioflows.pav3mirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841711/; classtype:trojan-activity;sid:84704811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cpupros.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841710/; classtype:trojan-activity;sid:84704810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"vpsruns.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841709/; classtype:trojan-activity;sid:84704809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.211.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841708/; classtype:trojan-activity;sid:84704808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"taskids.pav3mirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841707/; classtype:trojan-activity;sid:84704807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3841706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"dnswebs.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841706/; classtype:trojan-activity;sid:84704806; rev:1;)
# URLhaus exact-URL indicators continue (all created_at 2026_05_08), one rule
# per line: outbound, established, client-side HTTP GET with http.uri and
# http.host each equal to the listed value. classtype is trojan-activity on
# every rule; the reference URL points at the URLhaus entry for the hit.
# NOTE(review): several rules in this stretch are exact duplicates of a
# neighbour apart from msg/reference/sid, so one request raises two alerts:
#   sid 84704806 (rule ending on the line above) and sid 84704805
#   sid 84704803 and sid 84704802
#   sid 84704796 and sid 84704795
# De-duplicate on host + URI when counting affected clients.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"dnswebs.mayservo.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841705/; classtype:trojan-activity;sid:84704805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.146.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841704/; classtype:trojan-activity;sid:84704804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"comwebs.pav3mirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841703/; classtype:trojan-activity;sid:84704803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"comwebs.pav3mirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841702/; classtype:trojan-activity;sid:84704802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"appboxs.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841701/; classtype:trojan-activity;sid:84704801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.255.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841700/; classtype:trojan-activity;sid:84704800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"refid-xs.pav3mirex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841699/; classtype:trojan-activity;sid:84704799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.228.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841698/; classtype:trojan-activity;sid:84704798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.136.54.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841697/; classtype:trojan-activity;sid:84704797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"autboxs.pav3mirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841696/; classtype:trojan-activity;sid:84704796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"devbits.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841694/; classtype:trojan-activity;sid:84704794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"autboxs.pav3mirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841695/; classtype:trojan-activity;sid:84704795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"domregs.xamir5ol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841693/; classtype:trojan-activity;sid:84704793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"srvlogs.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841692/; classtype:trojan-activity;sid:84704792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.2.42"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841690/; classtype:trojan-activity;sid:84704790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.5.65.199"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841691/; classtype:trojan-activity;sid:84704791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"netapis.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841689/; 
classtype:trojan-activity;sid:84704789; rev:1;)
# URLhaus exact-URL indicators continue (all created_at 2026_05_08), one rule
# per line. Each rule requires all of: direction HOME_NET -> EXTERNAL_NET,
# an established flow seen from the client side, method GET, http.uri equal
# to the listed path (case-insensitive) and http.host equal to the listed
# host. The number in msg/reference is the URLhaus entry id; in the rules
# shown here sid = that id + 80863100, which lets an alert be mapped back to
# its entry from the sid alone.
# NOTE(review): three pairs below are duplicates apart from msg/reference/sid
# (84704786/84704787, 84704785/84704784, 84704781/84704780); one request
# raises both alerts of a pair.
# The many distinct subdomains under a handful of .lat parent domains all
# share one of two paths; presumably a single campaign rotating hostnames -
# verify against the URLhaus entries before alerting on the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"pwrlogs.xamir5ol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841688/; classtype:trojan-activity;sid:84704788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"extnets.xamir5ol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841686/; classtype:trojan-activity;sid:84704786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"extnets.xamir5ol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841687/; classtype:trojan-activity;sid:84704787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"webcdnx.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841685/; classtype:trojan-activity;sid:84704785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"webcdnx.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841684/; classtype:trojan-activity;sid:84704784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"pkgruns.xamir5ol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841683/; classtype:trojan-activity;sid:84704783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.239.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841682/; classtype:trojan-activity;sid:84704782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"srvhubs.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841681/; classtype:trojan-activity;sid:84704781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"srvhubs.dimchown.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841680/; classtype:trojan-activity;sid:84704780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"gitlabh.scornful-up.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841679/; classtype:trojan-activity;sid:84704779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"modbuss.xamir5ol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841678/; classtype:trojan-activity;sid:84704778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.2.42"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841677/; classtype:trojan-activity;sid:84704777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.153.67.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841676/; classtype:trojan-activity;sid:84704776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.51.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841675/; classtype:trojan-activity;sid:84704775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"apiopss.scornful-up.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841674/; classtype:trojan-activity;sid:84704774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"srcgets.xamir5ol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841673/; classtype:trojan-activity;sid:84704773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"logbins.scornful-up.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841672/; classtype:trojan-activity;sid:84704772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; 
depth:49; endswith; nocase; http.host; content:"uidmaps.tavro9xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841671/; classtype:trojan-activity;sid:84704771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.223.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841670/; classtype:trojan-activity;sid:84704770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"ftpsrvs.tavro9xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841669/; classtype:trojan-activity;sid:84704769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"appsrch.scornful-up.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841668/; classtype:trojan-activity;sid:84704768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"webdocs.scornful-up.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841667/; 
classtype:trojan-activity;sid:84704767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"libsyss.tavro9xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841666/; classtype:trojan-activity;sid:84704766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.78.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841665/; classtype:trojan-activity;sid:84704765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.153.67.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841664/; classtype:trojan-activity;sid:84704764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.1.156"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841663/; classtype:trojan-activity;sid:84704763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"119.189.239.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841662/; classtype:trojan-activity;sid:84704762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"syskeys.scornful-up.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841661/; classtype:trojan-activity;sid:84704761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"syskeys.scornful-up.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841660/; classtype:trojan-activity;sid:84704760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"jobadms.tavro9xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841659/; classtype:trojan-activity;sid:84704759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.51.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841658/; classtype:trojan-activity;sid:84704758; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"rawdats.tavro9xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841657/; classtype:trojan-activity;sid:84704757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"netmans.parliament5almon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841656/; classtype:trojan-activity;sid:84704756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"tcpcons.parliament5almon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841655/; classtype:trojan-activity;sid:84704755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"ziparks.tavro9xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841654/; classtype:trojan-activity;sid:84704754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841653)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"sshpros.parliament5almon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841653/; classtype:trojan-activity;sid:84704753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"osbases.2zorevin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841652/; classtype:trojan-activity;sid:84704752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841651/; classtype:trojan-activity;sid:84704751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"metalts.2zorevin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841650/; classtype:trojan-activity;sid:84704750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; 
content:"vmlists.parliament5almon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841649/; classtype:trojan-activity;sid:84704749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"usrgrps.parliament5almon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841648/; classtype:trojan-activity;sid:84704748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"apidocs.2zorevin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841647/; classtype:trojan-activity;sid:84704747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.123.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841646/; classtype:trojan-activity;sid:84704746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.255.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841645/; classtype:trojan-activity;sid:84704745; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"optwebs.parliament5almon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841644/; classtype:trojan-activity;sid:84704744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"dbinsts.2zorevin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841643/; classtype:trojan-activity;sid:84704743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.78.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841642/; classtype:trojan-activity;sid:84704742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"proxyss.peat-scoop.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841641/; classtype:trojan-activity;sid:84704741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841640)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"skyvpns.2zorevin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841640/; classtype:trojan-activity;sid:84704740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.225.133.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841639/; classtype:trojan-activity;sid:84704739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"cmdsets.2zorevin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841638/; classtype:trojan-activity;sid:84704738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.123.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841637/; classtype:trojan-activity;sid:84704737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"lanhops.peat-scoop.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841636/; 
classtype:trojan-activity;sid:84704736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"tmpdirs.qen7larex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841635/; classtype:trojan-activity;sid:84704735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"subclis.peat-scoop.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841634/; classtype:trojan-activity;sid:84704734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"sshbins.qen7larex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841633/; classtype:trojan-activity;sid:84704733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"bitkits.peat-scoop.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841632/; classtype:trojan-activity;sid:84704732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3841631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"sslkeys.qen7larex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841631/; classtype:trojan-activity;sid:84704731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.71.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841630/; classtype:trojan-activity;sid:84704730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"envsets.peat-scoop.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841629/; classtype:trojan-activity;sid:84704729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"getcfgs.qen7larex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841628/; classtype:trojan-activity;sid:84704728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; 
content:"doclabs.peat-scoop.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841627/; classtype:trojan-activity;sid:84704727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.225.133.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841626/; classtype:trojan-activity;sid:84704726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"syncits.residency5ilicat.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841625/; classtype:trojan-activity;sid:84704725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"ipnodes.qen7larex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841624/; classtype:trojan-activity;sid:84704724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"hotfixs.qen7larex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841623/; 
classtype:trojan-activity;sid:84704723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.55.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841622/; classtype:trojan-activity;sid:84704722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.8.68"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841621/; classtype:trojan-activity;sid:84704721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ioflows.residency5ilicat.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841620/; classtype:trojan-activity;sid:84704720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"bitfoxs.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841619/; classtype:trojan-activity;sid:84704719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841618)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"taskids.residency5ilicat.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841618/; classtype:trojan-activity;sid:84704718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"topsvcs.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841617/; classtype:trojan-activity;sid:84704717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"topsvcs.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841616/; classtype:trojan-activity;sid:84704716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.71.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841615/; classtype:trojan-activity;sid:84704715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"comwebs.residency5ilicat.lat"; depth:28; isdataat:!1,relative; 
metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841614/; classtype:trojan-activity;sid:84704714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"refid-xs.residency5ilicat.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841613/; classtype:trojan-activity;sid:84704713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"refid-xs.residency5ilicat.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841611/; classtype:trojan-activity;sid:84704711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"opsmgrs.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841612/; classtype:trojan-activity;sid:84704712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"autboxs.residency5ilicat.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841610/; classtype:trojan-activity;sid:84704710; rev:1;) 
# URLhaus download-URL signatures, URLhaus ids 3841609 down to 3841571 (all created_at 2026_05_08).
# One rule per line. Rule text is kept exactly as published so sid/rev stay in sync with the upstream feed.
#
# How every rule in this batch matches:
#   - flow:established,from_client + http.method "GET": client-side GET requests from $HOME_NET to $EXTERNAL_NET
#     only, so the result depends on $HOME_NET being set correctly for the sensor.
#   - http.uri content with depth == content length plus endswith: the URI buffer must equal the listed path
#     (case-insensitive via nocase). A different path or an appended query string does not match.
#   - http.host content with depth == content length plus isdataat:!1,relative: the host buffer must equal the
#     listed hostname or IP exactly; sibling subdomains of the same parent domain need their own rule.
#   - The rules use the http protocol keyword, so they only see requests Suricata parses as HTTP. Requests to the
#     same hosts inside TLS are not inspected here unless traffic is decrypted upstream.
#
# Triage notes:
#   - A hit is a high-confidence IoC match. No hit is not evidence of absence; correlate the hostnames and IPs
#     with DNS, proxy and TLS SNI telemetry for wider coverage.
#   - Some URLhaus entries have identical match conditions and differ only in sid and URLhaus id (marked below).
#     One request raises one alert per sid, so deduplicate downstream on host + URI rather than on sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"cpupros.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841609/; classtype:trojan-activity;sid:84704709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"vpsruns.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841608/; classtype:trojan-activity;sid:84704708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"domregs.comrade-dec1ine.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841607/; classtype:trojan-activity;sid:84704707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.46.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841606/; classtype:trojan-activity;sid:84704706; rev:1;)
# sid 84704705 and 84704704: identical match conditions (same URI and host); a matching request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"dnswebs.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841605/; classtype:trojan-activity;sid:84704705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"dnswebs.mav1voren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841604/; classtype:trojan-activity;sid:84704704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"pwrlogs.comrade-dec1ine.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841603/; classtype:trojan-activity;sid:84704703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"appboxs.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841602/; classtype:trojan-activity;sid:84704702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"extnets.comrade-dec1ine.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841601/; classtype:trojan-activity;sid:84704701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.11.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841600/; classtype:trojan-activity;sid:84704700; rev:1;)
# sid 84704698 and 84704699: identical match conditions (same URI and host); a matching request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"devbits.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841598/; classtype:trojan-activity;sid:84704698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"devbits.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841599/; classtype:trojan-activity;sid:84704699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"pkgruns.comrade-dec1ine.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841597/; classtype:trojan-activity;sid:84704697; rev:1;)
# sid 84704696 and 84704695: identical match conditions (same URI and host); a matching request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"srvlogs.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841596/; classtype:trojan-activity;sid:84704696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"srvlogs.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841595/; classtype:trojan-activity;sid:84704695; rev:1;)
# sid 84704694 and 84704693: identical match conditions (same URI and host); a matching request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"modbuss.comrade-dec1ine.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841594/; classtype:trojan-activity;sid:84704694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"modbuss.comrade-dec1ine.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841593/; classtype:trojan-activity;sid:84704693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"netapis.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841592/; classtype:trojan-activity;sid:84704692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"srcgets.comrade-dec1ine.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841591/; classtype:trojan-activity;sid:84704691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"webcdnx.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841590/; classtype:trojan-activity;sid:84704690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.11.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841589/; classtype:trojan-activity;sid:84704689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"srvhubs.6toralix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841588/; classtype:trojan-activity;sid:84704688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"uidmaps.alien2tedchisel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841587/; classtype:trojan-activity;sid:84704687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.243.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841586/; classtype:trojan-activity;sid:84704686; rev:1;)
# sid 84704685 and 84704684: identical match conditions (same URI and host); a matching request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"unhoq4.arch-vivarium.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841585/; classtype:trojan-activity;sid:84704685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"unhoq4.arch-vivarium.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841584/; classtype:trojan-activity;sid:84704684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.108.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841583/; classtype:trojan-activity;sid:84704683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ftpsrvs.alien2tedchisel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841582/; classtype:trojan-activity;sid:84704682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"loagolden.arch-vivarium.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841581/; classtype:trojan-activity;sid:84704681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"libsyss.alien2tedchisel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841580/; classtype:trojan-activity;sid:84704680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"jobadms.alien2tedchisel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841579/; classtype:trojan-activity;sid:84704679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.209.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841578/; classtype:trojan-activity;sid:84704678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"volt4-stack.arch-vivarium.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841577/; classtype:trojan-activity;sid:84704677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"kznyspcb.arch-vivarium.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841576/; classtype:trojan-activity;sid:84704676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"rawdats.alien2tedchisel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841575/; classtype:trojan-activity;sid:84704675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ziparks.alien2tedchisel.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841574/; classtype:trojan-activity;sid:84704674; rev:1;)
# sid 84704673 and 84704672: identical match conditions (same URI and host); a matching request fires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"kelven4en.baked5ham.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841573/; classtype:trojan-activity;sid:84704673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"kelven4en.baked5ham.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841572/; classtype:trojan-activity;sid:84704672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"osbases.enricher-exclam.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841571/; classtype:trojan-activity;sid:84704671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"talfluxal6.baked5ham.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841570/; classtype:trojan-activity;sid:84704670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"talfluxal6.baked5ham.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841569/; classtype:trojan-activity;sid:84704669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.72.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841568/; classtype:trojan-activity;sid:84704668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"metalts.enricher-exclam.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841567/; classtype:trojan-activity;sid:84704667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841566)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"stackcoupon.baked5ham.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841566/; classtype:trojan-activity;sid:84704666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"apidocs.enricher-exclam.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841565/; classtype:trojan-activity;sid:84704665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"ym04rg.baked5ham.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841564/; classtype:trojan-activity;sid:84704664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"dbinsts.enricher-exclam.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841563/; classtype:trojan-activity;sid:84704663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; 
content:"p1l07-dock.baked5ham.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841562/; classtype:trojan-activity;sid:84704662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.0.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841561/; classtype:trojan-activity;sid:84704661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"vor-markor.baked5ham.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841560/; classtype:trojan-activity;sid:84704660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.108.65"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841559/; classtype:trojan-activity;sid:84704659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"vor-markor.baked5ham.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841558/; classtype:trojan-activity;sid:84704658; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"skyvpns.enricher-exclam.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841557/; classtype:trojan-activity;sid:84704657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.72.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_08; reference:url, urlhaus.abuse.ch/url/3841556/; classtype:trojan-activity;sid:84704656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841555/; classtype:trojan-activity;sid:84704655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cmdsets.enricher-exclam.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841554/; classtype:trojan-activity;sid:84704654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; 
http.host; content:"891ax6si.baked5ham.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841553/; classtype:trojan-activity;sid:84704653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.62.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841552/; classtype:trojan-activity;sid:84704652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.209.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841551/; classtype:trojan-activity;sid:84704651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"zzkd.eight-education.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841549/; classtype:trojan-activity;sid:84704649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"tmpdirs.most0vikrowan.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841550/; classtype:trojan-activity;sid:84704650; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"sshbins.most0vikrowan.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841548/; classtype:trojan-activity;sid:84704648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"cliffdawn.eight-education.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841547/; classtype:trojan-activity;sid:84704647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"sslkeys.most0vikrowan.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841546/; classtype:trojan-activity;sid:84704646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.0.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841545/; classtype:trojan-activity;sid:84704645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841544)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"e31txu7.eight-education.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841544/; classtype:trojan-activity;sid:84704644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841543/; classtype:trojan-activity;sid:84704643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"velmeshos.eight-education.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841542/; classtype:trojan-activity;sid:84704642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"getcfgs.most0vikrowan.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841541/; classtype:trojan-activity;sid:84704641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.115.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, 
urlhaus.abuse.ch/url/3841540/; classtype:trojan-activity;sid:84704640; rev:1;)
# Layout: one rule per line (Suricata reads one rule per line unless a line is continued with a backslash).
# Every rule below follows one template and differs only in URLhaus id, URI, host and sid:
#   - established, client-to-server HTTP from $HOME_NET to $EXTERNAL_NET;
#   - http.method contains "GET";
#   - http.uri equals the listed path: content + depth:<length> anchors the start, endswith anchors
#     the end, nocase ignores case;
#   - http.host equals the listed host: depth:<length> anchors the start and isdataat:!1,relative
#     requires that no byte follows the match.
# NOTE(review): because the URI match is exact, the same path with a query string appended would
# presumably not alert -- confirm against how the sensor populates http.uri.
# NOTE(review): these are `alert http` rules, so they only fire on traffic Suricata parses as HTTP.
# A fetch from the same host over TLS is not covered here; confirm the scheme in each URLhaus
# reference and pair with DNS/TLS coverage where needed.
# NOTE(review): the following sid pairs have identical match conditions (same URI and host, different
# URLhaus ids), so one request raises two alerts; deduplicate or threshold downstream:
#   84704628/84704625, 84704622/84704621, 84704620/84704619, 84704616/84704615, 84704606/84704603,
#   84704605/84704604, 84704594/84704593, 84704572/84704571, 84704559/84704558, 84704556/84704555.
# Presumably the URLhaus entries differ in something the rule does not encode -- verify upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841539/; classtype:trojan-activity;sid:84704639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.246.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841538/; classtype:trojan-activity;sid:84704638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"apicascade.eight-education.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841537/; classtype:trojan-activity;sid:84704637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.62.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841536/; classtype:trojan-activity;sid:84704636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"ipnodes.most0vikrowan.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841535/; classtype:trojan-activity;sid:84704635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"kuacu.eight-education.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841534/; classtype:trojan-activity;sid:84704634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"hotfixs.most0vikrowan.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841533/; classtype:trojan-activity;sid:84704633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"bitfoxs.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841532/; classtype:trojan-activity;sid:84704632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"pubdraft.eight-education.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841531/; classtype:trojan-activity;sid:84704631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.187.193.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841530/; classtype:trojan-activity;sid:84704630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.244.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841529/; classtype:trojan-activity;sid:84704629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"topsvcs.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841528/; classtype:trojan-activity;sid:84704628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"autumn1-zone.hundred5elf.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841527/; classtype:trojan-activity;sid:84704627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.46.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841526/; classtype:trojan-activity;sid:84704626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"topsvcs.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841525/; classtype:trojan-activity;sid:84704625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841524/; classtype:trojan-activity;sid:84704624; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.135.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841523/; classtype:trojan-activity;sid:84704623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"opsmgrs.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841522/; classtype:trojan-activity;sid:84704622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"opsmgrs.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841521/; classtype:trojan-activity;sid:84704621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"gu1d-frame.hundred5elf.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841520/; classtype:trojan-activity;sid:84704620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"gu1d-frame.hundred5elf.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841519/; classtype:trojan-activity;sid:84704619; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.54.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841518/; classtype:trojan-activity;sid:84704618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.175.107.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841517/; classtype:trojan-activity;sid:84704617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cpupros.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841516/; classtype:trojan-activity;sid:84704616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"cpupros.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841515/; classtype:trojan-activity;sid:84704615; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"proxyvall.hundred5elf.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841514/; classtype:trojan-activity;sid:84704614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841513/; classtype:trojan-activity;sid:84704613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"norlineor.hundred5elf.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841512/; classtype:trojan-activity;sid:84704612; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"vpsruns.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841511/; classtype:trojan-activity;sid:84704611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.55.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841510/; classtype:trojan-activity;sid:84704610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"catalogpriv.hundred5elf.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841509/; classtype:trojan-activity;sid:84704609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.237.46.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841508/; classtype:trojan-activity;sid:84704608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"dnswebs.barbos-slimy.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841507/; classtype:trojan-activity;sid:84704607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"appboxs.prepol5oldafon.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841506/; classtype:trojan-activity;sid:84704606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"fy4k.hundred5elf.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841505/; classtype:trojan-activity;sid:84704605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"fy4k.hundred5elf.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841504/; classtype:trojan-activity;sid:84704604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"appboxs.prepol5oldafon.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841503/; classtype:trojan-activity;sid:84704603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.56.135.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841502/; classtype:trojan-activity;sid:84704602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.24.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841501/; classtype:trojan-activity;sid:84704601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"dyn-venen.hundred5elf.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841500/; classtype:trojan-activity;sid:84704600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"devbits.prepol5oldafon.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841499/; classtype:trojan-activity;sid:84704599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.63.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841498/; classtype:trojan-activity;sid:84704598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841497/; classtype:trojan-activity;sid:84704597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.127.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841496/; classtype:trojan-activity;sid:84704596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"srvlogs.prepol5oldafon.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841495/; classtype:trojan-activity;sid:84704595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"hgelsd.years-very.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841494/; classtype:trojan-activity;sid:84704594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.54.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841492/; classtype:trojan-activity;sid:84704592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"hgelsd.years-very.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841493/; classtype:trojan-activity;sid:84704593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841491/; classtype:trojan-activity;sid:84704591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841490/; classtype:trojan-activity;sid:84704590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.209.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841489/; classtype:trojan-activity;sid:84704589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"netapis.prepol5oldafon.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841488/; classtype:trojan-activity;sid:84704588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.208.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841487/; classtype:trojan-activity;sid:84704587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"5igna-line.years-very.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841486/; classtype:trojan-activity;sid:84704586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.104.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841485/; classtype:trojan-activity;sid:84704585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"engineeast.years-very.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841484/; classtype:trojan-activity;sid:84704584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"webcdnx.prepol5oldafon.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841483/; classtype:trojan-activity;sid:84704583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"srvhubs.prepol5oldafon.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841482/; classtype:trojan-activity;sid:84704582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"85ot.years-very.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841481/; classtype:trojan-activity;sid:84704581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"spro3-gate.years-very.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841479/; classtype:trojan-activity;sid:84704579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"lettercinema.vexon6ar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841480/; classtype:trojan-activity;sid:84704580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"velvet-frame.vexon6ar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841478/; classtype:trojan-activity;sid:84704578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"mistmar.years-very.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841477/; classtype:trojan-activity;sid:84704577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"alt-c0mp.years-very.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841476/; classtype:trojan-activity;sid:84704576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"c18ows.5doreval.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841475/; classtype:trojan-activity;sid:84704575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.189.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841474/; classtype:trojan-activity;sid:84704574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.4.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841473/; classtype:trojan-activity;sid:84704573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"qdgpv.p7ickmuch.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841472/; classtype:trojan-activity;sid:84704572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"qdgpv.p7ickmuch.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841471/; classtype:trojan-activity;sid:84704571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"broprairi.5doreval.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841470/; classtype:trojan-activity;sid:84704570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.208.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841469/; classtype:trojan-activity;sid:84704569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"basi-wave.5doreval.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841468/; classtype:trojan-activity;sid:84704568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"ashsynt.p7ickmuch.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841467/; classtype:trojan-activity;sid:84704567; rev:1;)
# The next seven rules (sids 84704560-84704566) share host 107.189.19.55 and differ only in the path:
# /x86_64, /m68k, /sh4, /ppc, /arm6, /mips, /arm7. The paths look like CPU-architecture names
# (presumably one payload build per architecture -- confirm in the URLhaus entries).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"107.189.19.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841460/; classtype:trojan-activity;sid:84704560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"107.189.19.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841461/; classtype:trojan-activity;sid:84704561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"107.189.19.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841462/; classtype:trojan-activity;sid:84704562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"107.189.19.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841463/; classtype:trojan-activity;sid:84704563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"107.189.19.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841464/; classtype:trojan-activity;sid:84704564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"107.189.19.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841465/; classtype:trojan-activity;sid:84704565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"107.189.19.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841466/; classtype:trojan-activity;sid:84704566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"jdn6.5doreval.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841459/; classtype:trojan-activity;sid:84704559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"jdn6.5doreval.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841458/; classtype:trojan-activity;sid:84704558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.113.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841457/; classtype:trojan-activity;sid:84704557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"meta-tr4c.5doreval.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841456/; classtype:trojan-activity;sid:84704556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"yoi0771.p7ickmuch.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841454/; classtype:trojan-activity;sid:84704554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"meta-tr4c.5doreval.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841455/; classtype:trojan-activity;sid:84704555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.11.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841453/; classtype:trojan-activity;sid:84704553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841452/; classtype:trojan-activity;sid:84704552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.105.105"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841451/; classtype:trojan-activity;sid:84704551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"n3ed5-drive.p7ickmuch.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841450/; classtype:trojan-activity;sid:84704550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.189.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841449/; classtype:trojan-activity;sid:84704549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"6995847.5doreval.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841448/; classtype:trojan-activity;sid:84704548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"pitch-cast.p7ickmuch.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841447/; classtype:trojan-activity;sid:84704547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"wood-switch.p7ickmuch.lat"; 
depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841446/; classtype:trojan-activity;sid:84704546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"bjzm628x.5doreval.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841445/; classtype:trojan-activity;sid:84704545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.107.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841444/; classtype:trojan-activity;sid:84704544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"qxodg.sorix3en.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841443/; classtype:trojan-activity;sid:84704543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"rk3ow.p7ickmuch.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841442/; classtype:trojan-activity;sid:84704542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3841441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.11.122"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841441/; classtype:trojan-activity;sid:84704541; rev:1;)
# The next two rules (sid 84704540 and sid 84704539) carry identical match
# conditions: same method, same exact URI, same exact host. One matching
# request therefore raises both alerts; only the URLhaus entry id differs.
# Deduplicate on host + URI when triaging or counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"arkvenon1.represent-skittish.lat"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841440/; classtype:trojan-activity;sid:84704540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"arkvenon1.represent-skittish.lat"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841439/; classtype:trojan-activity;sid:84704539; rev:1;)
# depth equal to the pattern length, combined with endswith (URI) and
# isdataat:!1,relative (host), makes each buffer an exact match: a request
# for the same path with extra leading or trailing bytes does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.113.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841438/; classtype:trojan-activity;sid:84704538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; 
nocase; http.host; content:"ultraceda.sorix3en.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841437/; classtype:trojan-activity;sid:84704537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"kernel-azur.represent-skittish.lat"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841436/; classtype:trojan-activity;sid:84704536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"massivesubtle.sorix3en.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841435/; classtype:trojan-activity;sid:84704535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841434/; classtype:trojan-activity;sid:84704534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"norcrest9os.represent-skittish.lat"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, 
urlhaus.abuse.ch/url/3841432/; classtype:trojan-activity;sid:84704532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"den53-plate.sorix3en.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841433/; classtype:trojan-activity;sid:84704533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.236.64.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841431/; classtype:trojan-activity;sid:84704531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.225.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841430/; classtype:trojan-activity;sid:84704530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"5pru3-trail.sorix3en.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841428/; classtype:trojan-activity;sid:84704528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841429)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"c56xjoz.represent-skittish.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841429/; classtype:trojan-activity;sid:84704529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841427/; classtype:trojan-activity;sid:84704527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"breezetone.represent-skittish.lat"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841426/; classtype:trojan-activity;sid:84704526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"pipelineconvert.sorix3en.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841425/; classtype:trojan-activity;sid:84704525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; 
content:"breezetone.represent-skittish.lat"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841424/; classtype:trojan-activity;sid:84704524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-logs-neppy-upd8335-www3/get123c.camp"; depth:43; endswith; nocase; http.host; content:"neurocivi.sorix3en.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841423/; classtype:trojan-activity;sid:84704523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"wxuwbd.represent-skittish.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841422/; classtype:trojan-activity;sid:84704522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.68.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841421/; classtype:trojan-activity;sid:84704521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.4.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841420/; classtype:trojan-activity;sid:84704520; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.199.194.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841418/; classtype:trojan-activity;sid:84704518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.194.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841419/; classtype:trojan-activity;sid:84704519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.110.97"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841417/; classtype:trojan-activity;sid:84704517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.253.127"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841416/; classtype:trojan-activity;sid:84704516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.71.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841415/; 
classtype:trojan-activity;sid:84704515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.157.252.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841414/; classtype:trojan-activity;sid:84704514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.207.189.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841413/; classtype:trojan-activity;sid:84704513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.233.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841412/; classtype:trojan-activity;sid:84704512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.157.252.30"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841411/; classtype:trojan-activity;sid:84704511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.110.97"; depth:14; isdataat:!1,relative; 
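metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841410/; classtype:trojan-activity;sid:84704510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.71.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841409/; classtype:trojan-activity;sid:84704509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.199.194.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841408/; classtype:trojan-activity;sid:84704508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.244.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841407/; classtype:trojan-activity;sid:84704507; rev:1;)
# The URI pattern below is 24 bytes long: |3f| is one byte ('?'), not four.
# The generated value depth:27 counted the escaped text, so a URI with up to
# three extra leading bytes still matched, unlike the other rules in this
# feed, where depth equals the pattern length and endswith makes the match
# exact. depth is set to 24 to restore that exact match. A feed refresh will
# overwrite this local correction; report the miscount to the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=paztjfesgihyziho"; depth:24; endswith; nocase; http.host; content:"tatyixqn.dunkpo1ytechnic.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841406/; classtype:trojan-activity;sid:84704506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841405)"; flow:established,from_client; http.method; content:"GET"; 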
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.207.189.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841405/; classtype:trojan-activity;sid:84704505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.45.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841404/; classtype:trojan-activity;sid:84704504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.120.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841403/; classtype:trojan-activity;sid:84704503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.50.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841402/; classtype:trojan-activity;sid:84704502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.120.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841401/; classtype:trojan-activity;sid:84704501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3841400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.156.87.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841400/; classtype:trojan-activity;sid:84704500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.102.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841399/; classtype:trojan-activity;sid:84704499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.45.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841397/; classtype:trojan-activity;sid:84704497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.50.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841398/; classtype:trojan-activity;sid:84704498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.151.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841396/; classtype:trojan-activity;sid:84704496; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.113.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841395/; classtype:trojan-activity;sid:84704495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.111.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841394/; classtype:trojan-activity;sid:84704494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.115.37.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841393/; classtype:trojan-activity;sid:84704493; rev:1;)
# NOTE(review): the host in the next rule is a shared code-hosting domain,
# so the exact 40-byte path is the only thing that makes the rule specific;
# never reduce it to a host-only match or block. The host is also normally
# reached over HTTPS, so this http rule presumably fires only on cleartext
# or decrypted traffic. Confirm the sensor sees this host decrypted, or pair
# the rule with proxy or endpoint telemetry for the same URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solid-23/ki/refs/heads/main/boagnif.txt"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841392/; classtype:trojan-activity;sid:84704492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; 
reference:url, urlhaus.abuse.ch/url/3841391/; classtype:trojan-activity;sid:84704491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adminreport/service.txt"; depth:24; endswith; nocase; http.host; content:"mivventi.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841390/; classtype:trojan-activity;sid:84704490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/uy3rcxfk"; depth:13; endswith; nocase; http.host; content:"yaso.su"; depth:7; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841389/; classtype:trojan-activity;sid:84704489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.164.117.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841388/; classtype:trojan-activity;sid:84704488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.151.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841387/; classtype:trojan-activity;sid:84704487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"110.37.111.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841386/; classtype:trojan-activity;sid:84704486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.109.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841385/; classtype:trojan-activity;sid:84704485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841384/; classtype:trojan-activity;sid:84704484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.232.137.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841383/; classtype:trojan-activity;sid:84704483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.26.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841382/; classtype:trojan-activity;sid:84704482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841381)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.180.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841381/; classtype:trojan-activity;sid:84704481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.223.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841380/; classtype:trojan-activity;sid:84704480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.164.117.86"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841379/; classtype:trojan-activity;sid:84704479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.246.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841378/; classtype:trojan-activity;sid:84704478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.191.69.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841377/; classtype:trojan-activity;sid:84704477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3841376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.230.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841376/; classtype:trojan-activity;sid:84704476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.14.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841375/; classtype:trojan-activity;sid:84704475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.64.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841374/; classtype:trojan-activity;sid:84704474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.80.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841373/; classtype:trojan-activity;sid:84704473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.185.133.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841372/; classtype:trojan-activity;sid:84704472; rev:1;) 
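# URLhaus exact-match download rules, restored to one rule per line (Suricata
# reads a rule from a single line).
# Every rule here has the same shape: an outbound HTTP GET whose normalized URI
# and Host header both equal one URLhaus entry.
#   http.uri  : content + depth:<content length> + endswith  -> whole-buffer match
#   http.host : content + depth:<content length> + isdataat:!1,relative -> same
# http.host is already lower-cased by Suricata, so only the URI carries nocase.
# These are point-in-time IoC matches: a different path, query string or host
# will not alert, and only traffic Suricata parses as HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.246.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841371/; classtype:trojan-activity;sid:84704471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.26.106"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841370/; classtype:trojan-activity;sid:84704470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.225.224"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841369/; classtype:trojan-activity;sid:84704469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.111.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841368/; classtype:trojan-activity;sid:84704468; rev:1;)
# Fixed: depth was 28, the length of the escaped text. Each |7c| is a single
# byte ("|"), so the pattern is 22 bytes long. With endswith, depth:28 also
# accepted URIs with up to 6 extra leading bytes; depth:22 restores the exact
# match used by every other rule. This is a feed-generated rule, so the change
# is lost on the next feed update unless it is also corrected at the source.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d|7c|26|7c|h/img_092510.png"; depth:22; endswith; nocase; http.host; content:"lapwop.pw"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841367/; classtype:trojan-activity;sid:84704467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kl0n-green-excel-yy3775-get65/gett3.verification"; depth:49; endswith; nocase; http.host; content:"planbay.represent-skittish.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841366/; classtype:trojan-activity;sid:84704466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/co.js"; depth:6; endswith; nocase; http.host; content:"tina.gautengsound.co.za"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841365/; classtype:trojan-activity;sid:84704465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.81.38.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841364/; classtype:trojan-activity;sid:84704464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.16.164.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841363/; classtype:trojan-activity;sid:84704463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.115.15"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841362/; classtype:trojan-activity;sid:84704462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.226.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841361/; classtype:trojan-activity;sid:84704461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.150.205.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841360/; classtype:trojan-activity;sid:84704460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"94.156.152.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841359/; classtype:trojan-activity;sid:84704459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"94.156.152.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841358/; classtype:trojan-activity;sid:84704458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.mips64"; depth:40; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841353/; classtype:trojan-activity;sid:84704453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.sparc"; depth:39; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841354/; classtype:trojan-activity;sid:84704454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841355/; classtype:trojan-activity;sid:84704455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"94.156.152.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841356/; classtype:trojan-activity;sid:84704456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"94.156.152.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841357/; classtype:trojan-activity;sid:84704457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.125.42.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841352/; classtype:trojan-activity;sid:84704452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.233.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841351/; classtype:trojan-activity;sid:84704451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.21.123.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841350/; classtype:trojan-activity;sid:84704450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.233.133"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841349/; classtype:trojan-activity;sid:84704449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.21.123.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841348/; classtype:trojan-activity;sid:84704448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.95.191.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841347/; classtype:trojan-activity;sid:84704447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.165.187.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841346/; classtype:trojan-activity;sid:84704446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841345/; classtype:trojan-activity;sid:84704445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.81.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841344/; classtype:trojan-activity;sid:84704444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.81.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841343/; classtype:trojan-activity;sid:84704443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.182.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841342/; classtype:trojan-activity;sid:84704442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841341/; classtype:trojan-activity;sid:84704441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adb.sh"; depth:7; endswith; nocase; http.host; content:"94.156.152.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841340/; classtype:trojan-activity;sid:84704440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.sh"; depth:5; endswith; nocase; http.host; content:"94.156.152.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841339/; classtype:trojan-activity;sid:84704439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"unhoq4.arch-vivarium.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841338/; classtype:trojan-activity;sid:84704438; rev:1;)
# The next two rules have identical match conditions (same http.uri and
# http.host), so one request raises both alerts. Presumably the two URLhaus
# entries differ in something the rule does not encode - confirm before
# suppressing either sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lettercinema.vexon6ar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841337/; classtype:trojan-activity;sid:84704437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lettercinema.vexon6ar.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841336/; classtype:trojan-activity;sid:84704436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"genesun.arch-vivarium.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841335/; classtype:trojan-activity;sid:84704435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"parcboo.vexon6ar.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841334/; classtype:trojan-activity;sid:84704434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.29.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841333/; classtype:trojan-activity;sid:84704433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.182.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841332/; classtype:trojan-activity;sid:84704432; rev:1;)
# Identical match conditions again: sids 84704431 and 84704430 fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cwpjb6yk.arch-vivarium.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841331/; classtype:trojan-activity;sid:84704431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cwpjb6yk.arch-vivarium.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841330/; classtype:trojan-activity;sid:84704430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"rapid-forge.vexon6ar.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841329/; classtype:trojan-activity;sid:84704429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.26.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841328/; classtype:trojan-activity;sid:84704428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"neuralcra.arch-vivarium.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841327/; classtype:trojan-activity;sid:84704427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.185.133.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841326/; classtype:trojan-activity;sid:84704426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"moledynam.vexon6ar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841325/; classtype:trojan-activity;sid:84704425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"onpyo.vexon6ar.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841324/; classtype:trojan-activity;sid:84704424; rev:1;)
# Identical match conditions again: sids 84704423 and 84704422 fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dawn3-spool.fixionmunici9al.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841323/; classtype:trojan-activity;sid:84704423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dawn3-spool.fixionmunici9al.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841322/; classtype:trojan-activity;sid:84704422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"xs2f.fixionmunici9al.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841321/; classtype:trojan-activity;sid:84704421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.233.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841320/; classtype:trojan-activity;sid:84704420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"xwpw.vexon6ar.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841319/; classtype:trojan-activity;sid:84704419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.194.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841318/; classtype:trojan-activity;sid:84704418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"1ce6-route.fixionmunici9al.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841317/; classtype:trojan-activity;sid:84704417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.115.221.12"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841316/; classtype:trojan-activity;sid:84704416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"thre-thic.pav1mirex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841315/; classtype:trojan-activity;sid:84704415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"18nnbu.fixionmunici9al.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841314/; classtype:trojan-activity;sid:84704414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.232.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841313/; classtype:trojan-activity;sid:84704413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"listenermacro.pav1mirex.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841312/; classtype:trojan-activity;sid:84704412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"1llume-sync.fixionmunici9al.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841311/; classtype:trojan-activity;sid:84704411; rev:1;)
# Identical match conditions again: sids 84704410 and 84704409 fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"hvr071.pav1mirex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841310/; classtype:trojan-activity;sid:84704410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"hvr071.pav1mirex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841309/; classtype:trojan-activity;sid:84704409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.233.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841308/; classtype:trojan-activity;sid:84704408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.29.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841307/; classtype:trojan-activity;sid:84704407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.187.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841306/; classtype:trojan-activity;sid:84704406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"birc6-trail.fixionmunici9al.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841305/; classtype:trojan-activity;sid:84704405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"launch-point.pav1mirex.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841304/; classtype:trojan-activity;sid:84704404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"solarvine.pav1mirex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841303/; classtype:trojan-activity;sid:84704403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"supplyvau.fixionmunici9al.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841302/; classtype:trojan-activity;sid:84704402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"shellengi.pastor-publicist.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841301/; classtype:trojan-activity;sid:84704401; rev:1;)
# Identical match conditions again: sids 84704400 and 84704399 fire together.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"h1ll-switch.pav1mirex.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841300/; classtype:trojan-activity;sid:84704400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"h1ll-switch.pav1mirex.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841299/; classtype:trojan-activity;sid:84704399; rev:1;)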
# URLhaus "Known malware download URL" signatures, URL ids 3841298 down to 3841245,
# restored to one rule per line (the page had wrapped them mid-rule).
#
# Every rule in this run has the same shape:
#   flow:established,from_client + http.method content:"GET"
#       client-side GET requests on an established flow.
#   http.uri content:"<path>"; depth:<len>; endswith; nocase
#       depth equals the length of <path> and endswith pins the end of the buffer, so the
#       URI must equal <path> exactly (case-insensitive). A request carrying a query string
#       or a longer path does not match.
#   http.host content:"<host>"; depth:<len>; isdataat:!1,relative
#       the same exact-match construction on the host buffer (nothing may follow the match).
#   sid is the URLhaus id plus a constant offset (80863100) in every rule shown here.
#
# Review notes for deployment:
#   - "alert http" only fires on HTTP the sensor can parse. A fetch of the same URL over TLS is
#     not seen unless the traffic is decrypted; consider complementary tls.sni / dns.query
#     matching for the hostnames listed here.
#   - Three pairs of URLhaus ids below have an identical host + URI, so a single request raises
#     two alerts. Presumably the reported URLs differ in something the rule does not encode
#     (scheme or port) - confirm on the referenced URLhaus page. Deduplicate in the alert
#     pipeline or apply a threshold instead of editing the sids.
#   - NOTE(review): sid and rev look feed-generated, so local edits would likely be overwritten
#     by the next feed update - confirm before changing rule text.
#   - Rules are keyed on metadata:created_at 2026_05_07; use it to age out stale IP-literal
#     hosts when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.247.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841298/; classtype:trojan-activity;sid:84704398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"casual-hinge.pastor-publicist.lat"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841297/; classtype:trojan-activity;sid:84704397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"irngvd.pav1mirex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841296/; classtype:trojan-activity;sid:84704396; rev:1;)
# Same host + URI as 3841296 above: one request fires both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"irngvd.pav1mirex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841295/; classtype:trojan-activity;sid:84704395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.167.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841294/; classtype:trojan-activity;sid:84704394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"rgd2.pastor-publicist.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841293/; classtype:trojan-activity;sid:84704393; rev:1;)
# Same host + URI as 3841293 above: one request fires both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"rgd2.pastor-publicist.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841292/; classtype:trojan-activity;sid:84704392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"a3vrjnwj.xamir9el.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841291/; classtype:trojan-activity;sid:84704391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"talmark5ix.pastor-publicist.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841290/; classtype:trojan-activity;sid:84704390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"image-mesh.xamir9el.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841289/; classtype:trojan-activity;sid:84704389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"4mnyykj.pastor-publicist.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841288/; classtype:trojan-activity;sid:84704388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.13.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841287/; classtype:trojan-activity;sid:84704387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"jizeeb.xamir9el.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841286/; classtype:trojan-activity;sid:84704386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.200.20.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841285/; classtype:trojan-activity;sid:84704385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.167.205"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841284/; classtype:trojan-activity;sid:84704384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"1oc44-span.pastor-publicist.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841283/; classtype:trojan-activity;sid:84704383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"1oc4l-node.xamir9el.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841282/; classtype:trojan-activity;sid:84704382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.94.86.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841281/; classtype:trojan-activity;sid:84704381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"shore-leaf.pastor-publicist.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841280/; classtype:trojan-activity;sid:84704380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"doma.fastexitnow.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841279/; classtype:trojan-activity;sid:84704379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dynmesh5et.xamir9el.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841278/; classtype:trojan-activity;sid:84704378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"wg1wa8.xamir9el.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841277/; classtype:trojan-activity;sid:84704377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.148.230.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841276/; classtype:trojan-activity;sid:84704376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"mixblo.xamir9el.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841275/; classtype:trojan-activity;sid:84704375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"true.fastexitnow.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841274/; classtype:trojan-activity;sid:84704374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"outerlaunch.tavro4xel.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841273/; classtype:trojan-activity;sid:84704373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.13.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841272/; classtype:trojan-activity;sid:84704372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.200.20.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841271/; classtype:trojan-activity;sid:84704371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"un1o-loop.tavro4xel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841270/; classtype:trojan-activity;sid:84704370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"asts.datarunkey.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841269/; classtype:trojan-activity;sid:84704369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.95.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841268/; classtype:trojan-activity;sid:84704368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sketchbasic.tavro4xel.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841267/; classtype:trojan-activity;sid:84704367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"abh.openlinksys.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841266/; classtype:trojan-activity;sid:84704366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"5107vvgb.tavro4xel.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841265/; classtype:trojan-activity;sid:84704365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.165.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841264/; classtype:trojan-activity;sid:84704364; rev:1;)
# Same host + URI as 3841265 above: one request fires both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"5107vvgb.tavro4xel.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841263/; classtype:trojan-activity;sid:84704363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.242.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841262/; classtype:trojan-activity;sid:84704362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.244.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841261/; classtype:trojan-activity;sid:84704361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tal-linea.tavro4xel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841260/; classtype:trojan-activity;sid:84704360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.111.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841259/; classtype:trojan-activity;sid:84704359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.230.141.123"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841258/; classtype:trojan-activity;sid:84704358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.68.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841257/; classtype:trojan-activity;sid:84704357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.95.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841256/; classtype:trojan-activity;sid:84704356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"69zhzd.tavro4xel.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841255/; classtype:trojan-activity;sid:84704355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"rich-endpo.tavro4xel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841254/; classtype:trojan-activity;sid:84704354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.78.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841253/; classtype:trojan-activity;sid:84704353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.165.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841252/; classtype:trojan-activity;sid:84704352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"rl035mt.7zorelax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841251/; classtype:trojan-activity;sid:84704351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"gitlabh.openlinksys.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841250/; classtype:trojan-activity;sid:84704350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.36.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841249/; classtype:trojan-activity;sid:84704349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"neo-anch0r.7zorelax.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841248/; classtype:trojan-activity;sid:84704348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.36.38"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841247/; classtype:trojan-activity;sid:84704347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.115.15"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841246/; classtype:trojan-activity;sid:84704346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"agmdojf.7zorelax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841245/; classtype:trojan-activity;sid:84704345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apiopss.openlinksys.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841244/; classtype:trojan-activity;sid:84704344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"logbins.openlinksys.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841243/; classtype:trojan-activity;sid:84704343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"4rray-dock.7zorelax.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841242/; classtype:trojan-activity;sid:84704342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.45.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841241/; classtype:trojan-activity;sid:84704341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"115.49.78.11"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841240/; classtype:trojan-activity;sid:84704340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"pipelin-reach.7zorelax.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841239/; classtype:trojan-activity;sid:84704339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appsrch.openlinksys.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841238/; classtype:trojan-activity;sid:84704338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.45.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841237/; classtype:trojan-activity;sid:84704337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.3.36"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841236/; classtype:trojan-activity;sid:84704336; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"jwosviuw.7zorelax.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841235/; classtype:trojan-activity;sid:84704335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.62.94"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841234/; classtype:trojan-activity;sid:84704334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webdocs.openlinksys.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841232/; classtype:trojan-activity;sid:84704332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webdocs.openlinksys.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841233/; classtype:trojan-activity;sid:84704333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"115.61.10.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841231/; classtype:trojan-activity;sid:84704331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"filte-path.7zorelax.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841230/; classtype:trojan-activity;sid:84704330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.10.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841229/; classtype:trojan-activity;sid:84704329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841228/; classtype:trojan-activity;sid:84704328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syskeys.openlinksys.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841227/; classtype:trojan-activity;sid:84704327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3841225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.119.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841225/; classtype:trojan-activity;sid:84704325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.154.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841226/; classtype:trojan-activity;sid:84704326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"wornod.qen2virex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841224/; classtype:trojan-activity;sid:84704324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netmans.datarunkey.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841223/; classtype:trojan-activity;sid:84704323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; 
content:"steadymeasure.qen2virex.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841222/; classtype:trojan-activity;sid:84704322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.55.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841221/; classtype:trojan-activity;sid:84704321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tcpcons.datarunkey.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841220/; classtype:trojan-activity;sid:84704320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sandman.qen2virex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841219/; classtype:trojan-activity;sid:84704319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sandman.qen2virex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841218/; classtype:trojan-activity;sid:84704318; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.130.235.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841217/; classtype:trojan-activity;sid:84704317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshpros.datarunkey.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841216/; classtype:trojan-activity;sid:84704316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"oixkxhga.qen2virex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841215/; classtype:trojan-activity;sid:84704315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"vmlists.datarunkey.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841214/; classtype:trojan-activity;sid:84704314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841213)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"75aohwq.qen2virex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841213/; classtype:trojan-activity;sid:84704313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"75aohwq.qen2virex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841212/; classtype:trojan-activity;sid:84704312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.136.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841211/; classtype:trojan-activity;sid:84704311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"usrgrps.datarunkey.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841210/; classtype:trojan-activity;sid:84704310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.108.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841209/; 
classtype:trojan-activity;sid:84704309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"3ohr8brt.qen2virex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841208/; classtype:trojan-activity;sid:84704308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"optwebs.datarunkey.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841207/; classtype:trojan-activity;sid:84704307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"fmnnyp.qen2virex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841206/; classtype:trojan-activity;sid:84704306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"proxyss.linkdevbase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841205/; classtype:trojan-activity;sid:84704305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3841204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.59.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841204/; classtype:trojan-activity;sid:84704304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ciabjdb.mav8loren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841203/; classtype:trojan-activity;sid:84704303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"lanhops.linkdevbase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841202/; classtype:trojan-activity;sid:84704302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.244.65"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841201/; classtype:trojan-activity;sid:84704301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"go1d8-core.mav8loren.lat"; depth:24; isdataat:!1,relative; 
metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841200/; classtype:trojan-activity;sid:84704300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.58.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841199/; classtype:trojan-activity;sid:84704299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"subclis.linkdevbase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841198/; classtype:trojan-activity;sid:84704298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.136.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841197/; classtype:trojan-activity;sid:84704297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitkits.linkdevbase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841196/; classtype:trojan-activity;sid:84704296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841195)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitkits.linkdevbase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841195/; classtype:trojan-activity;sid:84704295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"arkdraor.mav8loren.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841194/; classtype:trojan-activity;sid:84704294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=gwqbxdigdgbdrivk"; depth:27; endswith; nocase; http.host; content:"gt5kq695.die-reformer.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841193/; classtype:trojan-activity;sid:84704293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.58.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841192/; classtype:trojan-activity;sid:84704292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.230.42"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_07; reference:url, urlhaus.abuse.ch/url/3841191/; classtype:trojan-activity;sid:84704291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ultra-narr0.mav8loren.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841190/; classtype:trojan-activity;sid:84704290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841189/; classtype:trojan-activity;sid:84704289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.180.160.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841188/; classtype:trojan-activity;sid:84704288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"envsets.linkdevbase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841187/; classtype:trojan-activity;sid:84704287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841186)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.241.176.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841186/; classtype:trojan-activity;sid:84704286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"doclabs.linkdevbase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841185/; classtype:trojan-activity;sid:84704285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"m0del9-spool.mav8loren.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841184/; classtype:trojan-activity;sid:84704284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.77.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841183/; classtype:trojan-activity;sid:84704283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"30vw.mav8loren.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_07; 
reference:url, urlhaus.abuse.ch/url/3841182/; classtype:trojan-activity;sid:84704282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syncits.softworkapi.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841181/; classtype:trojan-activity;sid:84704281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.11.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841180/; classtype:trojan-activity;sid:84704280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"roughvocal.mav8loren.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841179/; classtype:trojan-activity;sid:84704279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ioflows.softworkapi.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841178/; classtype:trojan-activity;sid:84704278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3841177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"taskids.softworkapi.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841177/; classtype:trojan-activity;sid:84704277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"5t4g3-port.3toravix.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841176/; classtype:trojan-activity;sid:84704276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841175/; classtype:trojan-activity;sid:84704275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lum-valeon.3toravix.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841174/; classtype:trojan-activity;sid:84704274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; 
content:"comwebs.softworkapi.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841173/; classtype:trojan-activity;sid:84704273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.59.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841172/; classtype:trojan-activity;sid:84704272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.105.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841171/; classtype:trojan-activity;sid:84704271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"trackeglacie.3toravix.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841170/; classtype:trojan-activity;sid:84704270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"refid-xs.softworkapi.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841169/; classtype:trojan-activity;sid:84704269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3841168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"autboxs.softworkapi.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841168/; classtype:trojan-activity;sid:84704268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"autboxs.softworkapi.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841167/; classtype:trojan-activity;sid:84704267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"railmix.3toravix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841166/; classtype:trojan-activity;sid:84704266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.215.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841165/; classtype:trojan-activity;sid:84704265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841164/; classtype:trojan-activity;sid:84704264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"snowvolt.3toravix.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841163/; classtype:trojan-activity;sid:84704263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"domregs.fastexitnow.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841162/; classtype:trojan-activity;sid:84704262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"pwrlogs.fastexitnow.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841161/; classtype:trojan-activity;sid:84704261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"50cia8-route.3toravix.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841160/; 
classtype:trojan-activity;sid:84704260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.236.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841159/; classtype:trojan-activity;sid:84704259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.66.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841158/; classtype:trojan-activity;sid:84704258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.200.81.53"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841157/; classtype:trojan-activity;sid:84704257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tlbwfid.3toravix.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841156/; classtype:trojan-activity;sid:84704256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"119.99.165.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841155/; classtype:trojan-activity;sid:84704255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.119.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841154/; classtype:trojan-activity;sid:84704254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"extnets.fastexitnow.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841153/; classtype:trojan-activity;sid:84704253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"gitlabh.fatovism-r2ccoon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841152/; classtype:trojan-activity;sid:84704252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"apiopss.fatovism-r2ccoon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841151/; classtype:trojan-activity;sid:84704251; rev:1;) 
# URLhaus download-URL rules for URLhaus ids 3841142-3841150 (sids 84704242-84704250),
# all stamped created_at 2026_05_07 and rev:1. Rules are laid out one per line.
#
# How every rule below matches:
#   - Action is alert (nothing is dropped), on client-to-server data of an
#     established flow from $HOME_NET to $EXTERNAL_NET that is parsed as HTTP.
#   - http.method must contain "GET".
#   - http.uri must equal the listed path: depth equals the content length and
#     endswith pins the end of the buffer; nocase ignores case. A request for the
#     same path with a query string or any other suffix does not match.
#   - http.host must equal the listed name or address: depth equals the content
#     length and isdataat:!1,relative requires that no byte follows the match.
#
# Triage notes:
#   - The number in msg and in the reference URL is the URLhaus entry id; check the
#     entry's current status there before treating a hit as a confirmed download.
#   - The same URI path repeats under several hostnames in this block, so a search
#     of proxy or HTTP logs for the path alone may surface hosts not yet listed.
#   - NOTE(review): these are plaintext-HTTP signatures; a download from the same
#     host over TLS is presumably not seen unless traffic is decrypted before the
#     sensor.
#   - NOTE(review): behind an internal forward proxy the client leg may end inside
#     $HOME_NET, so the direction test may not hold; confirm sensor placement.
#   - NOTE(review): whether a Host header carrying an explicit port still satisfies
#     the exact http.host match depends on how the engine fills that buffer; verify
#     on the deployed Suricata version.
#   - NOTE(review): this looks like a generated feed; keep local tuning (disabling
#     by sid, thresholds) outside the file so an update does not overwrite it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"modbuss.fastexitnow.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841150/; classtype:trojan-activity;sid:84704250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"logbins.fatovism-r2ccoon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841149/; classtype:trojan-activity;sid:84704249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"68.185.152.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841148/; classtype:trojan-activity;sid:84704248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srcgets.fastexitnow.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841147/; classtype:trojan-activity;sid:84704247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.7.236.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841146/; classtype:trojan-activity;sid:84704246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.205.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841145/; classtype:trojan-activity;sid:84704245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.8.68"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841144/; classtype:trojan-activity;sid:84704244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"appsrch.fatovism-r2ccoon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841143/; classtype:trojan-activity;sid:84704243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"uidmaps.cloudtaskgo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841142/; classtype:trojan-activity;sid:84704242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.119.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841141/; classtype:trojan-activity;sid:84704241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.82.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841140/; classtype:trojan-activity;sid:84704240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ftpsrvs.cloudtaskgo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841139/; classtype:trojan-activity;sid:84704239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.236.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841138/; classtype:trojan-activity;sid:84704238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.231.7.219"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841137/; classtype:trojan-activity;sid:84704237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"webdocs.fatovism-r2ccoon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841136/; classtype:trojan-activity;sid:84704236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.66.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841134/; classtype:trojan-activity;sid:84704234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.161.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841135/; classtype:trojan-activity;sid:84704235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.59.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841133/; classtype:trojan-activity;sid:84704233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841132)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"libsyss.cloudtaskgo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841132/; classtype:trojan-activity;sid:84704232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"syskeys.fatovism-r2ccoon.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841131/; classtype:trojan-activity;sid:84704231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.144.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841130/; classtype:trojan-activity;sid:84704230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.14.97.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841129/; classtype:trojan-activity;sid:84704229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.42.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841128/; classtype:trojan-activity;sid:84704228; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"netmans.chemistry5till.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841127/; classtype:trojan-activity;sid:84704227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"jobadms.cloudtaskgo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841126/; classtype:trojan-activity;sid:84704226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"rawdats.cloudtaskgo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841125/; classtype:trojan-activity;sid:84704225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.98.97.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841124/; classtype:trojan-activity;sid:84704224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841123)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ziparks.cloudtaskgo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841123/; classtype:trojan-activity;sid:84704223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tcpcons.chemistry5till.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841121/; classtype:trojan-activity;sid:84704221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ziparks.cloudtaskgo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841122/; classtype:trojan-activity;sid:84704222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.231.7.219"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841120/; classtype:trojan-activity;sid:84704220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sshpros.chemistry5till.lat"; depth:26; isdataat:!1,relative; metadata:created_at 
2026_05_07; reference:url, urlhaus.abuse.ch/url/3841119/; classtype:trojan-activity;sid:84704219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"osbases.srvappsite.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841118/; classtype:trojan-activity;sid:84704218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vmlists.chemistry5till.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841117/; classtype:trojan-activity;sid:84704217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vmlists.chemistry5till.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841116/; classtype:trojan-activity;sid:84704216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"metalts.srvappsite.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841115/; classtype:trojan-activity;sid:84704215; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"usrgrps.chemistry5till.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841114/; classtype:trojan-activity;sid:84704214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apidocs.srvappsite.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841113/; classtype:trojan-activity;sid:84704213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"optwebs.chemistry5till.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841112/; classtype:trojan-activity;sid:84704212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dbinsts.srvappsite.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841111/; classtype:trojan-activity;sid:84704211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841110)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"proxyss.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841110/; classtype:trojan-activity;sid:84704210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.srvappsite.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841109/; classtype:trojan-activity;sid:84704209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.98.97.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841108/; classtype:trojan-activity;sid:84704208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.srvappsite.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841107/; classtype:trojan-activity;sid:84704207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lanhops.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 
2026_05_07; reference:url, urlhaus.abuse.ch/url/3841106/; classtype:trojan-activity;sid:84704206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lanhops.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841105/; classtype:trojan-activity;sid:84704205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cmdsets.srvappsite.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841104/; classtype:trojan-activity;sid:84704204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.84.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841103/; classtype:trojan-activity;sid:84704203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.boxvpslog.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841102/; classtype:trojan-activity;sid:84704202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3841101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.boxvpslog.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841101/; classtype:trojan-activity;sid:84704201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"subclis.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841100/; classtype:trojan-activity;sid:84704200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.221.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841099/; classtype:trojan-activity;sid:84704199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"subclis.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841098/; classtype:trojan-activity;sid:84704198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.27.139"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841097/; classtype:trojan-activity;sid:84704197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.84.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841096/; classtype:trojan-activity;sid:84704196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshbins.boxvpslog.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841095/; classtype:trojan-activity;sid:84704195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"bitkits.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841094/; classtype:trojan-activity;sid:84704194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.162.39.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841093/; classtype:trojan-activity;sid:84704193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841092)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sslkeys.boxvpslog.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841092/; classtype:trojan-activity;sid:84704192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"envsets.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841091/; classtype:trojan-activity;sid:84704191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"getcfgs.boxvpslog.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841090/; classtype:trojan-activity;sid:84704190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ipnodes.boxvpslog.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841089/; classtype:trojan-activity;sid:84704189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; 
http.host; content:"doclabs.smell-chat.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841088/; classtype:trojan-activity;sid:84704188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"syncits.inhum2ntendency.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841087/; classtype:trojan-activity;sid:84704187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.105.105"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841086/; classtype:trojan-activity;sid:84704186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"hotfixs.boxvpslog.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841085/; classtype:trojan-activity;sid:84704185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.162.39.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841084/; classtype:trojan-activity;sid:84704184; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ioflows.inhum2ntendency.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841083/; classtype:trojan-activity;sid:84704183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitfoxs.webbitsync.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841082/; classtype:trojan-activity;sid:84704182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"taskids.inhum2ntendency.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841081/; classtype:trojan-activity;sid:84704181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.221.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841079/; classtype:trojan-activity;sid:84704179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"119.185.240.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841080/; classtype:trojan-activity;sid:84704180; rev:1;)
# Exact-match IOC rules, one per URLhaus entry (the id in msg and in reference:url).
# Each fires on an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET when
#   - http.uri equals the listed string: depth is the content length and endswith anchors the end
#     (compared case-insensitively via nocase), so a request with a query string or extra path
#     segment does not match;
#   - http.host equals the listed host: depth is the content length and isdataat:!1,relative
#     requires that no byte follows it.
# Only traffic parsed as HTTP is inspected; the same URL fetched over TLS is not seen by these
# rules unless the traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.127.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841078/; classtype:trojan-activity;sid:84704178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"topsvcs.webbitsync.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841077/; classtype:trojan-activity;sid:84704177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.158.34.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841076/; classtype:trojan-activity;sid:84704176; rev:1;)
# sid 84704175 and sid 84704174 have identical match conditions (same URI, same host) and differ
# only in the URLhaus id, so a single matching request raises both alerts. Correlate on
# host + URI rather than on alert count.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"comwebs.inhum2ntendency.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841075/; classtype:trojan-activity;sid:84704175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"comwebs.inhum2ntendency.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841074/; classtype:trojan-activity;sid:84704174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"opsmgrs.webbitsync.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841073/; classtype:trojan-activity;sid:84704173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.240.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841072/; classtype:trojan-activity;sid:84704172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.106.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841071/; classtype:trojan-activity;sid:84704171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"refid-xs.inhum2ntendency.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841070/; classtype:trojan-activity;sid:84704170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cpupros.webbitsync.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841069/; classtype:trojan-activity;sid:84704169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.246.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841068/; classtype:trojan-activity;sid:84704168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"autboxs.inhum2ntendency.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841067/; classtype:trojan-activity;sid:84704167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.68.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841066/; classtype:trojan-activity;sid:84704166; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"vpsruns.webbitsync.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841065/; classtype:trojan-activity;sid:84704165; rev:1;)
# The rules below pin both the full URI and the full host name. The two long paths
# (/draw-msft-cl0ud-acc-trust7934/gettwo.dll and /sh1ne-apps-testsh-zec833-lives7z/put34b.camp)
# recur unchanged across several subdomains in this listing, but because http.host is matched
# exactly (depth = content length, isdataat:!1,relative), a subdomain that is not listed is not
# covered even if it serves the same path.
# NOTE(review): the destination port is `any` and no port is matched; confirm how your Suricata
# version fills http.host when the Host header carries an explicit :port, since the comparison
# is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.178.146.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841064/; classtype:trojan-activity;sid:84704164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.86.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841063/; classtype:trojan-activity;sid:84704163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dnswebs.webbitsync.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841062/; classtype:trojan-activity;sid:84704162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"domregs.hatched-labile.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841061/; classtype:trojan-activity;sid:84704161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appboxs.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841060/; classtype:trojan-activity;sid:84704160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"pwrlogs.hatched-labile.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841059/; classtype:trojan-activity;sid:84704159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.106.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841058/; classtype:trojan-activity;sid:84704158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"extnets.hatched-labile.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841057/; classtype:trojan-activity;sid:84704157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"devbits.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841056/; classtype:trojan-activity;sid:84704156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvlogs.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841055/; classtype:trojan-activity;sid:84704155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"pkgruns.hatched-labile.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841054/; classtype:trojan-activity;sid:84704154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.25.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841053/; classtype:trojan-activity;sid:84704153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841052)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.86.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841052/; classtype:trojan-activity;sid:84704152; rev:1;)
# Rules in this stretch share one template: HTTP GET from $HOME_NET to $EXTERNAL_NET, URI equal
# to the listed path (nocase) and Host equal to the listed name or IPv4 literal.
# The very short URIs ("/i", "/bin.sh") are only selective because the host is pinned as well;
# they should not be lifted out and used as a stand-alone URI condition.
# metadata:created_at records the rule's creation date (2026_05_07 throughout) and can be used
# to age out entries whose hosts are no longer serving content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.165.98.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841051/; classtype:trojan-activity;sid:84704151; rev:1;)
# sid 84704150 and sid 84704149 have identical match conditions; one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netapis.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841050/; classtype:trojan-activity;sid:84704150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netapis.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841049/; classtype:trojan-activity;sid:84704149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"modbuss.hatched-labile.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841048/; classtype:trojan-activity;sid:84704148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.1.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841047/; classtype:trojan-activity;sid:84704147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.76.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841046/; classtype:trojan-activity;sid:84704146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.158.34.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841045/; classtype:trojan-activity;sid:84704145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"srcgets.hatched-labile.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841044/; classtype:trojan-activity;sid:84704144; rev:1;)
# sid 84704143 and sid 84704141 have identical match conditions; one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webcdnx.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841043/; classtype:trojan-activity;sid:84704143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webcdnx.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841041/; classtype:trojan-activity;sid:84704141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.213.177.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841042/; classtype:trojan-activity;sid:84704142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.193.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841040/; classtype:trojan-activity;sid:84704140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.149.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841039/; classtype:trojan-activity;sid:84704139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3841038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"uidmaps.poi5oneducation.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841038/; classtype:trojan-activity;sid:84704138; rev:1;)
# Each rule alerts on the request only (flow:established,from_client; method GET); nothing in the
# rule inspects the server's response, so an alert shows that an internal host asked for the
# URL, not that a payload was delivered. Pair the alert with HTTP response or file logging when
# triaging.
# The URLhaus id in msg and reference:url identifies the feed entry behind each sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvhubs.nethubtop.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841037/; classtype:trojan-activity;sid:84704137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.0.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841036/; classtype:trojan-activity;sid:84704136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ftpsrvs.poi5oneducation.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841035/; classtype:trojan-activity;sid:84704135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.165.98.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841034/; classtype:trojan-activity;sid:84704134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.76.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841033/; classtype:trojan-activity;sid:84704133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.1.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841032/; classtype:trojan-activity;sid:84704132; rev:1;)
# sid 84704130 and sid 84704131 have identical match conditions (same URI, same host); one
# matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apiopss.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841030/; classtype:trojan-activity;sid:84704130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apiopss.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841031/; classtype:trojan-activity;sid:84704131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.55.207"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841029/; classtype:trojan-activity;sid:84704129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"libsyss.poi5oneducation.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841028/; classtype:trojan-activity;sid:84704128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.149.62"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841027/; classtype:trojan-activity;sid:84704127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"jobadms.poi5oneducation.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841026/; classtype:trojan-activity;sid:84704126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.0.229"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_07; reference:url, urlhaus.abuse.ch/url/3841025/; classtype:trojan-activity;sid:84704125; rev:1;)
# Several URLhaus entries in this stretch resolve to the same (URI, host) pair, so the feed
# emits two rules with identical match conditions and different sids:
#   sid 84704121 / 84704122  (appsrch.sorix7el.lat)
#   sid 84704117 / 84704118  (webdocs.sorix7el.lat)
#   sid 84704116 / 84704115  (syskeys.sorix7el.lat)
# One matching request raises both alerts of a pair. Correlate on host + URI rather than on
# alert count when sizing an incident.
# NOTE(review): what distinguishes the paired entries upstream is not visible in the rules
# themselves; check the referenced URLhaus pages if it matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.193.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841024/; classtype:trojan-activity;sid:84704124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"rawdats.poi5oneducation.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841023/; classtype:trojan-activity;sid:84704123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appsrch.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841021/; classtype:trojan-activity;sid:84704121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appsrch.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841022/; classtype:trojan-activity;sid:84704122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.230.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841020/; classtype:trojan-activity;sid:84704120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ziparks.poi5oneducation.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841019/; classtype:trojan-activity;sid:84704119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webdocs.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841017/; classtype:trojan-activity;sid:84704117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webdocs.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841018/; classtype:trojan-activity;sid:84704118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syskeys.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841016/; classtype:trojan-activity;sid:84704116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syskeys.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841015/; classtype:trojan-activity;sid:84704115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"osbases.puerto-ricans.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841014/; classtype:trojan-activity;sid:84704114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netmans.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841013/; classtype:trojan-activity;sid:84704113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"metalts.puerto-ricans.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841012/; 
classtype:trojan-activity;sid:84704112; rev:1;)
# Exact-match rules on (URI, host): depth equals the content length in both buffers, endswith
# closes http.uri and isdataat:!1,relative closes http.host. URI comparison is case-insensitive
# (nocase).
# Very short URIs in this stretch ("/i", "/lll") identify nothing without the pinned host; keep
# the two conditions together if these rules are adapted locally.
# Rules are `alert` only: they log the request and do not block it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"apidocs.puerto-ricans.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841011/; classtype:trojan-activity;sid:84704111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.249.118.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841010/; classtype:trojan-activity;sid:84704110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lll"; depth:4; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841009/; classtype:trojan-activity;sid:84704109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dbinsts.puerto-ricans.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841007/; classtype:trojan-activity;sid:84704107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshpros.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841008/; classtype:trojan-activity;sid:84704108; rev:1;)
# Host 89.32.41.16 appears under two different /bins/ file names (sid 84704106 here and
# sid 84704102 further down); each name is a separate exact-match rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kbotne.zip"; depth:16; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841006/; classtype:trojan-activity;sid:84704106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.31.180.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841004/; classtype:trojan-activity;sid:84704104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.3.36"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841005/; classtype:trojan-activity;sid:84704105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.202.88.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841003/; classtype:trojan-activity;sid:84704103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kbotne11"; depth:14; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841002/; classtype:trojan-activity;sid:84704102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"skyvpns.puerto-ricans.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841001/; classtype:trojan-activity;sid:84704101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3841000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"vmlists.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3841000/; classtype:trojan-activity;sid:84704100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"98.252.87.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840999/; classtype:trojan-activity;sid:84704099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; 
content:"cmdsets.puerto-ricans.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840998/; classtype:trojan-activity;sid:84704098; rev:1;)
# sid 84704087 through sid 84704097 all pin the same host, 45.153.34.17, and differ only in the
# file name under /bins/. Each is an exact URI match (depth = content length, endswith, nocase),
# so a name under /bins/ that is not listed here raises no alert from these rules.
# NOTE(review): the file names resemble CPU-architecture labels (arm, mips, x86_64, m68k, ...),
# presumably one build per architecture; nothing in the rules confirms this. If it holds, the
# name requested hints at the architecture of the requesting device during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840987/; classtype:trojan-activity;sid:84704087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840988/; classtype:trojan-activity;sid:84704088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840989/; classtype:trojan-activity;sid:84704089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840990/; classtype:trojan-activity;sid:84704090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840991/; classtype:trojan-activity;sid:84704091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840992/; classtype:trojan-activity;sid:84704092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840993/; classtype:trojan-activity;sid:84704093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840994/; classtype:trojan-activity;sid:84704094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840995/; classtype:trojan-activity;sid:84704095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840996/; classtype:trojan-activity;sid:84704096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"45.153.34.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840997/; classtype:trojan-activity;sid:84704097; rev:1;)
# The remaining rules return to the host-name pattern: a fixed long path on a pinned subdomain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"usrgrps.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840986/; classtype:trojan-activity;sid:84704086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tmpdirs.moto7transport.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840985/; classtype:trojan-activity;sid:84704085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; 
endswith; nocase; http.host; content:"optwebs.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840984/; classtype:trojan-activity;sid:84704084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.236.64.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840983/; classtype:trojan-activity;sid:84704083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sshbins.moto7transport.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840982/; classtype:trojan-activity;sid:84704082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"proxyss.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840981/; classtype:trojan-activity;sid:84704081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.247.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840980/; classtype:trojan-activity;sid:84704080; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.88.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840979/; classtype:trojan-activity;sid:84704079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sslkeys.moto7transport.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840978/; classtype:trojan-activity;sid:84704078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"lanhops.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840977/; classtype:trojan-activity;sid:84704077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.201.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840976/; classtype:trojan-activity;sid:84704076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; 
http.host; content:"getcfgs.moto7transport.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840975/; classtype:trojan-activity;sid:84704075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"subclis.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840974/; classtype:trojan-activity;sid:84704074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ipnodes.moto7transport.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840973/; classtype:trojan-activity;sid:84704073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitkits.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840972/; classtype:trojan-activity;sid:84704072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"hotfixs.moto7transport.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, 
urlhaus.abuse.ch/url/3840971/; classtype:trojan-activity;sid:84704071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"envsets.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840970/; classtype:trojan-activity;sid:84704070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"bitfoxs.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840969/; classtype:trojan-activity;sid:84704069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"doclabs.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840968/; classtype:trojan-activity;sid:84704068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.96.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840967/; classtype:trojan-activity;sid:84704067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840966)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"topsvcs.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840966/; classtype:trojan-activity;sid:84704066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syncits.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840965/; classtype:trojan-activity;sid:84704065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.82.84"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840964/; classtype:trojan-activity;sid:84704064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"opsmgrs.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840963/; classtype:trojan-activity;sid:84704063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ioflows.pav8lorex.lat"; 
depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840962/; classtype:trojan-activity;sid:84704062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"cpupros.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840961/; classtype:trojan-activity;sid:84704061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"cpupros.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840960/; classtype:trojan-activity;sid:84704060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.235.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840959/; classtype:trojan-activity;sid:84704059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"taskids.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840958/; classtype:trojan-activity;sid:84704058; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.105.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840957/; classtype:trojan-activity;sid:84704057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.253.143"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840956/; classtype:trojan-activity;sid:84704056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vpsruns.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840955/; classtype:trojan-activity;sid:84704055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vpsruns.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840954/; classtype:trojan-activity;sid:84704054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; 
http.host; content:"comwebs.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840953/; classtype:trojan-activity;sid:84704053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.7.121"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840952/; classtype:trojan-activity;sid:84704052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dnswebs.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840951/; classtype:trojan-activity;sid:84704051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dnswebs.breasted-skoda.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840950/; classtype:trojan-activity;sid:84704050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840949/; classtype:trojan-activity;sid:84704049; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"refid-xs.pav8lorex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840948/; classtype:trojan-activity;sid:84704048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.235.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840947/; classtype:trojan-activity;sid:84704047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"appboxs.mowin8single.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840946/; classtype:trojan-activity;sid:84704046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.7.121"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840945/; classtype:trojan-activity;sid:84704045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; 
content:"autboxs.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840944/; classtype:trojan-activity;sid:84704044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.99.180.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840943/; classtype:trojan-activity;sid:84704043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.208.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840942/; classtype:trojan-activity;sid:84704042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"devbits.mowin8single.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840941/; classtype:trojan-activity;sid:84704041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"domregs.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840940/; classtype:trojan-activity;sid:84704040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3840939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"srvlogs.mowin8single.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840939/; classtype:trojan-activity;sid:84704039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.227.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840938/; classtype:trojan-activity;sid:84704038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"netapis.mowin8single.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840937/; classtype:trojan-activity;sid:84704037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"pwrlogs.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840936/; classtype:trojan-activity;sid:84704036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; 
endswith; nocase; http.host; content:"pwrlogs.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840935/; classtype:trojan-activity;sid:84704035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.70.240"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840934/; classtype:trojan-activity;sid:84704034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.246.84.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840933/; classtype:trojan-activity;sid:84704033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"extnets.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840932/; classtype:trojan-activity;sid:84704032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840931/; classtype:trojan-activity;sid:84704031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3840930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"webcdnx.mowin8single.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840930/; classtype:trojan-activity;sid:84704030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.246.84.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840929/; classtype:trojan-activity;sid:84704029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.163.99.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840928/; classtype:trojan-activity;sid:84704028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"pkgruns.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840927/; classtype:trojan-activity;sid:84704027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"203.99.180.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; 
reference:url, urlhaus.abuse.ch/url/3840926/; classtype:trojan-activity;sid:84704026; rev:1;)
# Rule anatomy for the entries below (they all follow one template):
#   - $HOME_NET -> $EXTERNAL_NET with flow:established,from_client: the match is on an
#     outbound HTTP GET, so a hit identifies the $HOME_NET client that requested the URL.
#   - http.uri: depth equals the length of the content string and endswith pins the end of
#     the buffer, so the whole URI must equal the string (nocase: in any letter case).
#     The same path with anything appended to it is not covered by the rule.
#   - http.host: depth equals the content length and isdataat:!1,relative requires that no
#     byte follows the match, so only that exact host value matches.
#   - sid is the URLhaus entry id + 80863100; msg and reference:url carry the entry id itself,
#     which is the value to look up when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.232.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840925/; classtype:trojan-activity;sid:84704025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"srvhubs.mowin8single.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840924/; classtype:trojan-activity;sid:84704024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"modbuss.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840923/; classtype:trojan-activity;sid:84704023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.87.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840922/; classtype:trojan-activity;sid:84704022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"gitlabh.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840921/; classtype:trojan-activity;sid:84704021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srcgets.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840920/; classtype:trojan-activity;sid:84704020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.156.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840919/; classtype:trojan-activity;sid:84704019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.115.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840918/; classtype:trojan-activity;sid:84704018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"apiopss.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840917/; classtype:trojan-activity;sid:84704017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"uidmaps.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840916/; classtype:trojan-activity;sid:84704016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.108.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840915/; classtype:trojan-activity;sid:84704015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"logbins.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840914/; classtype:trojan-activity;sid:84704014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ftpsrvs.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840913/; classtype:trojan-activity;sid:84704013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"appsrch.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840912/; classtype:trojan-activity;sid:84704012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.122.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840911/; classtype:trojan-activity;sid:84704011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"libsyss.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840910/; classtype:trojan-activity;sid:84704010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.227.68"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840909/; classtype:trojan-activity;sid:84704009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.156.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840908/; classtype:trojan-activity;sid:84704008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"jobadms.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840907/; classtype:trojan-activity;sid:84704007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"webdocs.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840906/; classtype:trojan-activity;sid:84704006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.230.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840904/; classtype:trojan-activity;sid:84704004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.0.88"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840905/; classtype:trojan-activity;sid:84704005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840903)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.115.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840903/; classtype:trojan-activity;sid:84704003; rev:1;)
# Every rule here is an exact-indicator match: one URI string (depth = its length, endswith)
# on one host value (depth = its length, isdataat:!1,relative), seen in an outbound GET.
# metadata:created_at is the only age signal carried by a rule; the entries below cross from
# 2026_05_07 to 2026_05_06.
# NOTE(review): a host written as a bare IPv4 address may later serve unrelated content; check
# the current status of the referenced URLhaus entry when triaging a hit on an older rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"rawdats.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840902/; classtype:trojan-activity;sid:84704002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"syskeys.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_07; reference:url, urlhaus.abuse.ch/url/3840901/; classtype:trojan-activity;sid:84704001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"netmans.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840900/; classtype:trojan-activity;sid:84704000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.0.88"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840899/; classtype:trojan-activity;sid:84703999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ziparks.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840898/; classtype:trojan-activity;sid:84703998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tcpcons.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840897/; classtype:trojan-activity;sid:84703997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.96.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840896/; classtype:trojan-activity;sid:84703996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"osbases.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840895/; classtype:trojan-activity;sid:84703995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sshpros.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840894/; classtype:trojan-activity;sid:84703994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"metalts.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840893/; classtype:trojan-activity;sid:84703993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.82.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840892/; classtype:trojan-activity;sid:84703992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vmlists.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840891/; classtype:trojan-activity;sid:84703991; rev:1;)
# NOTE(review): the next two rules (URLhaus 3840890 and 3840889) have identical http.uri and
# http.host conditions, so a single request raises both sid 84703990 and sid 84703989. The two
# URLhaus entries presumably differ in something the rule does not encode — confirm on the
# referenced pages; count alerts per host+URI rather than per sid to avoid double counting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apidocs.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840890/; classtype:trojan-activity;sid:84703990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apidocs.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840889/; classtype:trojan-activity;sid:84703989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.163.99.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840888/; classtype:trojan-activity;sid:84703988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dbinsts.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840887/; classtype:trojan-activity;sid:84703987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.233.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840886/; classtype:trojan-activity;sid:84703986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"usrgrps.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840885/; classtype:trojan-activity;sid:84703985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.57.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840884/; classtype:trojan-activity;sid:84703984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.38.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840883/; classtype:trojan-activity;sid:84703983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"optwebs.5dorexin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840882/; classtype:trojan-activity;sid:84703982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"proxyss.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840881/; classtype:trojan-activity;sid:84703981; rev:1;)
# The protocol field of every rule below is `http`, so only flows that Suricata identifies as
# HTTP are inspected. NOTE(review): the same hosts reached over TLS would need separate
# coverage; nothing in the rules shown here provides it.
# Two URI strings recur under many host names in this run: ".../put34b.camp" with names under
# vexon4al.lat and pav8lorex.lat, and ".../gettwo.dll" with names under 1zorelin.lat and
# qen9varol.lat. Each rule pins one full host name (depth = its length, isdataat:!1,relative),
# so a sibling name that is not listed raises no alert from these rules; when triaging a hit,
# searching HTTP logs for the path string itself is a useful pivot.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840880/; classtype:trojan-activity;sid:84703980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.84.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840879/; classtype:trojan-activity;sid:84703979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.39.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840878/; classtype:trojan-activity;sid:84703978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cmdsets.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840877/; classtype:trojan-activity;sid:84703977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lanhops.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840876/; classtype:trojan-activity;sid:84703976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.13.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840875/; classtype:trojan-activity;sid:84703975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840874/; classtype:trojan-activity;sid:84703974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.54.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840873/; classtype:trojan-activity;sid:84703973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"subclis.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840872/; classtype:trojan-activity;sid:84703972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshbins.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840871/; classtype:trojan-activity;sid:84703971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"bitkits.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840870/; classtype:trojan-activity;sid:84703970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sslkeys.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840869/; classtype:trojan-activity;sid:84703969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"envsets.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840868/; classtype:trojan-activity;sid:84703968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.84.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840867/; classtype:trojan-activity;sid:84703967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"getcfgs.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840866/; classtype:trojan-activity;sid:84703966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.38.17"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840865/; classtype:trojan-activity;sid:84703965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ipnodes.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840864/; classtype:trojan-activity;sid:84703964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.217.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840863/; classtype:trojan-activity;sid:84703963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"doclabs.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840862/; classtype:trojan-activity;sid:84703962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.187.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840861/; classtype:trojan-activity;sid:84703961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"syncits.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840860/; classtype:trojan-activity;sid:84703960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.125.21.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840859/; classtype:trojan-activity;sid:84703959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840858)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.54.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840858/; classtype:trojan-activity;sid:84703958; rev:1;)
# Host values below are either bare IPv4 addresses (paired with the paths "/i" and "/bin.sh")
# or names under qen9varol.lat, mav2lirex.lat, pav8lorex.lat and xamir3on.lat.
# "/i" and "/bin.sh" are short, generic paths: it is the exact http.host match
# (depth = content length, isdataat:!1,relative) that makes those rules specific, so the host
# value is the part to verify first when triaging a hit.
# The numeric id in msg and reference:url is the URLhaus entry; sid is that id + 80863100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.26.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840857/; classtype:trojan-activity;sid:84703957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.187.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840856/; classtype:trojan-activity;sid:84703956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"hotfixs.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840854/; classtype:trojan-activity;sid:84703954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.123.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840855/; classtype:trojan-activity;sid:84703955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840853/; classtype:trojan-activity;sid:84703953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitfoxs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840852/; classtype:trojan-activity;sid:84703952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ioflows.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840851/; classtype:trojan-activity;sid:84703951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.127.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840850/; classtype:trojan-activity;sid:84703950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"taskids.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840849/; classtype:trojan-activity;sid:84703949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"topsvcs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840848/; classtype:trojan-activity;sid:84703948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"opsmgrs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840847/; classtype:trojan-activity;sid:84703947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840846/; classtype:trojan-activity;sid:84703946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"comwebs.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840845/; classtype:trojan-activity;sid:84703945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.123.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840844/; classtype:trojan-activity;sid:84703944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cpupros.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840843/; classtype:trojan-activity;sid:84703943; rev:1;)
# NOTE(review): the next two rules (URLhaus 3840842 and 3840841) have identical http.uri and
# http.host conditions, so a single request raises both sid 84703942 and sid 84703941. The two
# URLhaus entries presumably differ in something the rule does not encode — confirm on the
# referenced pages; count alerts per host+URI rather than per sid to avoid double counting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"refid-xs.pav8lorex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840842/; classtype:trojan-activity;sid:84703942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"refid-xs.pav8lorex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840841/; classtype:trojan-activity;sid:84703941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.157.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840840/; classtype:trojan-activity;sid:84703940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.76.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840839/; classtype:trojan-activity;sid:84703939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"autboxs.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840838/; classtype:trojan-activity;sid:84703938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"vpsruns.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840837/; classtype:trojan-activity;sid:84703937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.94.86.183"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840836/; classtype:trojan-activity;sid:84703936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.99.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840835/; classtype:trojan-activity;sid:84703935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"domregs.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840834/; classtype:trojan-activity;sid:84703934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.3.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840833/; classtype:trojan-activity;sid:84703933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dnswebs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840832/; classtype:trojan-activity;sid:84703932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; 
content:"pwrlogs.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840831/; classtype:trojan-activity;sid:84703931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.140.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840830/; classtype:trojan-activity;sid:84703930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appboxs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840829/; classtype:trojan-activity;sid:84703929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"extnets.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840828/; classtype:trojan-activity;sid:84703928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.26.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840827/; classtype:trojan-activity;sid:84703927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3840826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"devbits.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840826/; classtype:trojan-activity;sid:84703926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.241.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840825/; classtype:trojan-activity;sid:84703925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvlogs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840824/; classtype:trojan-activity;sid:84703924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvlogs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840823/; classtype:trojan-activity;sid:84703923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; 
content:"pkgruns.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840822/; classtype:trojan-activity;sid:84703922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.42.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840821/; classtype:trojan-activity;sid:84703921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.16.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840820/; classtype:trojan-activity;sid:84703920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.3.115"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840819/; classtype:trojan-activity;sid:84703919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netapis.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840818/; classtype:trojan-activity;sid:84703918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840817)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"modbuss.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840817/; classtype:trojan-activity;sid:84703917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.127.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840816/; classtype:trojan-activity;sid:84703916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.140.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840815/; classtype:trojan-activity;sid:84703915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"srcgets.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840814/; classtype:trojan-activity;sid:84703914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.217.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840813/; classtype:trojan-activity;sid:84703913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webcdnx.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840812/; classtype:trojan-activity;sid:84703912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|filename=11.msi"; depth:20; endswith; nocase; http.host; content:"bafybeibh6u74fuvyazqu2q7y6pginkxprjurxchgfshwigrs5y77qcbj6i.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840811/; classtype:trojan-activity;sid:84703911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvhubs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840810/; classtype:trojan-activity;sid:84703910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"uidmaps.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840809/; classtype:trojan-activity;sid:84703909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3840808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvhubs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840808/; classtype:trojan-activity;sid:84703908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"gitlabh.filipen-typograp.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840807/; classtype:trojan-activity;sid:84703907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ftpsrvs.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840806/; classtype:trojan-activity;sid:84703906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.122.26"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840805/; classtype:trojan-activity;sid:84703905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.233.235.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840804/; classtype:trojan-activity;sid:84703904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apiopss.filipen-typograp.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840803/; classtype:trojan-activity;sid:84703903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"libsyss.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840802/; classtype:trojan-activity;sid:84703902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"logbins.filipen-typograp.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840801/; classtype:trojan-activity;sid:84703901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"///arm5"; depth:7; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840800/; classtype:trojan-activity;sid:84703900; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.77.69.225"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840799/; classtype:trojan-activity;sid:84703899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"jobadms.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840798/; classtype:trojan-activity;sid:84703898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appsrch.filipen-typograp.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840797/; classtype:trojan-activity;sid:84703897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appsrch.filipen-typograp.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840796/; classtype:trojan-activity;sid:84703896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840792)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/b/mips64"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840792/; classtype:trojan-activity;sid:84703892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/mipsel"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840793/; classtype:trojan-activity;sid:84703893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/arm6"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840794/; classtype:trojan-activity;sid:84703894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/kal32"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840795/; classtype:trojan-activity;sid:84703895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/amd64"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840789/; classtype:trojan-activity;sid:84703889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3840790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/mips64"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840790/; classtype:trojan-activity;sid:84703890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/mips64el"; depth:11; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840791/; classtype:trojan-activity;sid:84703891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/arm5"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840782/; classtype:trojan-activity;sid:84703882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/kal64"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840783/; classtype:trojan-activity;sid:84703883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/mips64"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840784/; classtype:trojan-activity;sid:84703884; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/arm6"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840785/; classtype:trojan-activity;sid:84703885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/kal64"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840786/; classtype:trojan-activity;sid:84703886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/mips"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840787/; classtype:trojan-activity;sid:84703887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/mips64el"; depth:11; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840788/; classtype:trojan-activity;sid:84703888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/kswpad"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_06; reference:url, urlhaus.abuse.ch/url/3840781/; classtype:trojan-activity;sid:84703881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/kal32"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840778/; classtype:trojan-activity;sid:84703878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/386"; depth:6; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840779/; classtype:trojan-activity;sid:84703879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/mipsel"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840780/; classtype:trojan-activity;sid:84703880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/arm5"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840770/; classtype:trojan-activity;sid:84703870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/aarch64"; depth:10; endswith; nocase; 
http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840771/; classtype:trojan-activity;sid:84703871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/linux"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840772/; classtype:trojan-activity;sid:84703872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/amd64"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840773/; classtype:trojan-activity;sid:84703873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/kal64"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840774/; classtype:trojan-activity;sid:84703874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/arm7"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840775/; classtype:trojan-activity;sid:84703875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840776)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/s/mipsel"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840776/; classtype:trojan-activity;sid:84703876; rev:1;)
# How to read the rules below (one rule per line):
#   - "alert http" + http.method "GET": only requests that Suricata parses as cleartext HTTP
#     are inspected; a fetch of the same URL over TLS is not seen without decryption.
#   - flow:established,from_client with $HOME_NET -> $EXTERNAL_NET: the alert fires on the
#     outbound request. It shows that an internal host asked for the URL, not that the
#     payload was delivered; confirm with the response or file-extraction logs.
#   - http.uri content + "depth:N; endswith" (N = content length) is a whole-URI match, made
#     case-insensitive by nocase. Any extra path segment or query string defeats the match.
#   - http.host content + "depth:N; isdataat:!1,relative" is a whole-hostname match.
#   - The number in msg and in the reference URL is the URLhaus entry id.
#
# Host 195.177.94.68: paths under /s/, /b/ and /t/ with file names that look like
# CPU-architecture build names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/kswpad"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840777/; classtype:trojan-activity;sid:84703877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/arm7"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840755/; classtype:trojan-activity;sid:84703855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/kal32"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840756/; classtype:trojan-activity;sid:84703856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/arm7"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840757/; classtype:trojan-activity;sid:84703857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/aarch64"; depth:10; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840758/; classtype:trojan-activity;sid:84703858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/aarch64"; depth:10; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840759/; classtype:trojan-activity;sid:84703859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/amd64"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840760/; classtype:trojan-activity;sid:84703860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/arm6"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840761/; classtype:trojan-activity;sid:84703861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/mips"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840762/; classtype:trojan-activity;sid:84703862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/386"; depth:6; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840763/; classtype:trojan-activity;sid:84703863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/linux"; depth:8; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840764/; classtype:trojan-activity;sid:84703864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/arm5"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840765/; classtype:trojan-activity;sid:84703865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/kswpad"; depth:9; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840766/; classtype:trojan-activity;sid:84703866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/mips64el"; depth:11; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840767/; classtype:trojan-activity;sid:84703867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/386"; depth:6; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840768/; classtype:trojan-activity;sid:84703868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/mips"; depth:7; endswith; nocase; http.host; content:"195.177.94.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840769/; classtype:trojan-activity;sid:84703869; rev:1;)
# Host 94.26.106.29: two payload names under /bins/.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"94.26.106.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840753/; classtype:trojan-activity;sid:84703853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"94.26.106.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840754/; classtype:trojan-activity;sid:84703854; rev:1;)
# Host 87.121.84.23: short root-level paths. These are generic names ("/arm", "/x86", ...);
# the alerts stay specific only because the http.host condition pins the exact server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840745/; classtype:trojan-activity;sid:84703845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840746/; classtype:trojan-activity;sid:84703846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840747/; classtype:trojan-activity;sid:84703847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840748/; classtype:trojan-activity;sid:84703848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840749/; classtype:trojan-activity;sid:84703849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840750/; classtype:trojan-activity;sid:84703850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840751/; classtype:trojan-activity;sid:84703851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840752/; classtype:trojan-activity;sid:84703852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840738/; classtype:trojan-activity;sid:84703838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.exe"; depth:11; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840739/; classtype:trojan-activity;sid:84703839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840740/; classtype:trojan-activity;sid:84703840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840741/; classtype:trojan-activity;sid:84703841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840742/; classtype:trojan-activity;sid:84703842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840743/; classtype:trojan-activity;sid:84703843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"87.121.84.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840744/; classtype:trojan-activity;sid:84703844; rev:1;)
# Mixed entries. Two long URIs (".../put34b.camp" and ".../gettwo.dll") recur across many
# hostnames under .lat domains. Each rule pins one exact hostname, so a sibling subdomain
# that is not listed here raises no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"rawdats.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840737/; classtype:trojan-activity;sid:84703837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.235.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840736/; classtype:trojan-activity;sid:84703836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ziparks.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840735/; classtype:trojan-activity;sid:84703835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webdocs.filipen-typograp.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840734/; classtype:trojan-activity;sid:84703834; rev:1;)
# The next two rules share the URI "/o.xml"; the first matches the bare IP as Host, the
# second a hostname that embeds the same address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"176.65.149.223"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840733/; classtype:trojan-activity;sid:84703833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"176.65.149.223.ptr.pfcloud.network"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840732/; classtype:trojan-activity;sid:84703832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syskeys.filipen-typograp.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840731/; classtype:trojan-activity;sid:84703831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"osbases.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840730/; classtype:trojan-activity;sid:84703830; rev:1;)
# NOTE(review): sids 84703828 and 84703829 have identical http.uri and http.host
# conditions, so a single request raises both alerts. Presumably the two URLhaus entries
# differ in something the rule does not encode (scheme or port); confirm on the reference
# pages, and deduplicate downstream on host + URI rather than on sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netmans.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840728/; classtype:trojan-activity;sid:84703828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netmans.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840729/; classtype:trojan-activity;sid:84703829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.241.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840727/; classtype:trojan-activity;sid:84703827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.235.124"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840726/; classtype:trojan-activity;sid:84703826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"metalts.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840725/; classtype:trojan-activity;sid:84703825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.150.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840724/; classtype:trojan-activity;sid:84703824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tcpcons.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840723/; classtype:trojan-activity;sid:84703823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.105.189"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840722/; classtype:trojan-activity;sid:84703822; rev:1;)
# Host 45.67.138.144: short root-level paths, again specific only through the host pin.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840716/; classtype:trojan-activity;sid:84703816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840717/; classtype:trojan-activity;sid:84703817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840718/; classtype:trojan-activity;sid:84703818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840719/; classtype:trojan-activity;sid:84703819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840720/; classtype:trojan-activity;sid:84703820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840721/; classtype:trojan-activity;sid:84703821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840714/; classtype:trojan-activity;sid:84703814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840715/; classtype:trojan-activity;sid:84703815; rev:1;)
# NOTE(review): sid 84703813 has the same http.uri and http.host conditions as sid 84703802
# later in this file; one request raises both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshpros.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840713/; classtype:trojan-activity;sid:84703813; rev:1;)
# Host 216.9.225.23: /huhu/titanjr.<suffix> payload names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i486"; depth:18; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840705/; classtype:trojan-activity;sid:84703805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.m68k"; depth:18; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840706/; classtype:trojan-activity;sid:84703806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.sh4"; depth:17; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840707/; classtype:trojan-activity;sid:84703807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mipsl"; depth:19; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840708/; classtype:trojan-activity;sid:84703808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc"; depth:17; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840709/; classtype:trojan-activity;sid:84703809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arc"; depth:17; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840710/; classtype:trojan-activity;sid:84703810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm5"; depth:18; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840711/; classtype:trojan-activity;sid:84703811; rev:1;)
# Rules in this stretch (one per line) all have the same shape: a cleartext-HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri and http.host both equal one recorded URLhaus
# entry. "depth:N; endswith" pins the whole URI (case-insensitively, via nocase) and
# "depth:N; isdataat:!1,relative" pins the whole hostname. The alert fires on the request,
# so it records the fetch attempt; it does not show that the payload was returned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_64"; depth:20; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840712/; classtype:trojan-activity;sid:84703812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.mips"; depth:18; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840703/; classtype:trojan-activity;sid:84703803; rev:1;)
# "/i" and "/bin.sh" on bare-IP hosts recur below. The URI alone is far too generic to
# alert on; these rules are specific only because the http.host condition pins the exact IP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.127.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840704/; classtype:trojan-activity;sid:84703804; rev:1;)
# NOTE(review): sid 84703802 has the same http.uri and http.host conditions as sid 84703813
# earlier in this file; one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshpros.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840702/; classtype:trojan-activity;sid:84703802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"apidocs.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840701/; classtype:trojan-activity;sid:84703801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dbinsts.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840700/; classtype:trojan-activity;sid:84703800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.41.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840699/; classtype:trojan-activity;sid:84703799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"vmlists.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840698/; classtype:trojan-activity;sid:84703798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.239.80.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840697/; classtype:trojan-activity;sid:84703797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840696/; classtype:trojan-activity;sid:84703796; rev:1;)
# NOTE(review): sids 84703795 and 84703794 have identical http.uri and http.host
# conditions, so a single request raises both alerts. Presumably the two URLhaus entries
# differ in something the rule does not encode (scheme or port); confirm on the reference
# pages, and deduplicate downstream on host + URI rather than on sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"skyvpns.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840695/; classtype:trojan-activity;sid:84703795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"skyvpns.1zorelin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840694/; classtype:trojan-activity;sid:84703794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"usrgrps.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840693/; classtype:trojan-activity;sid:84703793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.10.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840692/; classtype:trojan-activity;sid:84703792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"optwebs.clampe7outback.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840691/; classtype:trojan-activity;sid:84703791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.41.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840690/; classtype:trojan-activity;sid:84703790; rev:1;)
# NOTE(review): |3f| is the hex escape for "?", so this content is 24 bytes long, yet depth
# is 27 (it looks as if the escape was counted as four characters). Together with endswith
# the pattern may begin up to 3 bytes into the URI, so unlike its neighbours this rule is
# not a strict whole-URI match. Impact is small, since http.host is still pinned exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=nkpswesubxsjjxip"; depth:27; endswith; nocase; http.host; content:"x8jh7qqg.die-reformer.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840689/; classtype:trojan-activity;sid:84703789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.193.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840688/; classtype:trojan-activity;sid:84703788; rev:1;)
# NOTE(review): sids 84703786 and 84703787 have identical http.uri and http.host
# conditions; a single request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tmpdirs.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840686/; classtype:trojan-activity;sid:84703786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tmpdirs.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840687/; classtype:trojan-activity;sid:84703787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"proxyss.captive-portal.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840685/; classtype:trojan-activity;sid:84703785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.243.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840683/; classtype:trojan-activity;sid:84703783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.162.60.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840684/; classtype:trojan-activity;sid:84703784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.10.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840682/; classtype:trojan-activity;sid:84703782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.208.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840681/; classtype:trojan-activity;sid:84703781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sshbins.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840680/; classtype:trojan-activity;sid:84703780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"lanhops.captive-portal.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840679/; classtype:trojan-activity;sid:84703779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3840678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"subclis.captive-portal.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840678/; classtype:trojan-activity;sid:84703778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sslkeys.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840677/; classtype:trojan-activity;sid:84703777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.215.103"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840676/; classtype:trojan-activity;sid:84703776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.42.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840675/; classtype:trojan-activity;sid:84703775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"getcfgs.qen9varol.lat"; depth:21; isdataat:!1,relative; 
metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840673/; classtype:trojan-activity;sid:84703773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitkits.captive-portal.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840674/; classtype:trojan-activity;sid:84703774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.243.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840672/; classtype:trojan-activity;sid:84703772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ipnodes.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840671/; classtype:trojan-activity;sid:84703771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"envsets.captive-portal.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840670/; classtype:trojan-activity;sid:84703770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3840669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.105.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840669/; classtype:trojan-activity;sid:84703769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.242.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840668/; classtype:trojan-activity;sid:84703768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"doclabs.captive-portal.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840667/; classtype:trojan-activity;sid:84703767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"hotfixs.qen9varol.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840666/; classtype:trojan-activity;sid:84703766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.127.128"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840665/; classtype:trojan-activity;sid:84703765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"bitfoxs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840664/; classtype:trojan-activity;sid:84703764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syncits.academicunmemo7.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840663/; classtype:trojan-activity;sid:84703763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"bitfoxs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840662/; classtype:trojan-activity;sid:84703762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"syncits.academicunmemo7.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840661/; classtype:trojan-activity;sid:84703761; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840659/; classtype:trojan-activity;sid:84703759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/px86"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840660/; classtype:trojan-activity;sid:84703760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kla.sh"; depth:12; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840654/; classtype:trojan-activity;sid:84703754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm6"; depth:11; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840655/; classtype:trojan-activity;sid:84703755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; 
reference:url, urlhaus.abuse.ch/url/3840656/; classtype:trojan-activity;sid:84703756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840657/; classtype:trojan-activity;sid:84703757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmips"; depth:11; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840658/; classtype:trojan-activity;sid:84703758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.162.60.250"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840653/; classtype:trojan-activity;sid:84703753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ioflows.academicunmemo7.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840652/; classtype:trojan-activity;sid:84703752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840651)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"topsvcs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840651/; classtype:trojan-activity;sid:84703751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"taskids.academicunmemo7.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840650/; classtype:trojan-activity;sid:84703750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"opsmgrs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840649/; classtype:trojan-activity;sid:84703749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.9.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840648/; classtype:trojan-activity;sid:84703748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"cpupros.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; 
reference:url, urlhaus.abuse.ch/url/3840647/; classtype:trojan-activity;sid:84703747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"comwebs.academicunmemo7.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840646/; classtype:trojan-activity;sid:84703746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"refid-xs.academicunmemo7.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840645/; classtype:trojan-activity;sid:84703745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"refid-xs.academicunmemo7.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840644/; classtype:trojan-activity;sid:84703744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vpsruns.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840643/; classtype:trojan-activity;sid:84703743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3840642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vpsruns.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840642/; classtype:trojan-activity;sid:84703742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"autboxs.academicunmemo7.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840641/; classtype:trojan-activity;sid:84703741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.242.25"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840640/; classtype:trojan-activity;sid:84703740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dnswebs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840639/; classtype:trojan-activity;sid:84703739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"222.138.79.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840638/; classtype:trojan-activity;sid:84703738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dnswebs.mav2lirex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840637/; classtype:trojan-activity;sid:84703737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"appboxs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840636/; classtype:trojan-activity;sid:84703736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"domregs.cobble-mortgag.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840635/; classtype:trojan-activity;sid:84703735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"pwrlogs.cobble-mortgag.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840634/; 
classtype:trojan-activity;sid:84703734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"extnets.cobble-mortgag.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840633/; classtype:trojan-activity;sid:84703733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.9.151"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840632/; classtype:trojan-activity;sid:84703732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"devbits.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840631/; classtype:trojan-activity;sid:84703731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840630/; classtype:trojan-activity;sid:84703730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840629)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"srvlogs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840629/; classtype:trojan-activity;sid:84703729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"pkgruns.cobble-mortgag.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840628/; classtype:trojan-activity;sid:84703728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"netapis.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840627/; classtype:trojan-activity;sid:84703727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"modbuss.cobble-mortgag.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840626/; classtype:trojan-activity;sid:84703726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.210.194.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; 
reference:url, urlhaus.abuse.ch/url/3840625/; classtype:trojan-activity;sid:84703725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"webcdnx.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840624/; classtype:trojan-activity;sid:84703724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srcgets.cobble-mortgag.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840623/; classtype:trojan-activity;sid:84703723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.79.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840622/; classtype:trojan-activity;sid:84703722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"uidmaps.setting5hoo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840621/; classtype:trojan-activity;sid:84703721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3840620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"srvhubs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840620/; classtype:trojan-activity;sid:84703720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"srvhubs.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840619/; classtype:trojan-activity;sid:84703719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840618/; classtype:trojan-activity;sid:84703718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ftpsrvs.setting5hoo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840617/; classtype:trojan-activity;sid:84703717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.28.220"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840616/; classtype:trojan-activity;sid:84703716; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules below (laid out one rule per line).
#
# What each rule matches, read from its options:
#   * flow:established,from_client; http.method; content:"GET"
#       -> client GET requests on an established flow, $HOME_NET -> $EXTERNAL_NET.
#   * http.uri; content:"<path>"; depth:<len>; endswith; nocase
#       -> depth equals the pattern length and endswith pins the end of the
#          buffer, so the URI must equal <path> (case-insensitively). The same
#          file requested with a query string or under another path is missed.
#   * http.host; content:"<host>"; depth:<len>; isdataat:!1,relative
#       -> no byte may follow the pattern, so the host must equal <host>;
#          sibling hosts under the same parent domain are not covered.
#   * msg, reference and sid all carry the URLhaus entry id (in these rules
#     sid = entry id + 80863100); the reference URL is the pivot for triage.
#
# Operational caveats:
#   * "alert http" only fires on traffic the HTTP parser can read; the same
#     download over TLS is not matched unless traffic is decrypted upstream.
#   * $HOME_NET / $EXTERNAL_NET must describe the monitored network, or the
#     direction test fails and the rules stay silent.
#   * The action is "alert": these rules detect, they do not block.
#   * Many hosts here are bare IP addresses; check the entry's current status
#     at its reference URL before treating a hit on an older entry as confirmed.
#   * NOTE(review): these sid pairs have identical match options, so a single
#     request raises both alerts: 84703714/84703713, 84703703/84703702,
#     84703701/84703700, 84703689/84703687, 84703681/84703680. Presumably the
#     URLhaus entries differ in something the rule does not encode (scheme or
#     port, for example) - confirm on URLhaus and account for it when counting.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840615/; classtype:trojan-activity;sid:84703715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"libsyss.setting5hoo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840614/; classtype:trojan-activity;sid:84703714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"libsyss.setting5hoo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840613/; classtype:trojan-activity;sid:84703713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"jobadms.setting5hoo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840612/; classtype:trojan-activity;sid:84703712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.210.194.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840611/; classtype:trojan-activity;sid:84703711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"meta-narr0.sorix7el.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840610/; classtype:trojan-activity;sid:84703710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"rawdats.setting5hoo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840609/; classtype:trojan-activity;sid:84703709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ziparks.setting5hoo.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840608/; classtype:trojan-activity;sid:84703708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"itfr9qb.sorix7el.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840607/; classtype:trojan-activity;sid:84703707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"primeproxy.sorix7el.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840606/; classtype:trojan-activity;sid:84703706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"axwq1.sorix7el.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840605/; classtype:trojan-activity;sid:84703705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"osbases.jesuit5itny.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840604/; classtype:trojan-activity;sid:84703704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"solven9ix.sorix7el.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840603/; classtype:trojan-activity;sid:84703703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"solven9ix.sorix7el.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840602/; classtype:trojan-activity;sid:84703702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"metalts.jesuit5itny.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840601/; classtype:trojan-activity;sid:84703701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"metalts.jesuit5itny.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840600/; classtype:trojan-activity;sid:84703700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apidocs.jesuit5itny.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840599/; classtype:trojan-activity;sid:84703699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840598/; classtype:trojan-activity;sid:84703698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ivorywol.sorix7el.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840597/; classtype:trojan-activity;sid:84703697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dbinsts.jesuit5itny.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840596/; classtype:trojan-activity;sid:84703696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"quorlith0or.sorix7el.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840595/; classtype:trojan-activity;sid:84703695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.107.158.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840594/; classtype:trojan-activity;sid:84703694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.jesuit5itny.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840593/; classtype:trojan-activity;sid:84703693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lan39-trail.5dorexin.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840592/; classtype:trojan-activity;sid:84703692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cmdsets.jesuit5itny.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840591/; classtype:trojan-activity;sid:84703691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"arra-track.5dorexin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840590/; classtype:trojan-activity;sid:84703690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.stick-shaped.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840589/; classtype:trojan-activity;sid:84703689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"decoderunway.5dorexin.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840588/; classtype:trojan-activity;sid:84703688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.stick-shaped.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840587/; classtype:trojan-activity;sid:84703687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lischorus.5dorexin.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840586/; classtype:trojan-activity;sid:84703686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshbins.stick-shaped.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840585/; classtype:trojan-activity;sid:84703685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sslkeys.stick-shaped.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840584/; classtype:trojan-activity;sid:84703684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.189.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840583/; classtype:trojan-activity;sid:84703683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840582/; classtype:trojan-activity;sid:84703682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"faithfultin.5dorexin.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840581/; classtype:trojan-activity;sid:84703681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"faithfultin.5dorexin.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840580/; classtype:trojan-activity;sid:84703680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"getcfgs.stick-shaped.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840579/; classtype:trojan-activity;sid:84703679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"glofabric.5dorexin.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840578/; classtype:trojan-activity;sid:84703678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.33.182"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840577/; classtype:trojan-activity;sid:84703677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.156.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840576/; classtype:trojan-activity;sid:84703676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ipnodes.stick-shaped.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840575/; classtype:trojan-activity;sid:84703675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.68.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840574/; classtype:trojan-activity;sid:84703674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840573/; classtype:trojan-activity;sid:84703673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.118.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840572/; classtype:trojan-activity;sid:84703672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"enwz.5dorexin.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840571/; classtype:trojan-activity;sid:84703671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"hotfixs.stick-shaped.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840570/; classtype:trojan-activity;sid:84703670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840569/; classtype:trojan-activity;sid:84703669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.189.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840568/; classtype:trojan-activity;sid:84703668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"validatorpolar.vexon4al.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840567/; classtype:trojan-activity;sid:84703667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.195.7.105"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840566/; classtype:trojan-activity;sid:84703666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840565/; classtype:trojan-activity;sid:84703665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitfoxs.lyasi-special.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840564/; classtype:trojan-activity;sid:84703664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.17.156.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840563/; classtype:trojan-activity;sid:84703663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.54.110.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840562/; classtype:trojan-activity;sid:84703662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.166.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840561/; classtype:trojan-activity;sid:84703661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"r3lay-branch.vexon4al.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840560/; classtype:trojan-activity;sid:84703660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.68.233"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840559/; classtype:trojan-activity;sid:84703659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"topsvcs.lyasi-special.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840558/; classtype:trojan-activity;sid:84703658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840556/; classtype:trojan-activity;sid:84703656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840557/; classtype:trojan-activity;sid:84703657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"45.67.138.144"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840555/; classtype:trojan-activity;sid:84703655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"rurareag.vexon4al.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840554/; classtype:trojan-activity;sid:84703654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"opsmgrs.lyasi-special.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840553/; classtype:trojan-activity;sid:84703653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ffjc9r7.vexon4al.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840552/; classtype:trojan-activity;sid:84703652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cpupros.lyasi-special.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840551/; classtype:trojan-activity;sid:84703651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.94.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840550/; classtype:trojan-activity;sid:84703650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"eqdq.vexon4al.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840549/; classtype:trojan-activity;sid:84703649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"vpsruns.lyasi-special.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840548/; classtype:trojan-activity;sid:84703648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.54.110.14"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840547/; classtype:trojan-activity;sid:84703647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dnswebs.lyasi-special.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840545/; classtype:trojan-activity;sid:84703645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"m08xkitq.vexon4al.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840546/; classtype:trojan-activity;sid:84703646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"nornex8et.vexon4al.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840544/; classtype:trojan-activity;sid:84703644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appboxs.ascenderviinka.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840543/; classtype:trojan-activity;sid:84703643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.176.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840542/; classtype:trojan-activity;sid:84703642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"220.246.254.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840541/; classtype:trojan-activity;sid:84703641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840538/; classtype:trojan-activity;sid:84703638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm7"; depth:11; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840539/; classtype:trojan-activity;sid:84703639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"89.32.41.16"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840540/; classtype:trojan-activity;sid:84703640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"devbits.ascenderviinka.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840537/; classtype:trojan-activity;sid:84703637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"mvx23.pav8lorex.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840536/; classtype:trojan-activity;sid:84703636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"iwr5wtk.pav8lorex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840535/; classtype:trojan-activity;sid:84703635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvlogs.ascenderviinka.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840534/; classtype:trojan-activity;sid:84703634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sol-tidea.pav8lorex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840533/; classtype:trojan-activity;sid:84703633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netapis.ascenderviinka.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840532/; classtype:trojan-activity;sid:84703632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.142.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840531/; classtype:trojan-activity;sid:84703631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.9.191"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840529/; classtype:trojan-activity;sid:84703629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.133.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840530/; classtype:trojan-activity;sid:84703630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"lumnexum4.pav8lorex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840528/; classtype:trojan-activity;sid:84703628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webcdnx.ascenderviinka.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840527/; classtype:trojan-activity;sid:84703627; rev:1;)
# Rule template used by the URLhaus entries that follow (one rule per URLhaus URL id):
#   - Direction: outbound request only ($HOME_NET -> $EXTERNAL_NET, flow:established,from_client),
#     HTTP method GET.
#   - http.uri:  content + depth:<content length> + endswith, so the whole URI buffer must
#     equal the listed path (case-insensitive via nocase).
#   - http.host: content + depth:<content length> + isdataat:!1,relative, so no bytes may
#     follow the listed host; a different Host value for the same server does not match.
#   - The id in msg and the reference URL identify the same URLhaus entry; created_at is the
#     date carried in the rule metadata.
# Triage notes:
#   - Only request fields are inspected, so an alert shows that an internal client asked for
#     the URL, not that a payload was returned or executed. Confirm with the HTTP response,
#     file extraction or endpoint telemetry.
#   - Short paths such as "/bin.sh" or "/i" are specific only together with the host match.
#   - NOTE(review): these are "alert http" signatures, so they presumably only see traffic the
#     sensor parses as cleartext HTTP; the same URL fetched over TLS would need decryption or
#     a separate DNS/TLS indicator. Confirm coverage for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.176.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840526/; classtype:trojan-activity;sid:84703626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"trinex7is.pav8lorex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840525/; classtype:trojan-activity;sid:84703625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvhubs.ascenderviinka.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840524/; classtype:trojan-activity;sid:84703624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"scenwave.pav8lorex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840523/; classtype:trojan-activity;sid:84703623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840522)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"bs3qkgdh.pav8lorex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840522/; classtype:trojan-activity;sid:84703622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"dynmarkar8.xamir3on.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840521/; classtype:trojan-activity;sid:84703621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.130.235.5"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840520/; classtype:trojan-activity;sid:84703620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.133.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840519/; classtype:trojan-activity;sid:84703619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.148.230.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840518/; classtype:trojan-activity;sid:84703618; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.5.59"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840517/; classtype:trojan-activity;sid:84703617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"juixt9f.xamir3on.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840516/; classtype:trojan-activity;sid:84703616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.36.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840515/; classtype:trojan-activity;sid:84703615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"metricregistry.xamir3on.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840514/; classtype:trojan-activity;sid:84703614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; 
depth:45; endswith; nocase; http.host; content:"root-cul.xamir3on.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840513/; classtype:trojan-activity;sid:84703613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.194.180"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840512/; classtype:trojan-activity;sid:84703612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"d3c0de-scope.xamir3on.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840511/; classtype:trojan-activity;sid:84703611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.110.39.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840510/; classtype:trojan-activity;sid:84703610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"5cri-logic.xamir3on.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840509/; classtype:trojan-activity;sid:84703609; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.5.59"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840507/; classtype:trojan-activity;sid:84703607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.72.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840508/; classtype:trojan-activity;sid:84703608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"fvde.xamir3on.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840506/; classtype:trojan-activity;sid:84703606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.239.100.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840505/; classtype:trojan-activity;sid:84703605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"140.237.38.80"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840504/; classtype:trojan-activity;sid:84703604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"load-port.tavro6xel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840503/; classtype:trojan-activity;sid:84703603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.52.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840502/; classtype:trojan-activity;sid:84703602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"jrlcxt.zooblob.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840501/; classtype:trojan-activity;sid:84703601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sprounite.zooblob.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840500/; classtype:trojan-activity;sid:84703600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3840499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.88.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840499/; classtype:trojan-activity;sid:84703599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"trivaleum8.tavro6xel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840498/; classtype:trojan-activity;sid:84703598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.36.254"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840497/; classtype:trojan-activity;sid:84703597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"freightbird.rodrules.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840496/; classtype:trojan-activity;sid:84703596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"liche3-wave.tavro6xel.lat"; 
depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840495/; classtype:trojan-activity;sid:84703595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=pzgmclfpxmyxvydy"; depth:27; endswith; nocase; http.host; content:"eciepxlt.solid5lowly.digital"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840494/; classtype:trojan-activity;sid:84703594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ohkmpt.tavro6xel.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840493/; classtype:trojan-activity;sid:84703593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"alt-me4sure.rodrules.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840492/; classtype:trojan-activity;sid:84703592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.125.42.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840491/; classtype:trojan-activity;sid:84703591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3840490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cirshift.portcry.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840490/; classtype:trojan-activity;sid:84703590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"5dk-array.tavro6xel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840489/; classtype:trojan-activity;sid:84703589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.93.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840488/; classtype:trojan-activity;sid:84703588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"duskamp.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840487/; classtype:trojan-activity;sid:84703587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; 
endswith; nocase; http.host; content:"hypersprout.portcry.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840486/; classtype:trojan-activity;sid:84703586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.88.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840485/; classtype:trojan-activity;sid:84703585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.115.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840484/; classtype:trojan-activity;sid:84703584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"wolfcri.tavro6xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840483/; classtype:trojan-activity;sid:84703583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"targetcel.plsqlnew.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840482/; classtype:trojan-activity;sid:84703582; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840474/; classtype:trojan-activity;sid:84703574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.arm7"; depth:38; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840475/; classtype:trojan-activity;sid:84703575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.arm5"; depth:38; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840476/; classtype:trojan-activity;sid:84703576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.i686"; depth:38; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840477/; classtype:trojan-activity;sid:84703577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.arm"; depth:37; endswith; nocase; 
http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840478/; classtype:trojan-activity;sid:84703578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.arc"; depth:37; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840479/; classtype:trojan-activity;sid:84703579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.arm6"; depth:38; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840480/; classtype:trojan-activity;sid:84703580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.spc"; depth:37; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840481/; classtype:trojan-activity;sid:84703581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.m68k"; depth:38; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840470/; classtype:trojan-activity;sid:84703570; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.sh4"; depth:37; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840471/; classtype:trojan-activity;sid:84703571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.x86_64"; depth:40; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840472/; classtype:trojan-activity;sid:84703572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.ppc"; depth:37; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840473/; classtype:trojan-activity;sid:84703573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.x86"; depth:37; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840468/; classtype:trojan-activity;sid:84703568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840469)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hidechaotic/ub8ehjsepafc9fyqzit6.mips"; depth:38; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840469/; classtype:trojan-activity;sid:84703569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidechaotic/ub8ehjsepafc9fyqzit6.mpsl"; depth:38; endswith; nocase; http.host; content:"176.65.139.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840467/; classtype:trojan-activity;sid:84703567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vorcore5ex.1zorelin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840466/; classtype:trojan-activity;sid:84703566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.136.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840465/; classtype:trojan-activity;sid:84703565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"nortideis9.plsqlnew.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840464/; classtype:trojan-activity;sid:84703564; rev:1;)
# Reviewer notes for the rules below (restored to one rule per line):
# - Template: each rule alerts on an established, client-to-server HTTP flow
#   from $HOME_NET to $EXTERNAL_NET whose method is GET, whose http.uri matches
#   the listed path (nocase) and whose http.host matches the listed host name
#   or IP address literal.
# - Both matches are anchored at both ends: depth equals the length of the
#   quoted content, and endswith (URI) / isdataat:!1,relative (host) allow no
#   trailing bytes. The same path with an extra suffix or query string, or a
#   different host value, does not match. One depth mismatch is flagged inline
#   at sid 84703558.
# - Scope: only traffic parsed as HTTP is inspected ("alert http"), so the same
#   URL fetched over TLS is outside these rules unless the sensor sees decrypted
#   traffic. Only GET is covered, and only in the $HOME_NET -> $EXTERNAL_NET
#   direction, so detection depends on those variables being set correctly.
# - Generic paths such as "/i" and "/bin.sh" are only distinctive together with
#   the exact http.host value. IP-keyed entries can go stale when the address
#   changes hands; weigh metadata:created_at and the URLhaus reference entry
#   when triaging a hit.
# - Several paths recur across many subdomains (for example the gettwo.dll and
#   put34b.camp paths). Each rule pins one full host name, so an unlisted
#   sibling subdomain would not alert; searching HTTP/proxy logs for the path
#   alone is a useful complementary hunt.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.42.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840463/; classtype:trojan-activity;sid:84703563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"lummarkex8.noopcup.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840462/; classtype:trojan-activity;sid:84703562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"wintersubtle.1zorelin.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840461/; classtype:trojan-activity;sid:84703561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.93.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840460/; classtype:trojan-activity;sid:84703560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"normeshon6.1zorelin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840459/; classtype:trojan-activity;sid:84703559; rev:1;)
# NOTE(review): with |3f| decoded to a single "?" byte the URI content below is
# 24 bytes, but depth is 27 (the length of the escaped literal). Combined with
# endswith, this also accepts a URI carrying up to 3 extra leading bytes, so it
# is slightly looser than the exact match used by the other rules. Confirm with
# the feed whether depth:24 was intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=uxxbauyxkxelvvxp"; depth:27; endswith; nocase; http.host; content:"lz96krml.shim-windless.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840458/; classtype:trojan-activity;sid:84703558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"8rvi.noopcup.surf"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840457/; classtype:trojan-activity;sid:84703557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"quornexal.1zorelin.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840456/; classtype:trojan-activity;sid:84703556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.115.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840455/; classtype:trojan-activity;sid:84703555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"pine5-vector.godjava.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840454/; classtype:trojan-activity;sid:84703554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.136.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840453/; classtype:trojan-activity;sid:84703553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"arkvenex1.godjava.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840452/; classtype:trojan-activity;sid:84703552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sudclient.1zorelin.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840451/; classtype:trojan-activity;sid:84703551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.202.75.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840450/; classtype:trojan-activity;sid:84703550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"cnybvst9.1zorelin.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840449/; classtype:trojan-activity;sid:84703549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.181.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840448/; classtype:trojan-activity;sid:84703548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"pack-bar.1zorelin.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840447/; classtype:trojan-activity;sid:84703547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"handlerharvest.fewhtml.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840446/; classtype:trojan-activity;sid:84703546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"xscciae7.fewhtml.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840445/; classtype:trojan-activity;sid:84703545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.88.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840444/; classtype:trojan-activity;sid:84703544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.241.176.6"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840443/; classtype:trojan-activity;sid:84703543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"fxfa.dbuswet.surf"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840442/; classtype:trojan-activity;sid:84703542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"subt13-flow.qen9varol.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840441/; classtype:trojan-activity;sid:84703541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.238.239.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840440/; classtype:trojan-activity;sid:84703540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"fl4me-field.qen9varol.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840439/; classtype:trojan-activity;sid:84703539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.181.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840438/; classtype:trojan-activity;sid:84703538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.243.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840437/; classtype:trojan-activity;sid:84703537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"v0lt-sync.dbuswet.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840436/; classtype:trojan-activity;sid:84703536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"nrbxi7.qen9varol.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840435/; classtype:trojan-activity;sid:84703535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.238.239.252"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840434/; classtype:trojan-activity;sid:84703534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"wfvof3o.boxemoj.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840433/; classtype:trojan-activity;sid:84703533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"gnqv4r.boxemoj.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840432/; classtype:trojan-activity;sid:84703532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.88.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840431/; classtype:trojan-activity;sid:84703531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ipni4.qen9varol.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840430/; classtype:trojan-activity;sid:84703530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vxbe.qen9varol.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840429/; classtype:trojan-activity;sid:84703529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840428/; classtype:trojan-activity;sid:84703528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.202.79"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840427/; classtype:trojan-activity;sid:84703527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"lwbc.actsdks.surf"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840426/; classtype:trojan-activity;sid:84703526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"kelfluxum.actsdks.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840425/; classtype:trojan-activity;sid:84703525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"xttbd.qen9varol.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840424/; classtype:trojan-activity;sid:84703524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.240.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840423/; classtype:trojan-activity;sid:84703523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.102.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840422/; classtype:trojan-activity;sid:84703522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"res.cargowhy.surf"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840421/; classtype:trojan-activity;sid:84703521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"5udd-signal.qen9varol.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840420/; classtype:trojan-activity;sid:84703520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.104.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840419/; classtype:trojan-activity;sid:84703519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dnv.tonmixin.surf"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840418/; classtype:trojan-activity;sid:84703518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.23.87.246"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840417/; classtype:trojan-activity;sid:84703517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"buffer-switch.mav2lirex.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840416/; classtype:trojan-activity;sid:84703516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"signalenzy.mav2lirex.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840415/; classtype:trojan-activity;sid:84703515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.234.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840414/; classtype:trojan-activity;sid:84703514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.223.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840413/; classtype:trojan-activity;sid:84703513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"resolvrou.mav2lirex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840412/; classtype:trojan-activity;sid:84703512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.231.246.202"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840411/; classtype:trojan-activity;sid:84703511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.240.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840410/; classtype:trojan-activity;sid:84703510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"povver4-pulse.mav2lirex.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840409/; classtype:trojan-activity;sid:84703509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"gozozk.mav2lirex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840408/; classtype:trojan-activity;sid:84703508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvhubs.tonmixin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840407/; classtype:trojan-activity;sid:84703507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.166.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840406/; classtype:trojan-activity;sid:84703506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"tridraor.mav2lirex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840405/; classtype:trojan-activity;sid:84703505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"webcdnx.tonmixin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840404/; classtype:trojan-activity;sid:84703504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.179.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840403/; classtype:trojan-activity;sid:84703503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"netapis.tonmixin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840401/; classtype:trojan-activity;sid:84703501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.102.244"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840402/; classtype:trojan-activity;sid:84703502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.115.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840400/; classtype:trojan-activity;sid:84703500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"srvlogs.tonmixin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840399/; classtype:trojan-activity;sid:84703499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"imagedraw.mav2lirex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840398/; classtype:trojan-activity;sid:84703498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.196.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840397/; classtype:trojan-activity;sid:84703497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"neotcdk.7toralex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840396/; classtype:trojan-activity;sid:84703496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"devbits.tonmixin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840395/; classtype:trojan-activity;sid:84703495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"sp4rk-plate.7toralex.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840394/; classtype:trojan-activity;sid:84703494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"appboxs.tonmixin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840393/; classtype:trojan-activity;sid:84703493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.61.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840392/; classtype:trojan-activity;sid:84703492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.68.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840391/; classtype:trojan-activity;sid:84703491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.173.118.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840390/; classtype:trojan-activity;sid:84703490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"ieke13.7toralex.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840389/; classtype:trojan-activity;sid:84703489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dnswebs.sixunzip.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840388/; classtype:trojan-activity;sid:84703488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"vpsruns.sixunzip.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840387/; classtype:trojan-activity;sid:84703487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"thread-mark.7toralex.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840386/; classtype:trojan-activity;sid:84703486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.98.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840385/; classtype:trojan-activity;sid:84703485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.67.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840384/; classtype:trojan-activity;sid:84703484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.108.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840383/; classtype:trojan-activity;sid:84703483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.61.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840382/; classtype:trojan-activity;sid:84703482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.63.144"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840381/; classtype:trojan-activity;sid:84703481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.228.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840380/; classtype:trojan-activity;sid:84703480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"hgt3.7toralex.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840378/; classtype:trojan-activity;sid:84703478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cpupros.sixunzip.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840379/; classtype:trojan-activity;sid:84703479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"splitfleet.7toralex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840377/; classtype:trojan-activity;sid:84703477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"opsmgrs.sixunzip.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840376/; classtype:trojan-activity;sid:84703476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh1ne-apps-testsh-zec833-lives7z/put34b.camp"; depth:45; endswith; nocase; http.host; content:"vel-nexon.7toralex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840375/; classtype:trojan-activity;sid:84703475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"topsvcs.sixunzip.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840374/; classtype:trojan-activity;sid:84703474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"bitfoxs.sixunzip.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840373/; classtype:trojan-activity;sid:84703473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"gitlabh.ultrashiftnet.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840372/; classtype:trojan-activity;sid:84703472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apiopss.ultrashiftnet.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840371/; classtype:trojan-activity;sid:84703471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.218.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840370/; classtype:trojan-activity;sid:84703470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download
URL detected (3840369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"hotfixs.cargowhy.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840369/; classtype:trojan-activity;sid:84703469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.14.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840368/; classtype:trojan-activity;sid:84703468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.127.100"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840367/; classtype:trojan-activity;sid:84703467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.39.85.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840366/; classtype:trojan-activity;sid:84703466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"logbins.ultrashiftnet.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; 
reference:url, urlhaus.abuse.ch/url/3840365/; classtype:trojan-activity;sid:84703465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.121.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840364/; classtype:trojan-activity;sid:84703464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.242.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840363/; classtype:trojan-activity;sid:84703463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"ipnodes.cargowhy.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840362/; classtype:trojan-activity;sid:84703462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840361/; classtype:trojan-activity;sid:84703461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840360)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"getcfgs.cargowhy.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840360/; classtype:trojan-activity;sid:84703460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.65.239"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840359/; classtype:trojan-activity;sid:84703459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appsrch.ultrashiftnet.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840358/; classtype:trojan-activity;sid:84703458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webdocs.ultrashiftnet.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840357/; classtype:trojan-activity;sid:84703457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sslkeys.cargowhy.surf"; depth:21; isdataat:!1,relative; 
metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840356/; classtype:trojan-activity;sid:84703456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.39.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840355/; classtype:trojan-activity;sid:84703455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syskeys.ultrashiftnet.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840354/; classtype:trojan-activity;sid:84703454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.14.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840353/; classtype:trojan-activity;sid:84703453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.0.111"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840351/; classtype:trojan-activity;sid:84703451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840352)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.52.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840352/; classtype:trojan-activity;sid:84703452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"sshbins.cargowhy.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840350/; classtype:trojan-activity;sid:84703450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.242.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840349/; classtype:trojan-activity;sid:84703449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.cargowhy.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840348/; classtype:trojan-activity;sid:84703448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netmans.cybermetagrid.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840347/; classtype:trojan-activity;sid:84703447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"cmdsets.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840346/; classtype:trojan-activity;sid:84703446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.7.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840345/; classtype:trojan-activity;sid:84703445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tcpcons.cybermetagrid.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840344/; classtype:trojan-activity;sid:84703444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshpros.cybermetagrid.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840343/; classtype:trojan-activity;sid:84703443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3840342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.248.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840342/; classtype:trojan-activity;sid:84703442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840341/; classtype:trojan-activity;sid:84703441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840340/; classtype:trojan-activity;sid:84703440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.76.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840339/; classtype:trojan-activity;sid:84703439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.240.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840338/; classtype:trojan-activity;sid:84703438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vmlists.cybermetagrid.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840337/; classtype:trojan-activity;sid:84703437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"usrgrps.cybermetagrid.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840336/; classtype:trojan-activity;sid:84703436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dbinsts.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840335/; classtype:trojan-activity;sid:84703435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"dbinsts.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840334/; classtype:trojan-activity;sid:84703434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3840333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.52.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840333/; classtype:trojan-activity;sid:84703433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"apidocs.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840332/; classtype:trojan-activity;sid:84703432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.7.41.11"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840331/; classtype:trojan-activity;sid:84703431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"optwebs.cybermetagrid.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840330/; classtype:trojan-activity;sid:84703430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; 
content:"metalts.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840329/; classtype:trojan-activity;sid:84703429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.21.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840328/; classtype:trojan-activity;sid:84703428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.180.31.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840327/; classtype:trojan-activity;sid:84703427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/draw-msft-cl0ud-acc-trust7934/gettwo.dll"; depth:41; endswith; nocase; http.host; content:"osbases.nodespit.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840325/; classtype:trojan-activity;sid:84703425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"proxyss.quantumtechbox.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840326/; classtype:trojan-activity;sid:84703426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3840324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.248.218"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840324/; classtype:trojan-activity;sid:84703424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.151.74.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840323/; classtype:trojan-activity;sid:84703423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.76.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840322/; classtype:trojan-activity;sid:84703422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.115.233"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840321/; classtype:trojan-activity;sid:84703421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"lanhops.quantumtechbox.surf"; depth:27; isdataat:!1,relative; metadata:created_at 
2026_05_06; reference:url, urlhaus.abuse.ch/url/3840320/; classtype:trojan-activity;sid:84703420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"subclis.quantumtechbox.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840319/; classtype:trojan-activity;sid:84703419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"logbins.zooblob.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840318/; classtype:trojan-activity;sid:84703418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.139.102.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840317/; classtype:trojan-activity;sid:84703417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitkits.quantumtechbox.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840316/; classtype:trojan-activity;sid:84703416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3840315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"appsrch.zooblob.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840315/; classtype:trojan-activity;sid:84703415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spz"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840314/; classtype:trojan-activity;sid:84703414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifvq"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840313/; classtype:trojan-activity;sid:84703413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbj"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840312/; classtype:trojan-activity;sid:84703412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpm"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840309/; classtype:trojan-activity;sid:84703409; rev:1;)
# How the rules in this run match:
#   - http.method must contain GET.
#   - The http.uri content has depth equal to its own length plus endswith, so the
#     request URI must equal the listed path exactly (a query string or extra path
#     segment means no match). nocase applies to that URI comparison only.
#   - The http.host content has depth equal to its length plus isdataat:!1,relative,
#     so the host must equal the listed value with nothing after it.
#   - Direction is $HOME_NET -> $EXTERNAL_NET on established client-side flows,
#     i.e. an internal client requesting the URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h1lf"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840310/; classtype:trojan-activity;sid:84703410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e5fn"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840311/; classtype:trojan-activity;sid:84703411; rev:1;)
# The next fourteen rules list /bin/bot.<arch> on 176.65.139.64 for the suffixes
# arm, arm5, arm6, arm7, mips, mips64, mpsl, i686, x86_64, sh4, m68k, sparc, arc, ppc.
# NOTE(review): the per-architecture naming suggests a multi-architecture bot loader;
# that is inferred from the file names only. When triaging a hit, identify the
# platform of the requesting device (embedded/IoT gear is a likely source).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.arm7"; depth:13; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840307/; classtype:trojan-activity;sid:84703407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.mips"; depth:13; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840308/; classtype:trojan-activity;sid:84703408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.i686"; depth:13; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840305/; classtype:trojan-activity;sid:84703405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.mips64"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840306/; classtype:trojan-activity;sid:84703406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.x86_64"; depth:15; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840301/; classtype:trojan-activity;sid:84703401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.arm5"; depth:13; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840302/; classtype:trojan-activity;sid:84703402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.sh4"; depth:12; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840303/; classtype:trojan-activity;sid:84703403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.arm6"; depth:13; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840304/; classtype:trojan-activity;sid:84703404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.m68k"; depth:13; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840296/; classtype:trojan-activity;sid:84703396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.arm"; depth:12; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840297/; classtype:trojan-activity;sid:84703397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.mpsl"; depth:13; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840298/; classtype:trojan-activity;sid:84703398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.sparc"; depth:14; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840299/; classtype:trojan-activity;sid:84703399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.arc"; depth:12; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840300/; classtype:trojan-activity;sid:84703400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.ppc"; depth:12; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840295/; classtype:trojan-activity;sid:84703395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"webdocs.zooblob.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840294/; classtype:trojan-activity;sid:84703394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envsets.quantumtechbox.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840293/; classtype:trojan-activity;sid:84703393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7;
endswith; nocase; http.host; content:"223.151.74.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840292/; classtype:trojan-activity;sid:84703392; rev:1;)
# Two URI paths in this run repeat verbatim across many *.surf hostnames:
# .../kwtor.dll on zooblob, rodrules and portcry, and .../usr294-verif.confirm on
# quantumtechbox, primeflowspace and masterlogicgrid. Every rule is keyed to one exact
# host (depth + isdataat:!1,relative on http.host), so a sibling hostname serving the
# same path is covered only once the feed lists it. When triaging a hit, also search
# proxy/HTTP logs for the same path on other hosts.
# The /bin.sh and /i entries use bare IPv4 literals as the host and very short paths;
# the exact-host condition is what keeps them from matching unrelated traffic, so it
# should not be loosened when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.205.166.231"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840291/; classtype:trojan-activity;sid:84703391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"syskeys.zooblob.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840290/; classtype:trojan-activity;sid:84703390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"doclabs.quantumtechbox.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840289/; classtype:trojan-activity;sid:84703389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syncits.primeflowspace.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840288/; classtype:trojan-activity;sid:84703388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"netmans.rodrules.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840287/; classtype:trojan-activity;sid:84703387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.31.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840286/; classtype:trojan-activity;sid:84703386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"tcpcons.rodrules.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840285/; classtype:trojan-activity;sid:84703385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reverse.ps1"; depth:12; endswith; nocase; http.host; content:"89.125.37.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840283/; classtype:trojan-activity;sid:84703383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project_brief.bat"; depth:18; endswith; nocase; http.host; content:"89.125.37.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840284/; classtype:trojan-activity;sid:84703384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ioflows.primeflowspace.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840282/; classtype:trojan-activity;sid:84703382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"taskids.primeflowspace.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840281/; classtype:trojan-activity;sid:84703381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sshpros.rodrules.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840280/; classtype:trojan-activity;sid:84703380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.116.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840279/; classtype:trojan-activity;sid:84703379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.232.13.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840278/; classtype:trojan-activity;sid:84703378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.8.88"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840277/; classtype:trojan-activity;sid:84703377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vmlists.rodrules.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840275/; classtype:trojan-activity;sid:84703375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"comwebs.primeflowspace.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840276/; classtype:trojan-activity;sid:84703376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"usrgrps.rodrules.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840274/; classtype:trojan-activity;sid:84703374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.240.16"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840273/; classtype:trojan-activity;sid:84703373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"refid-xs.primeflowspace.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840272/; classtype:trojan-activity;sid:84703372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.147.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840271/; classtype:trojan-activity;sid:84703371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.30.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840270/; classtype:trojan-activity;sid:84703370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"optwebs.rodrules.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840269/; classtype:trojan-activity;sid:84703369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autboxs.primeflowspace.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840268/; classtype:trojan-activity;sid:84703368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.68.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840267/; classtype:trojan-activity;sid:84703367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"domregs.masterlogicgrid.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840266/; classtype:trojan-activity;sid:84703366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"proxyss.portcry.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840265/; classtype:trojan-activity;sid:84703365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.9.254"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840264/; classtype:trojan-activity;sid:84703364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"lanhops.portcry.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840263/; classtype:trojan-activity;sid:84703363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pwrlogs.masterlogicgrid.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840262/; classtype:trojan-activity;sid:84703362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.151.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840261/; classtype:trojan-activity;sid:84703361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.116.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840260/; classtype:trojan-activity;sid:84703360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"extnets.masterlogicgrid.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840259/; classtype:trojan-activity;sid:84703359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"subclis.portcry.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840258/; classtype:trojan-activity;sid:84703358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pkgruns.masterlogicgrid.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840257/; classtype:trojan-activity;sid:84703357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.9.191"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840256/; classtype:trojan-activity;sid:84703356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"bitkits.portcry.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840255/; classtype:trojan-activity;sid:84703355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"envsets.portcry.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840254/; classtype:trojan-activity;sid:84703354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"modbuss.masterlogicgrid.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840253/; classtype:trojan-activity;sid:84703353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith;
nocase; http.host; content:"42.5.8.88"; depth:9; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840252/; classtype:trojan-activity;sid:84703352; rev:1;)
# Scope of the rules in this run: they are `alert http` signatures, so they fire only
# on traffic Suricata parses as HTTP; the same URL fetched over TLS is not seen unless
# the session is decrypted upstream of the sensor. Each rule needs a GET for the exact
# path on the exact host, from $HOME_NET to $EXTERNAL_NET.
# An alert records that an internal client requested the URL, not that a payload was
# delivered or executed; confirm with the http and fileinfo events for the same flow
# before escalating.
# Mapping back to the feed: the number in msg and in the reference URL is the URLhaus
# entry id, and in the rules visible here sid = entry id + 80863100.
# NOTE(review): every entry below carries created_at 2026_05_06; check how the feed
# retires dead URLs before relying on these sids long after that date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.151.33"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840251/; classtype:trojan-activity;sid:84703351; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srcgets.masterlogicgrid.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840249/; classtype:trojan-activity;sid:84703349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"doclabs.portcry.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840250/; classtype:trojan-activity;sid:84703350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"uidmaps.infinitynodesys.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840248/; classtype:trojan-activity;sid:84703348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.126.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840247/; classtype:trojan-activity;sid:84703347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"syncits.plsqlnew.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840246/; classtype:trojan-activity;sid:84703346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.27.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840245/; classtype:trojan-activity;sid:84703345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ftpsrvs.infinitynodesys.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840244/; classtype:trojan-activity;sid:84703344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ioflows.plsqlnew.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840243/; classtype:trojan-activity;sid:84703343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"libsyss.infinitynodesys.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840242/; classtype:trojan-activity;sid:84703342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"taskids.plsqlnew.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840241/; classtype:trojan-activity;sid:84703341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"jobadms.infinitynodesys.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840240/; classtype:trojan-activity;sid:84703340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"comwebs.plsqlnew.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840239/; classtype:trojan-activity;sid:84703339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"refid-xs.plsqlnew.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840238/; classtype:trojan-activity;sid:84703338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdats.infinitynodesys.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840237/; classtype:trojan-activity;sid:84703337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"autboxs.plsqlnew.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840236/; classtype:trojan-activity;sid:84703336; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6077499728/kozbo5k.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840233/; classtype:trojan-activity;sid:84703333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.93.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840234/; classtype:trojan-activity;sid:84703334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/2038862353/iay9b8g.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840235/; classtype:trojan-activity;sid:84703335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.126.248"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840232/; classtype:trojan-activity;sid:84703332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"domregs.noopcup.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840231/; classtype:trojan-activity;sid:84703331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ziparks.infinitynodesys.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840230/; classtype:trojan-activity;sid:84703330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"pwrlogs.noopcup.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840229/; classtype:trojan-activity;sid:84703329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"osbases.technovortexhub.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840228/; classtype:trojan-activity;sid:84703328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"extnets.noopcup.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840227/; classtype:trojan-activity;sid:84703327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.26.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840226/; classtype:trojan-activity;sid:84703326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"metalts.technovortexhub.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840225/; classtype:trojan-activity;sid:84703325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"pkgruns.noopcup.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840224/; classtype:trojan-activity;sid:84703324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.229.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840223/; classtype:trojan-activity;sid:84703323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"modbuss.noopcup.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840222/; classtype:trojan-activity;sid:84703322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidocs.technovortexhub.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840221/; classtype:trojan-activity;sid:84703321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"srcgets.noopcup.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840220/; classtype:trojan-activity;sid:84703320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dbinsts.technovortexhub.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840219/; classtype:trojan-activity;sid:84703319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"uidmaps.godjava.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840218/; classtype:trojan-activity;sid:84703318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840216)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840216/; classtype:trojan-activity;sid:84703316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"skyvpns.technovortexhub.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840217/; classtype:trojan-activity;sid:84703317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ftpsrvs.godjava.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840215/; classtype:trojan-activity;sid:84703315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cmdsets.technovortexhub.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840214/; classtype:trojan-activity;sid:84703314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840213/; classtype:trojan-activity;sid:84703313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.229.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840212/; classtype:trojan-activity;sid:84703312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.98.111"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840211/; classtype:trojan-activity;sid:84703311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"libsyss.godjava.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840210/; classtype:trojan-activity;sid:84703310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tmpdirs.globaldatastack.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840209/; classtype:trojan-activity;sid:84703309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840208)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"jobadms.godjava.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840208/; classtype:trojan-activity;sid:84703308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshbins.globaldatastack.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840207/; classtype:trojan-activity;sid:84703307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.202.66.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840206/; classtype:trojan-activity;sid:84703306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.29.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840205/; classtype:trojan-activity;sid:84703305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sslkeys.globaldatastack.surf"; depth:28; isdataat:!1,relative; metadata:created_at 
2026_05_06; reference:url, urlhaus.abuse.ch/url/3840204/; classtype:trojan-activity;sid:84703304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.188.138.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840203/; classtype:trojan-activity;sid:84703303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"rawdats.godjava.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840202/; classtype:trojan-activity;sid:84703302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"getcfgs.globaldatastack.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840201/; classtype:trojan-activity;sid:84703301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ziparks.godjava.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840200/; classtype:trojan-activity;sid:84703300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3840199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"osbases.fewhtml.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840199/; classtype:trojan-activity;sid:84703299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.42.119.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840198/; classtype:trojan-activity;sid:84703298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ipnodes.globaldatastack.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840197/; classtype:trojan-activity;sid:84703297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"hotfixs.globaldatastack.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840196/; classtype:trojan-activity;sid:84703296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; 
nocase; http.host; content:"metalts.fewhtml.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840195/; classtype:trojan-activity;sid:84703295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840194/; classtype:trojan-activity;sid:84703294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitfoxs.securelinkpoint.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840193/; classtype:trojan-activity;sid:84703293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"apidocs.fewhtml.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840192/; classtype:trojan-activity;sid:84703292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.188.138.221"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840191/; classtype:trojan-activity;sid:84703291; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"topsvcs.securelinkpoint.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840190/; classtype:trojan-activity;sid:84703290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"dbinsts.fewhtml.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840189/; classtype:trojan-activity;sid:84703289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"opsmgrs.securelinkpoint.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840188/; classtype:trojan-activity;sid:84703288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cpupros.securelinkpoint.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840186/; classtype:trojan-activity;sid:84703286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3840187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.fewhtml.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840187/; classtype:trojan-activity;sid:84703287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.42.119.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840185/; classtype:trojan-activity;sid:84703285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"cmdsets.fewhtml.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840184/; classtype:trojan-activity;sid:84703284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.223.175"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840183/; classtype:trojan-activity;sid:84703283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vpsruns.securelinkpoint.surf"; depth:28; 
isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840182/; classtype:trojan-activity;sid:84703282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.dbuswet.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840181/; classtype:trojan-activity;sid:84703281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dnswebs.securelinkpoint.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840180/; classtype:trojan-activity;sid:84703280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sshbins.dbuswet.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840179/; classtype:trojan-activity;sid:84703279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.143.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840178/; classtype:trojan-activity;sid:84703278; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sslkeys.dbuswet.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840177/; classtype:trojan-activity;sid:84703277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appboxs.digitalcloudnet.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840176/; classtype:trojan-activity;sid:84703276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.115.119.45"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840175/; classtype:trojan-activity;sid:84703275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"getcfgs.dbuswet.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840174/; classtype:trojan-activity;sid:84703274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840173)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"devbits.digitalcloudnet.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840173/; classtype:trojan-activity;sid:84703273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.64.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840172/; classtype:trojan-activity;sid:84703272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ipnodes.dbuswet.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840171/; classtype:trojan-activity;sid:84703271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"hotfixs.dbuswet.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840170/; classtype:trojan-activity;sid:84703270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvlogs.digitalcloudnet.surf"; depth:28; isdataat:!1,relative; 
metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840169/; classtype:trojan-activity;sid:84703269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"bitfoxs.boxemoj.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840168/; classtype:trojan-activity;sid:84703268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netapis.digitalcloudnet.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840167/; classtype:trojan-activity;sid:84703267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webcdnx.digitalcloudnet.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840166/; classtype:trojan-activity;sid:84703266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"topsvcs.boxemoj.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840165/; classtype:trojan-activity;sid:84703265; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvhubs.digitalcloudnet.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840164/; classtype:trojan-activity;sid:84703264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.64.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840163/; classtype:trojan-activity;sid:84703263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"opsmgrs.boxemoj.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840162/; classtype:trojan-activity;sid:84703262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.57.227"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840161/; classtype:trojan-activity;sid:84703261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840160)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"gitlab.sorix2el.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840160/; classtype:trojan-activity;sid:84703260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"cpupros.boxemoj.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840159/; classtype:trojan-activity;sid:84703259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apiops.sorix2el.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840158/; classtype:trojan-activity;sid:84703258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vpsruns.boxemoj.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840157/; classtype:trojan-activity;sid:84703257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.31.154"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_06; reference:url, urlhaus.abuse.ch/url/3840156/; classtype:trojan-activity;sid:84703256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"dnswebs.boxemoj.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840155/; classtype:trojan-activity;sid:84703255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"logbin.sorix2el.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840154/; classtype:trojan-activity;sid:84703254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"appboxs.actsdks.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840153/; classtype:trojan-activity;sid:84703253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appsrc.sorix2el.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840152/; classtype:trojan-activity;sid:84703252; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.42.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840151/; classtype:trojan-activity;sid:84703251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"devbits.actsdks.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840150/; classtype:trojan-activity;sid:84703250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webdoc.sorix2el.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840149/; classtype:trojan-activity;sid:84703249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.84.221"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840148/; classtype:trojan-activity;sid:84703248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; 
http.host; content:"syskey.sorix2el.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840146/; classtype:trojan-activity;sid:84703246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"srvlogs.actsdks.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840147/; classtype:trojan-activity;sid:84703247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"netapis.actsdks.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840145/; classtype:trojan-activity;sid:84703245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"net-man.8dorexin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840144/; classtype:trojan-activity;sid:84703244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.57.227"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840143/; classtype:trojan-activity;sid:84703243; 
rev:1;)
# Coverage note for the four complete rules that follow: each one pairs a fixed
# URI path with ONE exact hostname. Two hostnames under actsdks.surf share the
# kwtor.dll path and two under 8dorexin.surf share the usr294-verif.confirm
# path, so coverage is per listed hostname: a sibling subdomain serving the
# same path is not matched unless it has its own rule elsewhere in the feed.
# When triaging a hit, also search HTTP logs for the URI path on its own to
# find requests to hostnames the feed has not listed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"webcdnx.actsdks.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840142/; classtype:trojan-activity;sid:84703242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tcp-con.8dorexin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840141/; classtype:trojan-activity;sid:84703241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ssh-pro.8dorexin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840140/; classtype:trojan-activity;sid:84703240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"srvhubs.actsdks.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840139/; classtype:trojan-activity;sid:84703239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840138)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.112.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840138/; classtype:trojan-activity;sid:84703238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"gitlabh.lorex7in.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840137/; classtype:trojan-activity;sid:84703237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vm-list.8dorexin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840136/; classtype:trojan-activity;sid:84703236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"usr-grp.8dorexin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840135/; classtype:trojan-activity;sid:84703235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; 
content:"apiopss.lorex7in.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840134/; classtype:trojan-activity;sid:84703234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.75.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840133/; classtype:trojan-activity;sid:84703233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.77.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840132/; classtype:trojan-activity;sid:84703232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.26.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840131/; classtype:trojan-activity;sid:84703231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"opt-web.8dorexin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840130/; classtype:trojan-activity;sid:84703230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3840129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"logbins.lorex7in.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840129/; classtype:trojan-activity;sid:84703229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"proxys.vexon4al.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840128/; classtype:trojan-activity;sid:84703228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"appsrch.lorex7in.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840127/; classtype:trojan-activity;sid:84703227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"lanhop.vexon4al.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840126/; classtype:trojan-activity;sid:84703226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840125)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"webdocs.lorex7in.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840125/; classtype:trojan-activity;sid:84703225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.142.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840124/; classtype:trojan-activity;sid:84703224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.28.179.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840123/; classtype:trojan-activity;sid:84703223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.38.86.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840122/; classtype:trojan-activity;sid:84703222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"subcli.vexon4al.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840121/; classtype:trojan-activity;sid:84703221; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"syskeys.lorex7in.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840120/; classtype:trojan-activity;sid:84703220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitkit.vexon4al.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840119/; classtype:trojan-activity;sid:84703219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.31.154"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840118/; classtype:trojan-activity;sid:84703218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.77.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840117/; classtype:trojan-activity;sid:84703217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; 
endswith; nocase; http.host; content:"netmans.mel2vrax.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840116/; classtype:trojan-activity;sid:84703216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.230.81"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840115/; classtype:trojan-activity;sid:84703215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envset.vexon4al.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840114/; classtype:trojan-activity;sid:84703214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.197.97"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840113/; classtype:trojan-activity;sid:84703213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"tcpcons.mel2vrax.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840112/; classtype:trojan-activity;sid:84703212; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"doclab.vexon4al.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840111/; classtype:trojan-activity;sid:84703211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.28.179.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840110/; classtype:trojan-activity;sid:84703210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sshpros.mel2vrax.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840109/; classtype:trojan-activity;sid:84703209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syncit.pav3lorex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840108/; classtype:trojan-activity;sid:84703208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840107)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840107/; classtype:trojan-activity;sid:84703207; rev:1;)
# Match anchoring used by the rules below:
#  - http.uri: depth equals the content length and endswith pins the end, so
#    the whole URI buffer must equal the listed path (nocase: any letter
#    case). A request for the same path with anything appended, a query
#    string included, does not match.
#  - http.host: depth equals the content length and isdataat:!1,relative
#    requires no byte after the match, so the host buffer must equal the
#    listed name or address exactly.
# A short path such as "/i" carries no signal by itself; it is the exact host
# match in the same rule that makes the alert specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.209.14.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840106/; classtype:trojan-activity;sid:84703206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ioflow.pav3lorex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840105/; classtype:trojan-activity;sid:84703205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vmlists.mel2vrax.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840104/; classtype:trojan-activity;sid:84703204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.94.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840103/; classtype:trojan-activity;sid:84703203; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"usrgrps.mel2vrax.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840102/; classtype:trojan-activity;sid:84703202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.166.199.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840101/; classtype:trojan-activity;sid:84703201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"task-id.pav3lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840100/; classtype:trojan-activity;sid:84703200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"optwebs.mel2vrax.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840099/; classtype:trojan-activity;sid:84703199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"119.166.199.148"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840098/; classtype:trojan-activity;sid:84703198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.195.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840096/; classtype:trojan-activity;sid:84703196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.147.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840097/; classtype:trojan-activity;sid:84703197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"com-web.pav3lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840095/; classtype:trojan-activity;sid:84703195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"proxyss.sorix9el.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840094/; classtype:trojan-activity;sid:84703194; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.242.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840093/; classtype:trojan-activity;sid:84703193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"refid-x.pav3lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840092/; classtype:trojan-activity;sid:84703192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.14.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840091/; classtype:trojan-activity;sid:84703191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"lanhops.sorix9el.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840090/; classtype:trojan-activity;sid:84703190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"123.8.12.154"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840089/; classtype:trojan-activity;sid:84703189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autbox.pav3lorex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840088/; classtype:trojan-activity;sid:84703188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"subclis.sorix9el.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840087/; classtype:trojan-activity;sid:84703187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dom-reg.xamir9on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840086/; classtype:trojan-activity;sid:84703186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.221.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840085/; classtype:trojan-activity;sid:84703185; 
rev:1;)
# Triage note for the rules below: they inspect the client request only
# (flow:established,from_client plus the http.method, http.uri and http.host
# request buffers). An alert shows that a $HOME_NET host sent a GET for a
# listed URL; it does not show that the server answered or that anything was
# saved or run on the host. Check the corresponding HTTP and file records for
# the same flow before escalating or closing.
# NOTE(review): "alert http" depends on the HTTP parser seeing the request, so
# the same URL fetched over TLS is presumably not covered unless traffic is
# decrypted before it reaches the sensor. Confirm against the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"bitkits.sorix9el.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840084/; classtype:trojan-activity;sid:84703184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pwr-log.xamir9on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840083/; classtype:trojan-activity;sid:84703183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"envsets.sorix9el.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840082/; classtype:trojan-activity;sid:84703182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.39.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840081/; classtype:trojan-activity;sid:84703181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840080)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.87.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840080/; classtype:trojan-activity;sid:84703180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ext-net.xamir9on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840079/; classtype:trojan-activity;sid:84703179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"doclabs.sorix9el.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840078/; classtype:trojan-activity;sid:84703178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.87.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840077/; classtype:trojan-activity;sid:84703177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pkg-run.xamir9on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, 
urlhaus.abuse.ch/url/3840076/; classtype:trojan-activity;sid:84703176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.221.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840075/; classtype:trojan-activity;sid:84703175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"syncits.pav6lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840074/; classtype:trojan-activity;sid:84703174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840073/; classtype:trojan-activity;sid:84703173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"mod-bus.xamir9on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840072/; classtype:trojan-activity;sid:84703172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840071)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ioflows.pav6lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840071/; classtype:trojan-activity;sid:84703171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"taskids.pav6lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840070/; classtype:trojan-activity;sid:84703170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"src-get.xamir9on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840069/; classtype:trojan-activity;sid:84703169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.195.1"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840068/; classtype:trojan-activity;sid:84703168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"uidmap.tavro5xel.surf"; depth:21; 
isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840067/; classtype:trojan-activity;sid:84703167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"comwebs.pav6lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_06; reference:url, urlhaus.abuse.ch/url/3840066/; classtype:trojan-activity;sid:84703166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.189.136.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840065/; classtype:trojan-activity;sid:84703165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ftpsrv.tavro5xel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840064/; classtype:trojan-activity;sid:84703164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"refid-xs.pav6lorex.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840063/; classtype:trojan-activity;sid:84703163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3840062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"libsys.tavro5xel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840062/; classtype:trojan-activity;sid:84703162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840061/; classtype:trojan-activity;sid:84703161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.236.149.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840060/; classtype:trojan-activity;sid:84703160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"autboxs.pav6lorex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840059/; classtype:trojan-activity;sid:84703159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; 
http.host; content:"jobadm.tavro5xel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840058/; classtype:trojan-activity;sid:84703158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.16.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840057/; classtype:trojan-activity;sid:84703157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"domregs.xamir4on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840056/; classtype:trojan-activity;sid:84703156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"pwrlogs.xamir4on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840054/; classtype:trojan-activity;sid:84703154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdat.tavro5xel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840055/; classtype:trojan-activity;sid:84703155; 
rev:1;)
# Triage notes for the rules below:
#   - An alert means a $HOME_NET host *requested* the listed URL over cleartext HTTP.
#     Only request buffers (http.method, http.uri, http.host) are inspected, so check
#     the HTTP / file logs for the same flow to see whether a payload was returned.
#   - The number in msg and in the reference URL is the URLhaus entry for the
#     indicator; metadata:created_at is the rule's creation date (2026_05_05 here).
#   - Several entries use a bare IPv4 host with a short generic URI ("/i", "/bin.sh");
#     for those the exact host pin is what keeps the match specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"zipark.tavro5xel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840053/; classtype:trojan-activity;sid:84703153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"extnets.xamir4on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840052/; classtype:trojan-activity;sid:84703152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.117.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840051/; classtype:trojan-activity;sid:84703151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"pkgruns.xamir4on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840050/; classtype:trojan-activity;sid:84703150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840049/; classtype:trojan-activity;sid:84703149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"osbase.1zorelix.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840048/; classtype:trojan-activity;sid:84703148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"modbuss.xamir4on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840047/; classtype:trojan-activity;sid:84703147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.236.149.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840046/; classtype:trojan-activity;sid:84703146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"metalt.1zorelix.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840045/; classtype:trojan-activity;sid:84703145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.138.206.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840044/; classtype:trojan-activity;sid:84703144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.189.136.53"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840043/; classtype:trojan-activity;sid:84703143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.16.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840042/; classtype:trojan-activity;sid:84703142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"srcgets.xamir4on.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840041/; classtype:trojan-activity;sid:84703141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.57.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840040/; classtype:trojan-activity;sid:84703140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.180.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840039/; classtype:trojan-activity;sid:84703139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidoc.1zorelix.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840038/; classtype:trojan-activity;sid:84703138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.84.221"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840037/; classtype:trojan-activity;sid:84703137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"uidmaps.tavro8xel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840036/; classtype:trojan-activity;sid:84703136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dbinst.1zorelix.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840035/; classtype:trojan-activity;sid:84703135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.117.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840034/; classtype:trojan-activity;sid:84703134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.113.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840033/; classtype:trojan-activity;sid:84703133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"skyvpn.1zorelix.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840032/; classtype:trojan-activity;sid:84703132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ftpsrvs.tavro8xel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840031/; classtype:trojan-activity;sid:84703131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.57.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840030/; classtype:trojan-activity;sid:84703130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.196.88"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840029/; classtype:trojan-activity;sid:84703129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cmdset.1zorelix.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840028/; classtype:trojan-activity;sid:84703128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"libsyss.tavro8xel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840027/; classtype:trojan-activity;sid:84703127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.14.53.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840026/; classtype:trojan-activity;sid:84703126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tmpdir.qen2vrax.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840025/; classtype:trojan-activity;sid:84703125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"jobadms.tavro8xel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840024/; classtype:trojan-activity;sid:84703124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.200.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840023/; classtype:trojan-activity;sid:84703123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.180.9"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840022/; classtype:trojan-activity;sid:84703122; rev:1;)
# Two URIs recur across many different *.surf hostnames in the rules below:
#   /kiss-m0dem-defndr-myrai-sdf934/kwtor.dll
#   /sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm
# Each rule pins exactly one host, so another hostname serving the same path is not
# covered until the feed lists it.
# NOTE(review): consider a local hunt over HTTP logs keyed on these URIs alone, and
# measure its false-positive rate before promoting it to an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.13.208"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840021/; classtype:trojan-activity;sid:84703121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshbin.qen2vrax.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840020/; classtype:trojan-activity;sid:84703120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"rawdats.tavro8xel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840019/; classtype:trojan-activity;sid:84703119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sslkey.qen2vrax.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840018/; classtype:trojan-activity;sid:84703118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ziparks.tavro8xel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840017/; classtype:trojan-activity;sid:84703117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"getcfg.qen2vrax.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840016/; classtype:trojan-activity;sid:84703116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.2.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840015/; classtype:trojan-activity;sid:84703115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.58.95"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840014/; classtype:trojan-activity;sid:84703114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"osbases.2zorelin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840013/; classtype:trojan-activity;sid:84703113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ipnode.qen2vrax.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840012/; classtype:trojan-activity;sid:84703112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.41.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840011/; classtype:trojan-activity;sid:84703111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.222.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840010/; classtype:trojan-activity;sid:84703110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"metalts.2zorelin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840009/; classtype:trojan-activity;sid:84703109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"apidocs.2zorelin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840008/; classtype:trojan-activity;sid:84703108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"hotfix.qen2vrax.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840007/; classtype:trojan-activity;sid:84703107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.200.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840006/; classtype:trojan-activity;sid:84703106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.141.11.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840005/; classtype:trojan-activity;sid:84703105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bit-fox.mav7loren.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840004/; classtype:trojan-activity;sid:84703104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"dbinsts.2zorelin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840003/; classtype:trojan-activity;sid:84703103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"skyvpns.2zorelin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840002/; classtype:trojan-activity;sid:84703102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"top-svc.mav7loren.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840001/; classtype:trojan-activity;sid:84703101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3840000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.222.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3840000/; classtype:trojan-activity;sid:84703100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"cmdsets.2zorelin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839999/; classtype:trojan-activity;sid:84703099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ops-mgr.mav7loren.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839998/; classtype:trojan-activity;sid:84703098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.166.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839997/; classtype:trojan-activity;sid:84703097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cpu-pro.mav7loren.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839996/; classtype:trojan-activity;sid:84703096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"tmpdirs.qen7varol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839995/; classtype:trojan-activity;sid:84703095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vps-run.mav7loren.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839994/; classtype:trojan-activity;sid:84703094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sshbins.qen7varol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839993/; classtype:trojan-activity;sid:84703093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dns-web.mav7loren.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839992/; classtype:trojan-activity;sid:84703092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; 
depth:41; endswith; nocase; http.host; content:"sslkeys.qen7varol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839991/; classtype:trojan-activity;sid:84703091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.139.15.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839990/; classtype:trojan-activity;sid:84703090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839978/; classtype:trojan-activity;sid:84703078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839979/; classtype:trojan-activity;sid:84703079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839980/; classtype:trojan-activity;sid:84703080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3839981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839981/; classtype:trojan-activity;sid:84703081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839982/; classtype:trojan-activity;sid:84703082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839983/; classtype:trojan-activity;sid:84703083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839984/; classtype:trojan-activity;sid:84703084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839985/; classtype:trojan-activity;sid:84703085; rev:1;) 
# How the rules in this feed match (read from the options on each rule):
#   - alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client:
#     client side of an established outbound HTTP flow; the action is alert only.
#   - http.method must contain "GET".
#   - http.uri: depth equals the content length and endswith is set, so the
#     pattern has to fill the whole URI buffer (case-insensitive via nocase).
#   - http.host: depth equals the content length and isdataat:!1,relative
#     forbids trailing bytes, so the host has to equal the listed value.
#   - The number in msg is the URLhaus entry id; the same id is in reference:url
#     and can be used to look the entry up during triage.
# NOTE(review): presumably the same download with an appended query string, or
# carried over TLS without decryption, is not matched by these rules - confirm
# against the sensor configuration.
#
# Host 31.58.87.160, URIs under /bins/ (this series begins earlier in the file).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839986/; classtype:trojan-activity;sid:84703086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839987/; classtype:trojan-activity;sid:84703087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839988/; classtype:trojan-activity;sid:84703088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839989/; classtype:trojan-activity;sid:84703089; rev:1;)
# Host 176.65.139.165, files named /manji.<suffix>. The suffixes look like CPU
# architecture names (x86, i486, mpsl, ppc440, ...) - presumably one build per
# architecture; verify against the URLhaus entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839975/; classtype:trojan-activity;sid:84703075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839976/; classtype:trojan-activity;sid:84703076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839977/; classtype:trojan-activity;sid:84703077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839969/; classtype:trojan-activity;sid:84703069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839970/; classtype:trojan-activity;sid:84703070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839971/; classtype:trojan-activity;sid:84703071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839972/; classtype:trojan-activity;sid:84703072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839973/; classtype:trojan-activity;sid:84703073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839974/; classtype:trojan-activity;sid:84703074; rev:1;)
# Named host under the .surf TLD; the long URI path below also appears with
# other hosts elsewhere in this file, one rule per host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appbox.6toralex.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839968/; classtype:trojan-activity;sid:84703068; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"getcfgs.qen7varol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839967/; classtype:trojan-activity;sid:84703067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tplink.sh"; depth:10; endswith; nocase; http.host; content:"185.132.53.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839962/; classtype:trojan-activity;sid:84703062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm4"; depth:5; endswith; nocase; http.host; content:"185.132.53.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839963/; classtype:trojan-activity;sid:84703063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"185.132.53.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839964/; classtype:trojan-activity;sid:84703064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"185.132.53.139"; depth:14; isdataat:!1,relative; metadata:created_at 
2026_05_05; reference:url, urlhaus.abuse.ch/url/3839965/; classtype:trojan-activity;sid:84703065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"185.132.53.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839966/; classtype:trojan-activity;sid:84703066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"devbit.6toralex.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839960/; classtype:trojan-activity;sid:84703060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ipnodes.qen7varol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839961/; classtype:trojan-activity;sid:84703061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.119.177.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839959/; classtype:trojan-activity;sid:84703059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839958)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"hotfixs.qen7varol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839958/; classtype:trojan-activity;sid:84703058; rev:1;)
# Two URI paths recur in the rules below, each time with a different host:
#   /sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm  (hosts under 6toralex.surf)
#   /kiss-m0dem-defndr-myrai-sdf934/kwtor.dll                  (hosts under mav3lirex.surf, qen7varol.surf)
# In every rule http.host is anchored at both ends (depth equals the content
# length, isdataat:!1,relative), so a rule fires only for the exact host name
# it lists; a further subdomain serving the same path is not covered until the
# feed adds a rule for it.
# NOTE(review): if coverage of not-yet-listed hosts matters, that would need a
# separate locally maintained signature - weigh against false-positive rate.
# The rules with URI "/i" pin a single IP-literal host each; the 2-byte URI is
# specific only in combination with that host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvlog.6toralex.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839957/; classtype:trojan-activity;sid:84703057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.18.213.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839956/; classtype:trojan-activity;sid:84703056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"bitfoxs.mav3lirex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839955/; classtype:trojan-activity;sid:84703055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netapi.6toralex.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839954/; classtype:trojan-activity;sid:84703054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webcdn.6toralex.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839953/; classtype:trojan-activity;sid:84703053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"topsvcs.mav3lirex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839952/; classtype:trojan-activity;sid:84703052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.206.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839951/; classtype:trojan-activity;sid:84703051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvhub.6toralex.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839950/; 
classtype:trojan-activity;sid:84703050; rev:1;)
# Most rules below pin host 31.58.87.160 and differ only in the URI: a script
# name (/c.sh), /o.xml, then bare names that look like CPU architectures
# (/sh4, /x86, /m68k, ...) - presumably one payload build per architecture;
# verify against the URLhaus entries named in reference:url.
# The URI patterns are only 4-7 bytes long. They stay specific because each
# rule also requires http.host to equal the one address (depth equals the
# content length, isdataat:!1,relative). Loosening or dropping the host match
# when adapting these rules locally would make them match common short paths.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839949/; classtype:trojan-activity;sid:84703049; rev:1;)
# Unrelated host interleaved by the feed's ordering: named host under .surf.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"opsmgrs.mav3lirex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839948/; classtype:trojan-activity;sid:84703048; rev:1;)
# Host 31.58.87.160 again, consecutive URLhaus ids 3839935-3839946.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o.xml"; depth:6; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839935/; classtype:trojan-activity;sid:84703035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839936/; classtype:trojan-activity;sid:84703036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839937/; classtype:trojan-activity;sid:84703037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839938/; classtype:trojan-activity;sid:84703038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839939/; classtype:trojan-activity;sid:84703039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839940/; classtype:trojan-activity;sid:84703040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839941/; classtype:trojan-activity;sid:84703041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839942/; classtype:trojan-activity;sid:84703042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839943/; classtype:trojan-activity;sid:84703043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839944/; classtype:trojan-activity;sid:84703044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839945/; classtype:trojan-activity;sid:84703045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839946/; classtype:trojan-activity;sid:84703046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3839947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839947/; classtype:trojan-activity;sid:84703047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839933/; classtype:trojan-activity;sid:84703033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"31.58.87.160"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839934/; classtype:trojan-activity;sid:84703034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.176.164.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839931/; classtype:trojan-activity;sid:84703031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.119.177.139"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839932/; classtype:trojan-activity;sid:84703032; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"gitlab.sori7xen.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839930/; classtype:trojan-activity;sid:84703030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"cpupros.mav3lirex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839929/; classtype:trojan-activity;sid:84703029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux.sh"; depth:9; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839928/; classtype:trojan-activity;sid:84703028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.143.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839927/; classtype:trojan-activity;sid:84703027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; 
depth:57; endswith; nocase; http.host; content:"apiops.sori7xen.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839926/; classtype:trojan-activity;sid:84703026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vpsruns.mav3lirex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839925/; classtype:trojan-activity;sid:84703025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839924/; classtype:trojan-activity;sid:84703024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.180.31.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839923/; classtype:trojan-activity;sid:84703023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"logbin.sori7xen.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839922/; classtype:trojan-activity;sid:84703022; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.21.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839921/; classtype:trojan-activity;sid:84703021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"dnswebs.mav3lirex.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839920/; classtype:trojan-activity;sid:84703020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.233.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839919/; classtype:trojan-activity;sid:84703019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appsrc.sori7xen.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839918/; classtype:trojan-activity;sid:84703018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; 
nocase; http.host; content:"appboxs.9toravex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839917/; classtype:trojan-activity;sid:84703017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.206.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839916/; classtype:trojan-activity;sid:84703016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webdoc.sori7xen.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839915/; classtype:trojan-activity;sid:84703015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.232.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839914/; classtype:trojan-activity;sid:84703014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"devbits.9toravex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839913/; classtype:trojan-activity;sid:84703013; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.148.7.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839912/; classtype:trojan-activity;sid:84703012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syskey.sori7xen.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839911/; classtype:trojan-activity;sid:84703011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"srvlogs.9toravex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839910/; classtype:trojan-activity;sid:84703010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"31.173.12.36"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839909/; classtype:trojan-activity;sid:84703009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839908/; classtype:trojan-activity;sid:84703008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.189.3.1"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839907/; classtype:trojan-activity;sid:84703007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"net-man.4dorexal.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839906/; classtype:trojan-activity;sid:84703006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"netapis.9toravex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839905/; classtype:trojan-activity;sid:84703005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.176.164.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839904/; classtype:trojan-activity;sid:84703004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3839903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tcp-con.4dorexal.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839903/; classtype:trojan-activity;sid:84703003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"webcdnx.9toravex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839902/; classtype:trojan-activity;sid:84703002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.119.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839901/; classtype:trojan-activity;sid:84703001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"srvhubs.9toravex.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839900/; classtype:trojan-activity;sid:84703000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; 
http.host; content:"ssh-pro.4dorexal.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839899/; classtype:trojan-activity;sid:84702999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.63.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839898/; classtype:trojan-activity;sid:84702998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.148.7.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839897/; classtype:trojan-activity;sid:84702997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vm-list.4dorexal.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839896/; classtype:trojan-activity;sid:84702996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vnchy.sorix7en.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839895/; classtype:trojan-activity;sid:84702995; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.232.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839894/; classtype:trojan-activity;sid:84702994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.94.31.126"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839893/; classtype:trojan-activity;sid:84702993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.119.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839892/; classtype:trojan-activity;sid:84702992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"dzst.sorix7en.surf"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839891/; classtype:trojan-activity;sid:84702991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"usr-grp.4dorexal.surf"; 
depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839890/; classtype:trojan-activity;sid:84702990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/bot.x86"; depth:12; endswith; nocase; http.host; content:"176.65.139.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839888/; classtype:trojan-activity;sid:84702988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"otntjfbp.sorix7en.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839889/; classtype:trojan-activity;sid:84702989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"opt-web.4dorexal.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839887/; classtype:trojan-activity;sid:84702987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.27.87"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839886/; classtype:trojan-activity;sid:84702986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3839885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"proxys.vexo3nar.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839885/; classtype:trojan-activity;sid:84702985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"mer-nexa.sorix7en.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839884/; classtype:trojan-activity;sid:84702984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"lanhop.vexo3nar.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839883/; classtype:trojan-activity;sid:84702983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vorvaleon3.sorix7en.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839882/; classtype:trojan-activity;sid:84702982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"118.175.205.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839881/; classtype:trojan-activity;sid:84702981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.146.251"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839880/; classtype:trojan-activity;sid:84702980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.175.205.150"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839879/; classtype:trojan-activity;sid:84702979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"subcli.vexo3nar.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839878/; classtype:trojan-activity;sid:84702978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"geo-tru3.sorix7en.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839877/; classtype:trojan-activity;sid:84702977; rev:1;) alert http 
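$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitkit.vexo3nar.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839876/; classtype:trojan-activity;sid:84702976; rev:1;)
# Shape shared by the rules in this run: a client-to-server GET on an established flow,
# an http.uri pattern whose depth equals the pattern length and is closed by endswith
# (whole-URI match, case-insensitive through nocase), and an http.host pattern pinned the
# same way with depth plus isdataat:!1,relative. Each rule names one URLhaus entry via its
# reference URL. These are "alert http" rules, so they fire only on traffic Suricata parses
# as HTTP; the same URL fetched inside TLS is not seen by them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"echo-sync.sorix7en.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839875/; classtype:trojan-activity;sid:84702975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839874/; classtype:trojan-activity;sid:84702974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envset.vexo3nar.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839873/; classtype:trojan-activity;sid:84702973; rev:1;)
# Fixed: depth was 27, which counts the hex escape |3f| as four characters. The decoded
# pattern "/?ublib=caiptbhwgkxuechy" is 24 bytes, so depth:27 with endswith also accepted
# URIs carrying up to three extra leading bytes. depth:24 restores the exact-URI match the
# neighbouring rules use. sid and rev are left as published.
# NOTE(review): the file header marks this as a generated feed, so a local edit will
# presumably be overwritten on the next update; the miscount needs fixing in the generator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=caiptbhwgkxuechy"; depth:24; endswith; nocase; http.host; content:"rl88qulx.izyob7rickets.digital"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839872/; classtype:trojan-activity;sid:84702972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ixc32.1dorelax.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839871/; classtype:trojan-activity;sid:84702971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.38.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839870/; classtype:trojan-activity;sid:84702970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.149.150.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839869/; classtype:trojan-activity;sid:84702969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"hyper-cr4te.1dorelax.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839867/; 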
classtype:trojan-activity;sid:84702967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"doclab.vexo3nar.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839868/; classtype:trojan-activity;sid:84702968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.30.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839866/; classtype:trojan-activity;sid:84702966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.237.177.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839865/; classtype:trojan-activity;sid:84702965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"alig9-trail.1dorelax.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839864/; classtype:trojan-activity;sid:84702964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839863)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syncit.pavl9ore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839863/; classtype:trojan-activity;sid:84702963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.176.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839862/; classtype:trojan-activity;sid:84702962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.76.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839861/; classtype:trojan-activity;sid:84702961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.130.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839860/; classtype:trojan-activity;sid:84702960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.176.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839859/; classtype:trojan-activity;sid:84702959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3839857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"serforgeis.1dorelax.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839857/; classtype:trojan-activity;sid:84702957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ioflow.pavl9ore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839858/; classtype:trojan-activity;sid:84702958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"task-id.pavl9ore.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839856/; classtype:trojan-activity;sid:84702956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"refinspruc.1dorelax.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839855/; classtype:trojan-activity;sid:84702955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839854)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"com-web.pavl9ore.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839854/; classtype:trojan-activity;sid:84702954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.114.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839853/; classtype:trojan-activity;sid:84702953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"pr1rn-frame.1dorelax.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839852/; classtype:trojan-activity;sid:84702952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.23.87.246"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839851/; classtype:trojan-activity;sid:84702951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"iigbclf.1dorelax.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3839850/; classtype:trojan-activity;sid:84702950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.157.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839849/; classtype:trojan-activity;sid:84702949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"refid-1.pavl9ore.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839848/; classtype:trojan-activity;sid:84702948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.26.202.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839847/; classtype:trojan-activity;sid:84702947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.54.130.57"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839846/; classtype:trojan-activity;sid:84702946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839845)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autbox.pavl9ore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839845/; classtype:trojan-activity;sid:84702945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"kelforgeor8.vexon3ar.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839844/; classtype:trojan-activity;sid:84702944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.43.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839843/; classtype:trojan-activity;sid:84702943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dom-reg.xam1riel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839842/; classtype:trojan-activity;sid:84702942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"9sgsurs.vexon3ar.surf"; depth:21; isdataat:!1,relative; metadata:created_at 
2026_05_05; reference:url, urlhaus.abuse.ch/url/3839841/; classtype:trojan-activity;sid:84702941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.114.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839840/; classtype:trojan-activity;sid:84702940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pwr-log.xam1riel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839839/; classtype:trojan-activity;sid:84702939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"crystalreef.vexon3ar.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839838/; classtype:trojan-activity;sid:84702938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.222.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839837/; classtype:trojan-activity;sid:84702937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839836)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"podcasdeliv.vexon3ar.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839836/; classtype:trojan-activity;sid:84702936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ext-net.xam1riel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839835/; classtype:trojan-activity;sid:84702935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pkg-run.xam1riel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839834/; classtype:trojan-activity;sid:84702934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"mod-bus.xam1riel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839833/; classtype:trojan-activity;sid:84702933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839832)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"quorvale4et.vexon3ar.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839832/; classtype:trojan-activity;sid:84702932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.42.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839831/; classtype:trojan-activity;sid:84702931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"oiyksxf.vexon3ar.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839830/; classtype:trojan-activity;sid:84702930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.56.148.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839829/; classtype:trojan-activity;sid:84702929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"src-get.xam1riel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839828/; 
classtype:trojan-activity;sid:84702928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"a1ig-vector.vexon3ar.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839827/; classtype:trojan-activity;sid:84702927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.61.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839826/; classtype:trojan-activity;sid:84702926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"uidmap.torex6lin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839825/; classtype:trojan-activity;sid:84702925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"plskl.pavlore9.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839824/; classtype:trojan-activity;sid:84702924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839823)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"uykfqn.pavlore9.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839823/; classtype:trojan-activity;sid:84702923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.178.99"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839822/; classtype:trojan-activity;sid:84702922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gg2"; depth:4; endswith; nocase; http.host; content:"209.99.186.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839820/; classtype:trojan-activity;sid:84702920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gg"; depth:3; endswith; nocase; http.host; content:"209.99.186.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839821/; classtype:trojan-activity;sid:84702921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/biwavani"; depth:9; endswith; nocase; http.host; content:"209.99.186.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839818/; classtype:trojan-activity;sid:84702918; rev:1;) alert http $HOME_NET any 
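-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kuhaderiy"; depth:10; endswith; nocase; http.host; content:"209.99.186.71"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839819/; classtype:trojan-activity;sid:84702919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ftpsrv.torex6lin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839817/; classtype:trojan-activity;sid:84702917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.24.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839816/; classtype:trojan-activity;sid:84702915; rev:1;)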
malware download URL detected (3839810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdat.torex6lin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839810/; classtype:trojan-activity;sid:84702910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"libsys.torex6lin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839811/; classtype:trojan-activity;sid:84702911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-mips-hf"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839812/; classtype:trojan-activity;sid:84702912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"jobadm.torex6lin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839804/; classtype:trojan-activity;sid:84702904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839805)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/microsoft%20excel.exe"; depth:22; endswith; nocase; http.host; content:"209.99.190.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839805/; classtype:trojan-activity;sid:84702905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/excel.exe"; depth:10; endswith; nocase; http.host; content:"209.99.190.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839806/; classtype:trojan-activity;sid:84702906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-armv6"; depth:22; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839801/; classtype:trojan-activity;sid:84702901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-ppc64le"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839802/; classtype:trojan-activity;sid:84702902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-mips64"; depth:23; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3839803/; classtype:trojan-activity;sid:84702903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-freebsd-arm64"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839794/; classtype:trojan-activity;sid:84702894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-mipsle"; depth:23; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839795/; classtype:trojan-activity;sid:84702895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-arm64"; depth:22; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839796/; classtype:trojan-activity;sid:84702896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-amd64"; depth:22; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839797/; classtype:trojan-activity;sid:84702897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3839798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-mips64le"; depth:25; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839798/; classtype:trojan-activity;sid:84702898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-darwin-arm64"; depth:23; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839799/; classtype:trojan-activity;sid:84702899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-mips"; depth:21; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839800/; classtype:trojan-activity;sid:84702900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"iontrai.pavlore9.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839790/; classtype:trojan-activity;sid:84702890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-ppc64"; depth:22; 
endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839791/; classtype:trojan-activity;sid:84702891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-armv5"; depth:22; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839792/; classtype:trojan-activity;sid:84702892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-netbsd-amd64"; depth:23; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839793/; classtype:trojan-activity;sid:84702893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-riscv64"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839788/; classtype:trojan-activity;sid:84702888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-mipsle-hf"; depth:26; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839789/; classtype:trojan-activity;sid:84702889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-freebsd-amd64"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839787/; classtype:trojan-activity;sid:84702887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-386"; depth:20; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839786/; classtype:trojan-activity;sid:84702886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839768/; classtype:trojan-activity;sid:84702868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839769/; classtype:trojan-activity;sid:84702869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3839770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839770/; classtype:trojan-activity;sid:84702870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839771/; classtype:trojan-activity;sid:84702871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839772/; classtype:trojan-activity;sid:84702872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839773/; classtype:trojan-activity;sid:84702873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839774/; classtype:trojan-activity;sid:84702874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839775/; classtype:trojan-activity;sid:84702875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839776/; classtype:trojan-activity;sid:84702876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839777/; classtype:trojan-activity;sid:84702877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839778/; classtype:trojan-activity;sid:84702878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839779)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839779/; classtype:trojan-activity;sid:84702879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839780/; classtype:trojan-activity;sid:84702880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839781/; classtype:trojan-activity;sid:84702881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839782/; classtype:trojan-activity;sid:84702882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839783/; classtype:trojan-activity;sid:84702883; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839784/; classtype:trojan-activity;sid:84702884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839785/; classtype:trojan-activity;sid:84702885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839767/; classtype:trojan-activity;sid:84702867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-openbsd-arm64"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839766/; classtype:trojan-activity;sid:84702866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-s390x"; depth:22; endswith; nocase; http.host; 
content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839765/; classtype:trojan-activity;sid:84702865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmipsxnxn"; depth:30; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839764/; classtype:trojan-activity;sid:84702864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv6l"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839752/; classtype:trojan-activity;sid:84702852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxni386xnxn"; depth:30; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839753/; classtype:trojan-activity;sid:84702853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnx86_64xnxn"; depth:32; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839754/; classtype:trojan-activity;sid:84702854; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839755/; classtype:trojan-activity;sid:84702855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv4l"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839756/; classtype:trojan-activity;sid:84702856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnmicroblazexnxn"; depth:36; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839757/; classtype:trojan-activity;sid:84702857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh2xnxn"; depth:29; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839758/; classtype:trojan-activity;sid:84702858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnsh4xnxn"; depth:29; endswith; nocase; http.host; 
content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839759/; classtype:trojan-activity;sid:84702859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv32xnxn"; depth:33; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839760/; classtype:trojan-activity;sid:84702860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-linux-armv7"; depth:22; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839761/; classtype:trojan-activity;sid:84702861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnloongarch64xnxn"; depth:37; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839762/; classtype:trojan-activity;sid:84702862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839763/; classtype:trojan-activity;sid:84702863; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-android-arm64"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839742/; classtype:trojan-activity;sid:84702842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-openbsd-386"; depth:22; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839743/; classtype:trojan-activity;sid:84702843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-darwin-amd64"; depth:23; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839744/; classtype:trojan-activity;sid:84702844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv7l"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839745/; classtype:trojan-activity;sid:84702845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839746)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/xnxnxnxnxnxnxnxnor1kxnxn"; depth:30; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839746/; classtype:trojan-activity;sid:84702846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv5l"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839747/; classtype:trojan-activity;sid:84702847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-openbsd-amd64"; depth:24; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839748/; classtype:trojan-activity;sid:84702848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/client-freebsd-386"; depth:22; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839749/; classtype:trojan-activity;sid:84702849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3839750/; classtype:trojan-activity;sid:84702850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnriscv64xnxn"; depth:33; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839751/; classtype:trojan-activity;sid:84702851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839741/; classtype:trojan-activity;sid:84702841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnpowerpcxnxn"; depth:33; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839735/; classtype:trojan-activity;sid:84702835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.arc"; depth:9; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839736/; classtype:trojan-activity;sid:84702836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839737)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839737/; classtype:trojan-activity;sid:84702837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839738/; classtype:trojan-activity;sid:84702838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnm68kxnxn"; depth:30; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839739/; classtype:trojan-activity;sid:84702839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/xnxnxnxnxnxnxnxnaarch64xnxn"; depth:33; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839740/; classtype:trojan-activity;sid:84702840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.i486"; depth:10; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839734/; classtype:trojan-activity;sid:84702834; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"couri-shall.pavlore9.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839733/; classtype:trojan-activity;sid:84702833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"zipark.torex6lin.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839732/; classtype:trojan-activity;sid:84702832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"4dapt3-node.pavlore9.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839731/; classtype:trojan-activity;sid:84702831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.120.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839730/; classtype:trojan-activity;sid:84702830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839729)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"osbase.3zavlore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839729/; classtype:trojan-activity;sid:84702829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.26.202.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839728/; classtype:trojan-activity;sid:84702828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.102.39.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839727/; classtype:trojan-activity;sid:84702827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.221.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839726/; classtype:trojan-activity;sid:84702826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"prof9-point.xamir2el.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839725/; classtype:trojan-activity;sid:84702825; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bec6"; depth:5; endswith; nocase; http.host; content:"83.147.18.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839721/; classtype:trojan-activity;sid:84702821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bo0oze-lat.exe"; depth:15; endswith; nocase; http.host; content:"83.147.18.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839722/; classtype:trojan-activity;sid:84702822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boz-poly.exe"; depth:13; endswith; nocase; http.host; content:"83.147.18.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839723/; classtype:trojan-activity;sid:84702823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adobee.exe"; depth:11; endswith; nocase; http.host; content:"83.147.18.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839724/; classtype:trojan-activity;sid:84702824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; 
content:"metalt.3zavlore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839720/; classtype:trojan-activity;sid:84702820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.arm5"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839713/; classtype:trojan-activity;sid:84702813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.s390"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839714/; classtype:trojan-activity;sid:84702814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.mpsl"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839715/; classtype:trojan-activity;sid:84702815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.arm5"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839716/; classtype:trojan-activity;sid:84702816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839717)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.i386"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839717/; classtype:trojan-activity;sid:84702817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.mps64"; depth:15; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839718/; classtype:trojan-activity;sid:84702818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.mps64"; depth:15; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839719/; classtype:trojan-activity;sid:84702819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.x86"; depth:13; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839698/; classtype:trojan-activity;sid:84702798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.x86"; depth:13; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839699/; 
classtype:trojan-activity;sid:84702799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/builder_ultimate.sh"; depth:25; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839700/; classtype:trojan-activity;sid:84702800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.ppc"; depth:13; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839701/; classtype:trojan-activity;sid:84702801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.mpsl"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839702/; classtype:trojan-activity;sid:84702802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.ppc"; depth:13; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839703/; classtype:trojan-activity;sid:84702803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.arm7"; depth:14; endswith; nocase; http.host; 
content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839704/; classtype:trojan-activity;sid:84702804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.64"; depth:12; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839705/; classtype:trojan-activity;sid:84702805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.mips"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839706/; classtype:trojan-activity;sid:84702806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.arm7"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839707/; classtype:trojan-activity;sid:84702807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.s390"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839708/; classtype:trojan-activity;sid:84702808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839709)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.64"; depth:12; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839709/; classtype:trojan-activity;sid:84702809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bots/kaf.i386"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839710/; classtype:trojan-activity;sid:84702810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/unidrop_ultimate.sh"; depth:25; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839711/; classtype:trojan-activity;sid:84702811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kaf.mips"; depth:14; endswith; nocase; http.host; content:"185.242.3.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839712/; classtype:trojan-activity;sid:84702812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.120.64"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839697/; 
classtype:trojan-activity;sid:84702797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"port-mar.xamir2el.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839696/; classtype:trojan-activity;sid:84702796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidoc.3zavlore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839695/; classtype:trojan-activity;sid:84702795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"dyn-lithos.xamir2el.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839694/; classtype:trojan-activity;sid:84702794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.119.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839693/; classtype:trojan-activity;sid:84702793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839692)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dbinst.3zavlore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839692/; classtype:trojan-activity;sid:84702792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"mxqbq.xamir2el.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839691/; classtype:trojan-activity;sid:84702791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"salemacro.xamir2el.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839690/; classtype:trojan-activity;sid:84702790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.13.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839688/; classtype:trojan-activity;sid:84702788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.164.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839689/; classtype:trojan-activity;sid:84702789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"skyvpn.3zavlore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839687/; classtype:trojan-activity;sid:84702787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cmdset.3zavlore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839686/; classtype:trojan-activity;sid:84702786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"gladefirm.xamir2el.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839685/; classtype:trojan-activity;sid:84702785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tmpdir.qeni8ral.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839684/; classtype:trojan-activity;sid:84702784; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.5.210.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839683/; classtype:trojan-activity;sid:84702783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"alt-b1oo.xamir2el.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839682/; classtype:trojan-activity;sid:84702782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.165.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839681/; classtype:trojan-activity;sid:84702781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.exe"; depth:9; endswith; nocase; http.host; content:"31.57.216.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839678/; classtype:trojan-activity;sid:84702778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bamlol.exe"; depth:11; endswith; nocase; http.host; content:"31.57.216.218"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_05; reference:url, urlhaus.abuse.ch/url/3839679/; classtype:trojan-activity;sid:84702779; rev:1;)
# NOTE(review): The next rule matches the literal bytes "%20" inside the http.uri sticky
# buffer and requires the buffer to be exactly 21 bytes (depth:21 + endswith). Suricata's
# documentation describes http.uri as the normalized URI, in which %20 is converted to a
# space, and http.uri.raw as the buffer that keeps the percent-encoding. If that holds for
# this sensor's HTTP parser settings, the inspected buffer is "/microsoft host.exe"
# (19 bytes) and this rule does not fire on the reported URL -- TODO confirm with a test
# pcap. Because this is a feed rule that is overwritten on update, the fix belongs in a
# local rule with a local sid (matching on http.uri.raw, or on the decoded path with
# depth:19), not in an edit to sid 84702780.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft%20host.exe"; depth:21; endswith; nocase; http.host; content:"31.57.216.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839680/; classtype:trojan-activity;sid:84702780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.164.160"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839677/; classtype:trojan-activity;sid:84702777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"n3ur4-route.torex5lin.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839676/; classtype:trojan-activity;sid:84702776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.203.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839675/; classtype:trojan-activity;sid:84702775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839674)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.192.238.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839674/; classtype:trojan-activity;sid:84702774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"lyiqe.torex5lin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839673/; classtype:trojan-activity;sid:84702773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lc.exe"; depth:7; endswith; nocase; http.host; content:"185.177.239.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839671/; classtype:trojan-activity;sid:84702771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cheaker.exe"; depth:12; endswith; nocase; http.host; content:"185.177.239.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839672/; classtype:trojan-activity;sid:84702772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1lc.exe"; depth:8; endswith; nocase; http.host; content:"185.177.239.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839670/; classtype:trojan-activity;sid:84702770; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/system.exe"; depth:11; endswith; nocase; http.host; content:"185.177.239.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839668/; classtype:trojan-activity;sid:84702768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamsetup_5449084542286.exe"; depth:29; endswith; nocase; http.host; content:"185.177.239.181"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839669/; classtype:trojan-activity;sid:84702769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.165.55"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839667/; classtype:trojan-activity;sid:84702767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sslkey.qeni8ral.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839666/; classtype:trojan-activity;sid:84702766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; 
content:"5parr-forge.torex5lin.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839665/; classtype:trojan-activity;sid:84702765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.5.210.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839664/; classtype:trojan-activity;sid:84702764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.80.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839663/; classtype:trojan-activity;sid:84702763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"getcfg.qeni8ral.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839662/; classtype:trojan-activity;sid:84702762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"stacksurvey.torex5lin.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839661/; classtype:trojan-activity;sid:84702761; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fo4translator.exe"; depth:18; endswith; nocase; http.host; content:"193.233.113.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839660/; classtype:trojan-activity;sid:84702760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.16.164.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839659/; classtype:trojan-activity;sid:84702759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ipnode.qeni8ral.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839658/; classtype:trojan-activity;sid:84702758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.243.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839657/; classtype:trojan-activity;sid:84702757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.192.238.49"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839656/; classtype:trojan-activity;sid:84702756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"grandprocess.torex5lin.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839655/; classtype:trojan-activity;sid:84702755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"oczl.torex5lin.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839654/; classtype:trojan-activity;sid:84702754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"hotfix.qeni8ral.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839653/; classtype:trojan-activity;sid:84702753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.203.58"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839652/; classtype:trojan-activity;sid:84702752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3839651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bit-fox.mav2terol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839651/; classtype:trojan-activity;sid:84702751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.116.128.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839650/; classtype:trojan-activity;sid:84702750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shell.exe"; depth:10; endswith; nocase; http.host; content:"130.94.41.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839649/; classtype:trojan-activity;sid:84702749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"top-svc.mav2terol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839648/; classtype:trojan-activity;sid:84702748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; 
content:"sprucevale.torex5lin.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839647/; classtype:trojan-activity;sid:84702747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.12.154"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839646/; classtype:trojan-activity;sid:84702746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"svvif8-sheet.2zavlore.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839645/; classtype:trojan-activity;sid:84702745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vk9sjiuh.2zavlore.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839644/; classtype:trojan-activity;sid:84702744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ops-mgr.mav2terol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839643/; classtype:trojan-activity;sid:84702743; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cpu-pro.mav2terol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839642/; classtype:trojan-activity;sid:84702742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"open-lat.2zavlore.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839641/; classtype:trojan-activity;sid:84702741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usa.sh"; depth:8; endswith; nocase; http.host; content:"173.232.146.173"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839640/; classtype:trojan-activity;sid:84702740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"45.83.207.206"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839639/; classtype:trojan-activity;sid:84702739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usa.sh"; depth:8; endswith; 
nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839638/; classtype:trojan-activity;sid:84702738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.116.128.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839637/; classtype:trojan-activity;sid:84702737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.243.100"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839636/; classtype:trojan-activity;sid:84702736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"wvdaavfk.2zavlore.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839634/; classtype:trojan-activity;sid:84702734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vps-run.mav2terol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839635/; classtype:trojan-activity;sid:84702735; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"hvkxevet.2zavlore.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839633/; classtype:trojan-activity;sid:84702733; rev:1;)
# NOTE(review): sid 84702732 and sid 84702731 below have identical match conditions (same
# http.uri content and depth, same http.host "dns-web.mav2terol.surf"); they differ only in
# msg, reference and sid (URLhaus entries 3839632 and 3839631). A single matching request
# therefore raises two alerts. When counting events or building thresholds, correlate on
# host + URI rather than on sid, or suppress one of the pair locally; both sids are kept
# here because each maps to its own URLhaus reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dns-web.mav2terol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839632/; classtype:trojan-activity;sid:84702732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dns-web.mav2terol.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839631/; classtype:trojan-activity;sid:84702731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot"; depth:4; endswith; nocase; http.host; content:"46.151.182.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839630/; classtype:trojan-activity;sid:84702730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839629)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/bin.x86_64"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839629/; classtype:trojan-activity;sid:84702729; rev:1;)
# NOTE(review): Host 46.151.182.23 is listed once per file under /bins/ (bin.x86_64 above,
# then bin.sh4, bins.sh and bin.powerpc-440fp here, with more builds in the following
# rules). Each rule covers exactly one file name, so a file on the same host that was not
# reported to the feed raises no alert from this set. For triage, treat any of these sids as
# the same indicator (the host) and group alerts by http.host rather than by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.sh4"; depth:13; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839626/; classtype:trojan-activity;sid:84702726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bins.sh"; depth:13; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839627/; classtype:trojan-activity;sid:84702727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.powerpc-440fp"; depth:23; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839628/; classtype:trojan-activity;sid:84702728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.42.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839623/; classtype:trojan-activity;sid:84702723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3839624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.i486"; depth:14; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839624/; classtype:trojan-activity;sid:84702724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.mips64"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839625/; classtype:trojan-activity;sid:84702725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.powerpc"; depth:17; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839621/; classtype:trojan-activity;sid:84702721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.mipsel"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839622/; classtype:trojan-activity;sid:84702722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.i586"; depth:14; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3839615/; classtype:trojan-activity;sid:84702715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv4tl"; depth:17; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839616/; classtype:trojan-activity;sid:84702716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.i686"; depth:14; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839617/; classtype:trojan-activity;sid:84702717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.mips"; depth:14; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839618/; classtype:trojan-activity;sid:84702718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv4eb"; depth:17; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839619/; classtype:trojan-activity;sid:84702719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.m68k"; depth:14; 
endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839620/; classtype:trojan-activity;sid:84702720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv41"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839614/; classtype:trojan-activity;sid:84702714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv61"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839611/; classtype:trojan-activity;sid:84702711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv51"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839612/; classtype:trojan-activity;sid:84702712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.armv71"; depth:16; endswith; nocase; http.host; content:"46.151.182.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839613/; classtype:trojan-activity;sid:84702713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3839610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appbox.5lorexin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839610/; classtype:trojan-activity;sid:84702710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"mi5t-cache.2zavlore.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839609/; classtype:trojan-activity;sid:84702709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.241.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839608/; classtype:trojan-activity;sid:84702708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"devbit.5lorexin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839607/; classtype:trojan-activity;sid:84702707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; 
http.host; content:"9thvfl.2zavlore.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839606/; classtype:trojan-activity;sid:84702706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvlog.5lorexin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839605/; classtype:trojan-activity;sid:84702705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"formreba.qeniral8.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839604/; classtype:trojan-activity;sid:84702704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.124.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839603/; classtype:trojan-activity;sid:84702703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromedriver.exe"; depth:17; endswith; nocase; http.host; content:"83.142.209.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839602/; classtype:trojan-activity;sid:84702702; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=udqsogszviculnag"; depth:27; endswith; nocase; http.host; content:"dh4vdz12.doha-neutral.digital"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839601/; classtype:trojan-activity;sid:84702701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netapi.5lorexin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839600/; classtype:trojan-activity;sid:84702700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netapi.5lorexin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839598/; classtype:trojan-activity;sid:84702698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"7m5mdmsm.qeniral8.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839599/; classtype:trojan-activity;sid:84702699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839597)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"7m5mdmsm.qeniral8.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839597/; classtype:trojan-activity;sid:84702697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webcdn.5lorexin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839596/; classtype:trojan-activity;sid:84702696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"lum-cresta.qeniral8.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839595/; classtype:trojan-activity;sid:84702695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"lum-cresta.qeniral8.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839594/; classtype:trojan-activity;sid:84702694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.160.9.182"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839593/; classtype:trojan-activity;sid:84702693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.164.132"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839592/; classtype:trojan-activity;sid:84702692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.112.189.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839591/; classtype:trojan-activity;sid:84702691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/loader.sh"; depth:13; endswith; nocase; http.host; content:"niggerhitlerdidnothingwrong.alwaysdata.net"; depth:42; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839590/; classtype:trojan-activity;sid:84702690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.191.230.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839589/; classtype:trojan-activity;sid:84702689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839588)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"182.240.200.2"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839588/; classtype:trojan-activity;sid:84702688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839587/; classtype:trojan-activity;sid:84702687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.92.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839582/; classtype:trojan-activity;sid:84702682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.210.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839583/; classtype:trojan-activity;sid:84702683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.117.241"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839584/; classtype:trojan-activity;sid:84702684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839585)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.14.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839585/; classtype:trojan-activity;sid:84702685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.20.227"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839586/; classtype:trojan-activity;sid:84702686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.16.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839568/; classtype:trojan-activity;sid:84702668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.173.87.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839569/; classtype:trojan-activity;sid:84702669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"213.66.254.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839570/; classtype:trojan-activity;sid:84702670; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.108.0"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839571/; classtype:trojan-activity;sid:84702671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.124.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839572/; classtype:trojan-activity;sid:84702672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.19.6"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839573/; classtype:trojan-activity;sid:84702673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.245.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839574/; classtype:trojan-activity;sid:84702674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.110.143"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839575/; 
classtype:trojan-activity;sid:84702675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.76.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839576/; classtype:trojan-activity;sid:84702676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.150.252.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839577/; classtype:trojan-activity;sid:84702677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839578/; classtype:trojan-activity;sid:84702678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.133.116.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839579/; classtype:trojan-activity;sid:84702679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.35.235"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839580/; classtype:trojan-activity;sid:84702680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.233.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839581/; classtype:trojan-activity;sid:84702681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.150.252.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839566/; classtype:trojan-activity;sid:84702666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.76.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839567/; classtype:trojan-activity;sid:84702667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.168.103.203"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839561/; classtype:trojan-activity;sid:84702661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; 
http.host; content:"103.82.195.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839562/; classtype:trojan-activity;sid:84702662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839563/; classtype:trojan-activity;sid:84702663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839564/; classtype:trojan-activity;sid:84702664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.99.85.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839565/; classtype:trojan-activity;sid:84702665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.242.155.81"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839557/; classtype:trojan-activity;sid:84702657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839558)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.102.149.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839558/; classtype:trojan-activity;sid:84702658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.160.83"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839559/; classtype:trojan-activity;sid:84702659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.150.252.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839560/; classtype:trojan-activity;sid:84702660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.185.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839546/; classtype:trojan-activity;sid:84702646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.151.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839547/; classtype:trojan-activity;sid:84702647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3839548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.245.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839548/; classtype:trojan-activity;sid:84702648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.104.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839549/; classtype:trojan-activity;sid:84702649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.13.248.58"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839550/; classtype:trojan-activity;sid:84702650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.163.221.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839551/; classtype:trojan-activity;sid:84702651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.31.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839552/; classtype:trojan-activity;sid:84702652; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.12.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839553/; classtype:trojan-activity;sid:84702653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.179.230.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839554/; classtype:trojan-activity;sid:84702654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.191.230.61"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839555/; classtype:trojan-activity;sid:84702655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.10.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839556/; classtype:trojan-activity;sid:84702656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/all.sh"; depth:7; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3839543/; classtype:trojan-activity;sid:84702643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.197.85"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839544/; classtype:trojan-activity;sid:84702644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839545/; classtype:trojan-activity;sid:84702645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839542/; classtype:trojan-activity;sid:84702642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvhub.5lorexin.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839539/; classtype:trojan-activity;sid:84702639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"112.93.202.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839540/; classtype:trojan-activity;sid:84702640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.151.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839541/; classtype:trojan-activity;sid:84702641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.183.196.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839538/; classtype:trojan-activity;sid:84702638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.113.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839537/; classtype:trojan-activity;sid:84702637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.37.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839536/; classtype:trojan-activity;sid:84702636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839532)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.37.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839532/; classtype:trojan-activity;sid:84702632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.22.135"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839533/; classtype:trojan-activity;sid:84702633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.97.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839534/; classtype:trojan-activity;sid:84702634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.23.89.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839535/; classtype:trojan-activity;sid:84702635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.114.213.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839528/; classtype:trojan-activity;sid:84702628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3839529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.245.139.161"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839529/; classtype:trojan-activity;sid:84702629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.231.205.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839530/; classtype:trojan-activity;sid:84702630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.102.129.206"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839531/; classtype:trojan-activity;sid:84702631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.150.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839526/; classtype:trojan-activity;sid:84702626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.245.87"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839527/; 
classtype:trojan-activity;sid:84702627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"223.112.189.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839523/; classtype:trojan-activity;sid:84702623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.151.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839524/; classtype:trojan-activity;sid:84702624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.104.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839525/; classtype:trojan-activity;sid:84702625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.163.221.207"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839520/; classtype:trojan-activity;sid:84702620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.12.213"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839521/; classtype:trojan-activity;sid:84702621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.183.196.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839522/; classtype:trojan-activity;sid:84702622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.146.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839517/; classtype:trojan-activity;sid:84702617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.221.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839518/; classtype:trojan-activity;sid:84702618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.245.141.1"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839519/; classtype:trojan-activity;sid:84702619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"5.3.109.195"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839516/; classtype:trojan-activity;sid:84702616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.104.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839515/; classtype:trojan-activity;sid:84702615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sbg86o.qeniral8.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839513/; classtype:trojan-activity;sid:84702613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.76.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839514/; classtype:trojan-activity;sid:84702614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.180.94.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839510/; classtype:trojan-activity;sid:84702610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3839511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.31.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839511/; classtype:trojan-activity;sid:84702611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.99.85.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839512/; classtype:trojan-activity;sid:84702612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.138.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839508/; classtype:trojan-activity;sid:84702608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.77.248.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839509/; classtype:trojan-activity;sid:84702609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.123.244"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839507/; classtype:trojan-activity;sid:84702607; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sbg86o.qeniral8.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839503/; classtype:trojan-activity;sid:84702603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.5.93.47"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839504/; classtype:trojan-activity;sid:84702604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.185.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839505/; classtype:trojan-activity;sid:84702605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.173.77.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839506/; classtype:trojan-activity;sid:84702606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.154.118.223"; depth:15; isdataat:!1,relative; metadata:created_at 
2026_05_05; reference:url, urlhaus.abuse.ch/url/3839502/; classtype:trojan-activity;sid:84702602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.150.97.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839499/; classtype:trojan-activity;sid:84702599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.3.109.195"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839500/; classtype:trojan-activity;sid:84702600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.67.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839501/; classtype:trojan-activity;sid:84702601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.127.153.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839498/; classtype:trojan-activity;sid:84702598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"105.184.236.185"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839496/; classtype:trojan-activity;sid:84702596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.133.116.29"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839497/; classtype:trojan-activity;sid:84702597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.122.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839490/; classtype:trojan-activity;sid:84702590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.29.223.148"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839491/; classtype:trojan-activity;sid:84702591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.185.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839492/; classtype:trojan-activity;sid:84702592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839493)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.224.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839493/; classtype:trojan-activity;sid:84702593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.154.118.223"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839494/; classtype:trojan-activity;sid:84702594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.85.115.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839495/; classtype:trojan-activity;sid:84702595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.241.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839489/; classtype:trojan-activity;sid:84702589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sampl-boo.qeniral8.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839488/; classtype:trojan-activity;sid:84702588; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.129.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839487/; classtype:trojan-activity;sid:84702587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.124.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839486/; classtype:trojan-activity;sid:84702586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.144.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839485/; classtype:trojan-activity;sid:84702585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"kfshh.qeniral8.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839484/; classtype:trojan-activity;sid:84702584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.183.55.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839483/; classtype:trojan-activity;sid:84702583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"rnoon-panel.qeniral8.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839482/; classtype:trojan-activity;sid:84702582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.84.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839481/; classtype:trojan-activity;sid:84702581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"balance4-array.mav3torel.surf"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839480/; classtype:trojan-activity;sid:84702580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"gitlab.primevortexbox.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839479/; classtype:trojan-activity;sid:84702579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3839478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ot2k.mav3torel.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839478/; classtype:trojan-activity;sid:84702578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"muhwtwa.mav3torel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839477/; classtype:trojan-activity;sid:84702577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"muhwtwa.mav3torel.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839476/; classtype:trojan-activity;sid:84702576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apiops.primevortexbox.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839475/; classtype:trojan-activity;sid:84702575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"115.63.144.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839474/; classtype:trojan-activity;sid:84702574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.183.55.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839473/; classtype:trojan-activity;sid:84702573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"logbin.primevortexbox.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839472/; classtype:trojan-activity;sid:84702572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"logbin.primevortexbox.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839471/; classtype:trojan-activity;sid:84702571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kworker_u8"; depth:16; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839470/; classtype:trojan-activity;sid:84702570; rev:1;) 
# Reviewer note (not part of the upstream feed): the run of rules that follows keys on host
# 77.221.136.59 - /loader.sh plus files under /bins/ whose names resemble Linux kernel
# thread names (ksoftirqd0, rcuop_0, devfreq_wq, ...). Presumably the names are meant to blend
# into a process listing; on a hit, check the client for user-space processes carrying them.
# Like the other rules visible here, depth equal to the content length combined with endswith
# (http.uri) and isdataat:!1,relative (http.host) makes both buffers exact matches, so only a
# cleartext-HTTP GET of exactly this URL alerts; a different path on the same host, or the
# same path with a query string, is not covered by these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839466/; classtype:trojan-activity;sid:84702566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/edac_polld"; depth:16; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839467/; classtype:trojan-activity;sid:84702567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ksoftirqd0"; depth:16; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839468/; classtype:trojan-activity;sid:84702568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/rcuop_0"; depth:13; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839469/; classtype:trojan-activity;sid:84702569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/devfreq_wq"; depth:16; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839465/; classtype:trojan-activity;sid:84702565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bioset0"; depth:13; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839460/; classtype:trojan-activity;sid:84702560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ecryptfsd"; depth:15; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839461/; classtype:trojan-activity;sid:84702561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/cfg80211d"; depth:15; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839462/; classtype:trojan-activity;sid:84702562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kblockd0"; depth:14; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839463/; classtype:trojan-activity;sid:84702563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839464)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/xfsaild_sda"; depth:17; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839464/; classtype:trojan-activity;sid:84702564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/zswap_shrinkd"; depth:19; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839456/; classtype:trojan-activity;sid:84702556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jbd2_sda1d"; depth:16; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839457/; classtype:trojan-activity;sid:84702557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/kswapd0"; depth:13; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839458/; classtype:trojan-activity;sid:84702558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/scsi_tmf_0"; depth:16; endswith; nocase; http.host; content:"77.221.136.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839459/; classtype:trojan-activity;sid:84702559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3839454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ovjcwn.mav3torel.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839454/; classtype:trojan-activity;sid:84702554; rev:1;)
# The two long URI paths on this line recur under several different subdomains.
# Each rule pins one exact Host value, so a sibling subdomain that is not listed
# will not alert. Searching HTTP/proxy logs for the URI path alone is a useful
# complement to these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appsrc.primevortexbox.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839453/; classtype:trojan-activity;sid:84702553; rev:1;)
# Two-byte URI "/i": the path carries almost no signal on its own, so the
# specificity of this rule comes entirely from the exact Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.251.169"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839452/; classtype:trojan-activity;sid:84702552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"r3ba-field.mav3torel.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839451/; classtype:trojan-activity;sid:84702551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm6"; depth:21; 
endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839450/; classtype:trojan-activity;sid:84702550; rev:1;)
# Same directory on 207.180.196.125, one rule per file.
# NOTE(review): the extensions (mpsl, sh4, arc, mips) look like CPU-architecture
# suffixes, presumably one build of the same payload per target platform.
# Several of these sids firing from one source in a short window would then be a
# single fetch sequence rather than separate incidents. Confirm in the flow data.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mpsl"; depth:21; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839448/; classtype:trojan-activity;sid:84702548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.sh4"; depth:20; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839449/; classtype:trojan-activity;sid:84702549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arc"; depth:20; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839447/; classtype:trojan-activity;sid:84702547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.mips"; depth:21; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839446/; classtype:trojan-activity;sid:84702546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3839445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm5"; depth:21; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839445/; classtype:trojan-activity;sid:84702545; rev:1;)
# `endswith` is what keeps near-identical names apart: the ".x86" rule
# (depth:20) cannot fire on a request for ".x86_64", because the URI buffer must
# end exactly where the content ends. Each file therefore maps to one sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.m68k"; depth:21; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839436/; classtype:trojan-activity;sid:84702536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86_64"; depth:23; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839437/; classtype:trojan-activity;sid:84702537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.x86"; depth:20; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839438/; classtype:trojan-activity;sid:84702538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.ppc"; depth:20; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839439/; classtype:trojan-activity;sid:84702539; rev:1;)
# Further per-file rules for /luxzzxzzx/ on 207.180.196.125.
# The number in `msg` and in `reference:url` is the URLhaus entry id. In these
# rules the sid is that id plus a constant offset (80863100), so an alert can be
# traced back to its URLhaus entry from the sid alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i686"; depth:21; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839440/; classtype:trojan-activity;sid:84702540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.spc"; depth:20; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839441/; classtype:trojan-activity;sid:84702541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm"; depth:20; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839442/; classtype:trojan-activity;sid:84702542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.arm7"; depth:21; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839443/; classtype:trojan-activity;sid:84702543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839444)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/helper.sh"; depth:10; endswith; nocase; http.host; content:"193.32.208.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839444/; classtype:trojan-activity;sid:84702544; rev:1;)
# NOTE(review): "luxzz.i468" is kept exactly as the feed lists it. It may be a
# misspelling of an architecture name on the hosting side, but the rule has to
# match the name actually served, so it must not be "corrected" locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luxzzxzzx/luxzz.i468"; depth:21; endswith; nocase; http.host; content:"207.180.196.125"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839435/; classtype:trojan-activity;sid:84702535; rev:1;)
# IP-literal Host values: these match only when the client sends the bare IP in
# the Host header. The rule header uses `any` for both ports, so the match is
# not tied to port 80.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.24.53"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839434/; classtype:trojan-activity;sid:84702534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.0.111"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839433/; classtype:trojan-activity;sid:84702533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webdoc.primevortexbox.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839432/; 
classtype:trojan-activity;sid:84702532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"nimblecoral.mav3torel.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839431/; classtype:trojan-activity;sid:84702530; rev:1;)
# NOTE(review): the Host here is github.com, a shared platform that is normally
# reached over HTTPS. This is an `alert http` rule on the parsed request, so it
# can only fire where the sensor sees the request in clear text (for example
# behind TLS inspection). Verify sensor placement before relying on it. The
# exact URI pin is what keeps it from alerting on unrelated github.com traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kikimora-arch/solid-doodle/releases/download/realease/kikikmoralibrary.exe"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839430/; classtype:trojan-activity;sid:84702530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.51.82.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839429/; classtype:trojan-activity;sid:84702529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ehtpff9z.mav3torel.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839428/; classtype:trojan-activity;sid:84702528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839427)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syskey.primevortexbox.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839427/; classtype:trojan-activity;sid:84702527; rev:1;)
# Every rule requires `http.method` to be GET, so a HEAD or POST to the same URL
# will not alert. `nocase` makes the URI comparison case-insensitive.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"cor38-loop.7lorexan.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839426/; classtype:trojan-activity;sid:84702526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.86.188.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839425/; classtype:trojan-activity;sid:84702525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"faithfulresolver.7lorexan.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839424/; classtype:trojan-activity;sid:84702524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; 
http.host; content:"netman.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839423/; classtype:trojan-activity;sid:84702523; rev:1;)
# sids 84702522 and 84702521 have identical match conditions (same URI, same
# Host). Only the URLhaus id differs, so one matching request raises two alerts.
# NOTE(review): presumably the two URLhaus entries differ in a part of the URL
# this rule format does not encode. De-duplicate on flow id downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"anchocav.7lorexan.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839422/; classtype:trojan-activity;sid:84702522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"anchocav.7lorexan.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839421/; classtype:trojan-activity;sid:84702521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tcpcon.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839420/; classtype:trojan-activity;sid:84702520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tcpcon.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839419/; classtype:trojan-activity;sid:84702519; rev:1;)
# Direction is fixed by the header: source in $HOME_NET, destination in
# $EXTERNAL_NET. Coverage therefore depends on those two variables being set
# correctly for the sensor. A request from a network that is not in $HOME_NET
# is not inspected by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.192.254.101"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839418/; classtype:trojan-activity;sid:84702518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"wagonsummi.7lorexan.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839417/; classtype:trojan-activity;sid:84702517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"flovv-zone.7lorexan.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839416/; classtype:trojan-activity;sid:84702516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.51.82.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839415/; classtype:trojan-activity;sid:84702515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839414)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshpro.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839414/; classtype:trojan-activity;sid:84702514; rev:1;)
# All rules carry the same msg text, classtype (trojan-activity) and rev:1, and
# none names a malware family. The only per-rule triage handle is the URLhaus id
# in `msg` / `reference:url`, so look that entry up for tags and sample context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vmlist.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839413/; classtype:trojan-activity;sid:84702513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.28.176.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839412/; classtype:trojan-activity;sid:84702512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"casuashor.7lorexan.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839411/; classtype:trojan-activity;sid:84702511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.221.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839410/; classtype:trojan-activity;sid:84702510; rev:1;)
# Short script-style URIs ("/i", "/bin.sh") on IP-literal hosts. Because the URI
# must match in full (`depth` = length, plus `endswith`), a request for the same
# file with any query string appended will not alert. Keep HTTP logging on so
# such variants can still be found by searching on the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.138.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839409/; classtype:trojan-activity;sid:84702509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.121.214"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839408/; classtype:trojan-activity;sid:84702508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"gcaeobl.7lorexan.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839407/; classtype:trojan-activity;sid:84702507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"usrgrp.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839406/; classtype:trojan-activity;sid:84702506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839405)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"pkgrun.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839405/; classtype:trojan-activity;sid:84702505; rev:1;)
# sids 84702504 and 84702503 are identical apart from the URLhaus id (same URI,
# same Host, optweb.ultradatastack.lat), so one request produces two alerts.
# Count distinct flows, not alerts, when judging how many fetches occurred.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"optweb.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839404/; classtype:trojan-activity;sid:84702504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"optweb.ultradatastack.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839403/; classtype:trojan-activity;sid:84702503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.94.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839402/; classtype:trojan-activity;sid:84702502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; 
content:"extnet.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839401/; classtype:trojan-activity;sid:84702501; rev:1;)
# Host-pinned rules for the two recurring URI paths, each under a different
# subdomain. The Host content is matched in full (`depth` = length,
# `isdataat:!1,relative`), so a listed name does not cover other labels under
# the same parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"proxys.masterpowerweb.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839400/; classtype:trojan-activity;sid:84702500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"pwrlog.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839399/; classtype:trojan-activity;sid:84702499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"domreg.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839398/; classtype:trojan-activity;sid:84702498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.63.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839397/; 
classtype:trojan-activity;sid:84702497; rev:1;)
# These are `alert` rules: they log the request and do not stop it. Containment
# (blocking the hosts at a proxy or firewall) has to happen elsewhere.
# NOTE(review): confirm that $HOME_NET covers the segments where the embedded or
# IoT-class devices that would fetch "/bin.sh"-style scripts actually live.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"subcli.masterpowerweb.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839396/; classtype:trojan-activity;sid:84702496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"autbox.vertexpointlinknet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839395/; classtype:trojan-activity;sid:84702495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"refid.vertexpointlinknet.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839394/; classtype:trojan-activity;sid:84702494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.134.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839393/; classtype:trojan-activity;sid:84702493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839392)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.117.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839392/; classtype:trojan-activity;sid:84702492; rev:1;)
# The same "/bin.sh" URI appears against several unrelated IP-literal hosts,
# with one rule per host. The path is generic, so on its own it is not an
# indicator. Only the URI and exact Host together are.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitkit.masterpowerweb.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839391/; classtype:trojan-activity;sid:84702491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.150.115.215"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839390/; classtype:trojan-activity;sid:84702490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"171.38.86.177"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839389/; classtype:trojan-activity;sid:84702489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"comweb.vertexpointlinknet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839388/; classtype:trojan-activity;sid:84702488; rev:1;)
# sids 84702487 and 84702486 share the same URI and Host
# (envset.masterpowerweb.lat) and differ only in the URLhaus id, so one matching
# request yields two alerts. Thresholds or alert counts built on this ruleset
# should group by flow, not by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envset.masterpowerweb.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839387/; classtype:trojan-activity;sid:84702487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envset.masterpowerweb.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839386/; classtype:trojan-activity;sid:84702486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"taskid.vertexpointlinknet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839385/; classtype:trojan-activity;sid:84702485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.94.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839384/; classtype:trojan-activity;sid:84702484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3839383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"taskid.vertexpointlinknet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839383/; classtype:trojan-activity;sid:84702483; rev:1;)
# `metadata:created_at` records when the rule was created. Nothing in a rule
# says whether the URL is still serving content.
# NOTE(review): check the referenced URLhaus entry for current status before
# treating an old hit as live delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"doclab.masterpowerweb.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839382/; classtype:trojan-activity;sid:84702482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.42.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839381/; classtype:trojan-activity;sid:84702481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.209.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839380/; classtype:trojan-activity;sid:84702480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.146.251"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839379/; classtype:trojan-activity;sid:84702479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ioflow.vertexpointlinknet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839378/; classtype:trojan-activity;sid:84702478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syncit.vertexshifthub.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839377/; classtype:trojan-activity;sid:84702477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"ioflow.vertexpointlinknet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839376/; classtype:trojan-activity;sid:84702476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/khgphib.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839374/; classtype:trojan-activity;sid:84702474; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/nahddao.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839375/; classtype:trojan-activity;sid:84702475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/kmnrrkd.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839373/; classtype:trojan-activity;sid:84702473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/knjhkif.txt"; depth:12; endswith; nocase; http.host; content:"0011.s3.cubbit.eu"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839372/; classtype:trojan-activity;sid:84702472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hgfheeeeee/fhfgh/downloads/1.jpg"; depth:33; endswith; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839370/; classtype:trojan-activity;sid:84702470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vid_01052026_134423.mp4.apk"; depth:28; 
endswith; nocase; http.host; content:"max-videos.site"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839371/; classtype:trojan-activity;sid:84702471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/refs/heads/main/khgphib.txt"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839368/; classtype:trojan-activity;sid:84702468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soa/1.jpg"; depth:10; endswith; nocase; http.host; content:"sdlxmetal.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839369/; classtype:trojan-activity;sid:84702469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/ambdami.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839366/; classtype:trojan-activity;sid:84702466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/emfbgio.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839367/; 
classtype:trojan-activity;sid:84702467; rev:1;)
# NOTE(review): the github.com entries below use the http app-layer buffers,
# which are only populated from HTTP the sensor can parse. github.com is
# normally reached over TLS, so these are unlikely to fire unless traffic is
# decrypted before it reaches the sensor - TODO confirm for this deployment.
# The indicator is the repository path, not the host, so host-level matching
# would not be an equivalent replacement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/ibamkbk.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839365/; classtype:trojan-activity;sid:84702465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/ciohora.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839361/; classtype:trojan-activity;sid:84702461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/ckgropb.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839362/; classtype:trojan-activity;sid:84702462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/dojfbeo.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839363/; classtype:trojan-activity;sid:84702463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setup.msi"; depth:10; endswith; nocase; http.host; content:"193.233.198.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839364/; classtype:trojan-activity;sid:84702464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/bppsffp.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839359/; classtype:trojan-activity;sid:84702459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/porkiporki362-web/datess/blob/main/fignkeg.txt"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839360/; classtype:trojan-activity;sid:84702460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ioflow.vertexshifthub.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839358/; classtype:trojan-activity;sid:84702458; rev:1;)
# NOTE(review): the "/bin.sh" entries below are keyed on a bare IPv4 host and a
# very short path. The host is matched exactly (depth + isdataat:!1,relative),
# so the short path is not a false-positive risk on its own, but such
# indicators tend to age quickly - presumably the feed retires them; confirm
# the ruleset is refreshed on a schedule rather than pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.149.82.89"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839357/; classtype:trojan-activity;sid:84702457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.117.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839356/; classtype:trojan-activity;sid:84702456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"syncit.vertexpointlinknet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839355/; classtype:trojan-activity;sid:84702455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"178.141.30.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839354/; classtype:trojan-activity;sid:84702454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"taskid.vertexshifthub.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839353/; classtype:trojan-activity;sid:84702453; rev:1;)
# NOTE(review): sid 84702452 and sid 84702451 below have identical match
# conditions (same URI, same host), so a single request raises both alerts.
# The two URLhaus entries presumably differ in a field the rule does not
# encode - confirm against the references before suppressing one locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"doclab.masterhypernodehub.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839352/; classtype:trojan-activity;sid:84702452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"doclab.masterhypernodehub.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839351/; classtype:trojan-activity;sid:84702451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"envset.masterhypernodehub.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839350/; classtype:trojan-activity;sid:84702450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"comweb.vertexshifthub.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839349/; classtype:trojan-activity;sid:84702449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"124.133.93.245"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839348/; classtype:trojan-activity;sid:84702448; rev:1;)
# NOTE(review): sid 84702447 and sid 84702446 below have identical match
# conditions (same URI, same host), as do sid 84702440 and sid 84702439
# further down. One request therefore raises two alerts per pair. The paired
# URLhaus entries presumably differ in a field the rule does not encode -
# confirm against the references before suppressing one of each pair locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"refid.vertexshifthub.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839347/; classtype:trojan-activity;sid:84702447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"refid.vertexshifthub.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839346/; classtype:trojan-activity;sid:84702446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"bitkit.masterhypernodehub.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839345/; classtype:trojan-activity;sid:84702445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autbox.vertexshifthub.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839344/; classtype:trojan-activity;sid:84702444; rev:1;)
# NOTE(review): the "/i" and "/bin.sh" entries in this stretch are keyed on a
# bare IPv4 host. The same address can appear under both paths (45.234.9.227
# is listed for "/i" in sid 84702441 and for "/bin.sh" in sid 84702432), so
# alerts are best grouped by destination host during triage. Bare-IP
# indicators tend to age quickly; confirm the ruleset is refreshed on a
# schedule rather than pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.63.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839343/; classtype:trojan-activity;sid:84702443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"subcli.masterhypernodehub.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839342/; classtype:trojan-activity;sid:84702442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.234.9.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839341/; classtype:trojan-activity;sid:84702441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"domreg.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839340/; classtype:trojan-activity;sid:84702440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"domreg.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839339/; classtype:trojan-activity;sid:84702439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"lanhop.masterhypernodehub.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839338/; classtype:trojan-activity;sid:84702438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839337/; classtype:trojan-activity;sid:84702437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pwrlog.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839336/; classtype:trojan-activity;sid:84702436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"proxys.masterhypernodehub.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839335/; classtype:trojan-activity;sid:84702435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.235.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839334/; classtype:trojan-activity;sid:84702434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.232.13.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839333/; classtype:trojan-activity;sid:84702433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.234.9.227"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839332/; classtype:trojan-activity;sid:84702432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839331/; classtype:trojan-activity;sid:84702431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839328)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"optweb.ultratechstackweb.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839328/; classtype:trojan-activity;sid:84702428; rev:1;)
# NOTE(review): several signatures in this stretch come in pairs with identical
# match conditions (same URI, same host): sid 84702428 (completed on the line
# above) with sid 84702429, sid 84702427 with sid 84702426, and sid 84702415
# with sid 84702414. One request raises two alerts per pair. The paired
# URLhaus entries presumably differ in a field the rule does not encode -
# confirm against the references before suppressing one of each pair locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"optweb.ultratechstackweb.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839329/; classtype:trojan-activity;sid:84702429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"extnet.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839330/; classtype:trojan-activity;sid:84702430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pkgrun.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839327/; classtype:trojan-activity;sid:84702427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"usrgrp.ultratechstackweb.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839325/; classtype:trojan-activity;sid:84702425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pkgrun.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839326/; classtype:trojan-activity;sid:84702426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.10.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839324/; classtype:trojan-activity;sid:84702424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"modbus.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839323/; classtype:trojan-activity;sid:84702423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"vmlist.ultratechstackweb.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839322/; classtype:trojan-activity;sid:84702422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.88.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839321/; classtype:trojan-activity;sid:84702421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.80.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839320/; classtype:trojan-activity;sid:84702420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"sshpro.ultratechstackweb.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839319/; classtype:trojan-activity;sid:84702419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srcget.quantumlinkpoint.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839318/; classtype:trojan-activity;sid:84702418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.153.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839317/; classtype:trojan-activity;sid:84702417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"tcpcon.ultratechstackweb.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839316/; classtype:trojan-activity;sid:84702416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"uidmap.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839315/; classtype:trojan-activity;sid:84702415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"uidmap.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839314/; classtype:trojan-activity;sid:84702414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"110.36.23.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839313/; classtype:trojan-activity;sid:84702413; rev:1;)
# NOTE(review): two long URIs ("/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll" and
# "/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm") recur in this
# stretch across many different ".lat" hosts, with one signature per host.
# Each signature also requires an exact host match, so a host the feed has not
# listed yet is not covered by these rules. Searching HTTP or proxy logs for
# the URI alone is a reasonable complementary hunt - TODO confirm the feed
# does not already ship a host-independent variant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"netman.ultratechstackweb.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839312/; classtype:trojan-activity;sid:84702412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ftpsrv.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839311/; classtype:trojan-activity;sid:84702411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.88.46"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839310/; classtype:trojan-activity;sid:84702410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.153.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839309/; classtype:trojan-activity;sid:84702409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.57.168"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839308/; classtype:trojan-activity;sid:84702408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"libsys.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839307/; classtype:trojan-activity;sid:84702407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"syskey.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839306/; classtype:trojan-activity;sid:84702406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"jobadm.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839305/; classtype:trojan-activity;sid:84702405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.130.77.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839304/; classtype:trojan-activity;sid:84702404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839303/; classtype:trojan-activity;sid:84702403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"webdoc.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839302/; classtype:trojan-activity;sid:84702402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.209.88.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839301/; classtype:trojan-activity;sid:84702401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.113.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839300/; classtype:trojan-activity;sid:84702400; rev:1;)
# NOTE(review): sid 84702398 and sid 84702399 below have identical match
# conditions (same URI, same host), so a single request raises both alerts.
# The two URLhaus entries presumably differ in a field the rule does not
# encode - confirm against the references before suppressing one locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdat.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839298/; classtype:trojan-activity;sid:84702398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdat.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839299/; classtype:trojan-activity;sid:84702399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"appsrc.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839297/; classtype:trojan-activity;sid:84702397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"logbin.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839296/; classtype:trojan-activity;sid:84702396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839295)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"logbin.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839295/; classtype:trojan-activity;sid:84702395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.57.168"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839294/; classtype:trojan-activity;sid:84702394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"zipark.infinitydatagrid.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839293/; classtype:trojan-activity;sid:84702393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839292/; classtype:trojan-activity;sid:84702392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"apiops.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 
2026_05_05; reference:url, urlhaus.abuse.ch/url/3839291/; classtype:trojan-activity;sid:84702391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"osbase.cyberlogicspace.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839290/; classtype:trojan-activity;sid:84702390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.116.55.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839289/; classtype:trojan-activity;sid:84702389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"metalt.cyberlogicspace.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839288/; classtype:trojan-activity;sid:84702388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"gitlab.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839287/; classtype:trojan-activity;sid:84702387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3839286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kiss-m0dem-defndr-myrai-sdf934/kwtor.dll"; depth:41; endswith; nocase; http.host; content:"gitlab.primevortextechbox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839286/; classtype:trojan-activity;sid:84702386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.108.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839285/; classtype:trojan-activity;sid:84702385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidoc.cyberlogicspace.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839284/; classtype:trojan-activity;sid:84702384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidoc.cyberlogicspace.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839283/; classtype:trojan-activity;sid:84702383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839282)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"modbus.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839282/; classtype:trojan-activity;sid:84702382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"modbus.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839281/; classtype:trojan-activity;sid:84702381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dbinst.cyberlogicspace.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839280/; classtype:trojan-activity;sid:84702380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.127.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839279/; classtype:trojan-activity;sid:84702379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; 
content:"srcget.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839278/; classtype:trojan-activity;sid:84702378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"srcget.quantummetadatabox.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839277/; classtype:trojan-activity;sid:84702377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"skyvpn.cyberlogicspace.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839276/; classtype:trojan-activity;sid:84702376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.179.216.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839275/; classtype:trojan-activity;sid:84702375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cmdset.cyberlogicspace.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3839274/; classtype:trojan-activity;sid:84702374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"uidmap.cryptoshiftgridsys.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839273/; classtype:trojan-activity;sid:84702373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.108.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839272/; classtype:trojan-activity;sid:84702372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.114.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839271/; classtype:trojan-activity;sid:84702371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ftpsrv.cryptoshiftgridsys.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839270/; classtype:trojan-activity;sid:84702370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839269)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ftpsrv.cryptoshiftgridsys.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839269/; classtype:trojan-activity;sid:84702369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tmpdir.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839268/; classtype:trojan-activity;sid:84702368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"libsys.cryptoshiftgridsys.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839267/; classtype:trojan-activity;sid:84702367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshbin.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839266/; classtype:trojan-activity;sid:84702366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839265)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshbin.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839265/; classtype:trojan-activity;sid:84702365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.127.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839264/; classtype:trojan-activity;sid:84702364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"jobadm.cryptoshiftgridsys.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839263/; classtype:trojan-activity;sid:84702363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sslkey.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839262/; classtype:trojan-activity;sid:84702362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; 
content:"sslkey.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839261/; classtype:trojan-activity;sid:84702361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.204.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839260/; classtype:trojan-activity;sid:84702360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"getcfg.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839259/; classtype:trojan-activity;sid:84702359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"122.156.143.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839258/; classtype:trojan-activity;sid:84702358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"rawdat.cryptoshiftgridsys.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839257/; classtype:trojan-activity;sid:84702357; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ipnode.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839256/; classtype:trojan-activity;sid:84702356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.149.255"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839254/; classtype:trojan-activity;sid:84702354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.146.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839255/; classtype:trojan-activity;sid:84702355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.193.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839252/; classtype:trojan-activity;sid:84702352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; 
http.host; content:"zipark.cryptoshiftgridsys.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839253/; classtype:trojan-activity;sid:84702353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.239.190"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839251/; classtype:trojan-activity;sid:84702351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"osbase.logicflowspacehub.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839250/; classtype:trojan-activity;sid:84702350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"220.184.22.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839249/; classtype:trojan-activity;sid:84702349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"hotfix.securestreamnode.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839248/; classtype:trojan-activity;sid:84702348; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"metalt.logicflowspacehub.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839247/; classtype:trojan-activity;sid:84702347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.173.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839246/; classtype:trojan-activity;sid:84702346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"winupd.technoglobalnet.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839245/; classtype:trojan-activity;sid:84702345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"apidoc.logicflowspacehub.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839244/; classtype:trojan-activity;sid:84702344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839243)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"topsvc.technoglobalnet.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839243/; classtype:trojan-activity;sid:84702343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"dbinst.logicflowspacehub.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839242/; classtype:trojan-activity;sid:84702342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.149.255"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839241/; classtype:trojan-activity;sid:84702341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"devbox.technoglobalnet.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839240/; classtype:trojan-activity;sid:84702340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; 
depth:58; endswith; nocase; http.host; content:"skyvpn.logicflowspacehub.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839239/; classtype:trojan-activity;sid:84702339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.136.87.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839238/; classtype:trojan-activity;sid:84702338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vpsrun.technoglobalnet.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839237/; classtype:trojan-activity;sid:84702337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"cmdset.logicflowspacehub.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839236/; classtype:trojan-activity;sid:84702336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dnsapi.technoglobalnet.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3839235/; classtype:trojan-activity;sid:84702335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"tmpdir.extremesecureline.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839234/; classtype:trojan-activity;sid:84702334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.77.248.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839233/; classtype:trojan-activity;sid:84702333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"applog.technoglobalnet.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839232/; classtype:trojan-activity;sid:84702332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sshbin.extremesecureline.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839231/; classtype:trojan-activity;sid:84702331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3839230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.53.159.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839230/; classtype:trojan-activity;sid:84702330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cdnpro.digitalcloudsys.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839229/; classtype:trojan-activity;sid:84702329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.126.13.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839228/; classtype:trojan-activity;sid:84702328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sslkey.extremesecureline.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839227/; classtype:trojan-activity;sid:84702327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.136.136"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839226/; classtype:trojan-activity;sid:84702326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.28.176.153"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839225/; classtype:trojan-activity;sid:84702325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"getcfg.extremesecureline.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839224/; classtype:trojan-activity;sid:84702324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.107.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839223/; classtype:trojan-activity;sid:84702323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitly.digitalcloudsys.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839222/; classtype:trojan-activity;sid:84702322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3839221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.136.87.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839221/; classtype:trojan-activity;sid:84702321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.126.13.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839220/; classtype:trojan-activity;sid:84702320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ipnode.extremesecureline.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839219/; classtype:trojan-activity;sid:84702319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sysops.digitalcloudsys.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839218/; classtype:trojan-activity;sid:84702318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839217/; classtype:trojan-activity;sid:84702317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.53.159.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839216/; classtype:trojan-activity;sid:84702316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webcpu.digitalcloudsys.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839215/; classtype:trojan-activity;sid:84702315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webcpu.digitalcloudsys.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839214/; classtype:trojan-activity;sid:84702314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"hotfix.extremesecureline.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839213/; 
classtype:trojan-activity;sid:84702313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"hotfix.extremesecureline.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839212/; classtype:trojan-activity;sid:84702312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"winupd.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839211/; classtype:trojan-activity;sid:84702311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"winupd.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839210/; classtype:trojan-activity;sid:84702310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.64.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839209/; classtype:trojan-activity;sid:84702309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3839208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netfox.digitalcloudsys.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839208/; classtype:trojan-activity;sid:84702308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.203.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839207/; classtype:trojan-activity;sid:84702307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.246.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839206/; classtype:trojan-activity;sid:84702306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"108.57.48.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839205/; classtype:trojan-activity;sid:84702305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"topsvc.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; 
metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839204/; classtype:trojan-activity;sid:84702304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/hcwzsz9.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839201/; classtype:trojan-activity;sid:84702301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/7hlvvgn.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839202/; classtype:trojan-activity;sid:84702302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public_files/mvtyuyb.txt"; depth:25; endswith; nocase; http.host; content:"62.60.226.200"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839203/; classtype:trojan-activity;sid:84702303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvhub.digitalcloudsys.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839200/; classtype:trojan-activity;sid:84702300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3839199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"gitlab.faro7qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839199/; classtype:trojan-activity;sid:84702299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"devbox.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839198/; classtype:trojan-activity;sid:84702298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"devbox.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839197/; classtype:trojan-activity;sid:84702297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verifedd"; depth:9; endswith; nocase; http.host; content:"193.233.198.176"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839196/; classtype:trojan-activity;sid:84702296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"108.57.48.104"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839195/; classtype:trojan-activity;sid:84702295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"vpsrun.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839194/; classtype:trojan-activity;sid:84702294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.64.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839192/; classtype:trojan-activity;sid:84702292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.246.101"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839193/; classtype:trojan-activity;sid:84702293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apiops.faro7qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839191/; classtype:trojan-activity;sid:84702291; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"dnsapi.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839190/; classtype:trojan-activity;sid:84702290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.exe"; depth:6; endswith; nocase; http.host; content:"mecatrankil.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839189/; classtype:trojan-activity;sid:84702289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chrome_144.exe"; depth:15; endswith; nocase; http.host; content:"mecatrankil.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839188/; classtype:trojan-activity;sid:84702288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"dnsapi.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839187/; classtype:trojan-activity;sid:84702287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839186)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"logbin.faro7qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839186/; classtype:trojan-activity;sid:84702286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"applog.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839185/; classtype:trojan-activity;sid:84702285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"applog.smartcloudstorageset.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839184/; classtype:trojan-activity;sid:84702284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appsrc.faro7qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839183/; classtype:trojan-activity;sid:84702283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; 
endswith; nocase; http.host; content:"cdnpro.globaldatanetworksys.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839182/; classtype:trojan-activity;sid:84702282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.140.185.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839181/; classtype:trojan-activity;sid:84702281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"bitly.globaldatanetworksys.lat"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839180/; classtype:trojan-activity;sid:84702280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webdoc.faro7qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839179/; classtype:trojan-activity;sid:84702279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syskey.faro7qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3839178/; classtype:trojan-activity;sid:84702278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sysops.globaldatanetworksys.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839177/; classtype:trojan-activity;sid:84702277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netman.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839176/; classtype:trojan-activity;sid:84702276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netman.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839175/; classtype:trojan-activity;sid:84702275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"webcpu.globaldatanetworksys.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839174/; classtype:trojan-activity;sid:84702274; rev:1;) 
# Reading these rules: each one alerts on an established client-to-server HTTP
# request from $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET",
# whose http.uri equals the listed path (content length == depth, plus
# endswith; nocase) and whose http.host equals the listed host (depth plus
# isdataat:!1,relative leaves no room for extra bytes).
# Coverage notes for whoever deploys this:
#  - These are exact-match indicators on traffic Suricata parses as HTTP; a
#    fetch of the same URL over TLS is not inspected here unless it is
#    decrypted upstream, so pair the hosts with DNS / TLS SNI / proxy-log
#    lookups.
#  - Some adjacent entries carry identical match conditions under different
#    sids (e.g. 84702276 and 84702275), so one request can raise two alerts;
#    presumably the URLhaus entries differ in scheme or port, which the rule
#    does not encode - confirm on the referenced URLhaus pages and dedupe
#    downstream.
#  - Several hosts are IP literals; check metadata:created_at when triaging,
#    since an address may no longer serve the listed path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.ps1"; depth:12; endswith; nocase; http.host; content:"pureclaw-biz.purepage.one"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839173/; classtype:trojan-activity;sid:84702273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.sh"; depth:11; endswith; nocase; http.host; content:"pureclaw-biz.purepage.one"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839172/; classtype:trojan-activity;sid:84702272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"netfox.globaldatanetworksys.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839171/; classtype:trojan-activity;sid:84702271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.176.241"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839170/; classtype:trojan-activity;sid:84702270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839169)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tcpcon.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839169/; classtype:trojan-activity;sid:84702269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clubcampestrededurango.zip"; depth:27; endswith; nocase; http.host; content:"clubcampestrededurango.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839168/; classtype:trojan-activity;sid:84702268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshpro.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839167/; classtype:trojan-activity;sid:84702267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"srvhub.globaldatanetworksys.lat"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839166/; classtype:trojan-activity;sid:84702266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; 
content:"sshpro.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839165/; classtype:trojan-activity;sid:84702265; rev:1;)
# How to read the rules below (they all follow one template):
#   - `alert http $HOME_NET any -> $EXTERNAL_NET any` with `flow:established,from_client`:
#     only client requests that Suricata parses as HTTP are inspected, so the same download
#     fetched over TLS is not matched unless traffic is decrypted upstream of the sensor.
#   - `http.uri; content:"<path>"; depth:<n>; endswith; nocase;` where <n> is the length of
#     <path>: the pattern is pinned to both the start and the end of the buffer, so the
#     request URI must equal <path> (case-insensitively). Another path on the same host, or
#     the same path with a query string appended, does not match.
#   - `http.host; content:"<host>"; depth:<n>; isdataat:!1,relative;` likewise requires the
#     host buffer to equal <host> with no data after it.
#   - `http.method; content:"GET";` carries no depth/endswith, so it is a substring test.
# Some entries repeat the same host and URI under different sids (84702229/84702227,
# 84702228/84702226, 84702216/84702215, 84702199/84702200, 84702194/84702193,
# 84702188/84702187): one matching request raises two alerts, so deduplicate on
# host + URI when triaging.
# NOTE(review): many hosts are bare IPv4 addresses with created_at 2026_05_05; confirm the
# current status on the referenced URLhaus entry before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/g1jzdce.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839164/; classtype:trojan-activity;sid:84702264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/ljylfoz.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839156/; classtype:trojan-activity;sid:84702256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/mario/random.exe"; depth:23; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839157/; classtype:trojan-activity;sid:84702257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8486657653/qlnwgmz.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839158/; classtype:trojan-activity;sid:84702258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/0kdscaq.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839159/; classtype:trojan-activity;sid:84702259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6099399783/8b7bebr.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839160/; classtype:trojan-activity;sid:84702260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/ta7alrm.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839161/; classtype:trojan-activity;sid:84702261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/csy5cn4.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839162/; classtype:trojan-activity;sid:84702262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/oyvkqip.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839163/; classtype:trojan-activity;sid:84702263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/la2lgm7.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839155/; classtype:trojan-activity;sid:84702255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/m0tnsci.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839147/; classtype:trojan-activity;sid:84702247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/j7qvkqe.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839148/; classtype:trojan-activity;sid:84702248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/lnzq0q9.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839149/; classtype:trojan-activity;sid:84702249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/7fo0cfp.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839150/; classtype:trojan-activity;sid:84702250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/krdojq1.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839151/; classtype:trojan-activity;sid:84702251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/aavdtgl.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839152/; classtype:trojan-activity;sid:84702252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8486657653/epwswys.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839153/; classtype:trojan-activity;sid:84702253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/6081785963/f32txki.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839154/; classtype:trojan-activity;sid:84702254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/2038862353/h1tiruy.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839146/; classtype:trojan-activity;sid:84702246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"gitlab.verdi7rax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839145/; classtype:trojan-activity;sid:84702245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.90.191.103"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839144/; classtype:trojan-activity;sid:84702244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vmlist.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839143/; classtype:trojan-activity;sid:84702243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"apiops.verdi7rax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839142/; classtype:trojan-activity;sid:84702242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"usrgrp.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839141/; classtype:trojan-activity;sid:84702241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.141.166.195"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839140/; classtype:trojan-activity;sid:84702240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"optweb.xena4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839139/; classtype:trojan-activity;sid:84702239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"logbin.verdi7rax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839138/; classtype:trojan-activity;sid:84702238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.67.80.43"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839137/; classtype:trojan-activity;sid:84702237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"proxys.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839136/; classtype:trojan-activity;sid:84702236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"appsrc.verdi7rax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839135/; classtype:trojan-activity;sid:84702235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.90.191.103"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839134/; classtype:trojan-activity;sid:84702234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"lanhop.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839133/; classtype:trojan-activity;sid:84702233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"webdoc.verdi7rax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839132/; classtype:trojan-activity;sid:84702232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.240.53.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839131/; classtype:trojan-activity;sid:84702231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.97.184.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839130/; classtype:trojan-activity;sid:84702230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"subcli.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839128/; classtype:trojan-activity;sid:84702228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"syskey.verdi7rax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839129/; classtype:trojan-activity;sid:84702229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"syskey.verdi7rax.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839127/; classtype:trojan-activity;sid:84702227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"subcli.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839126/; classtype:trojan-activity;sid:84702226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.6.226"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839125/; classtype:trojan-activity;sid:84702225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.70.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839124/; classtype:trojan-activity;sid:84702224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.25.169"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839123/; classtype:trojan-activity;sid:84702223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.98.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839122/; classtype:trojan-activity;sid:84702222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitkit.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839121/; classtype:trojan-activity;sid:84702221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"netman.flen3qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839120/; classtype:trojan-activity;sid:84702220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.24.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839119/; classtype:trojan-activity;sid:84702219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.70.8"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839118/; classtype:trojan-activity;sid:84702218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.240.53.77"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839117/; classtype:trojan-activity;sid:84702217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envset.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839116/; classtype:trojan-activity;sid:84702216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envset.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839115/; classtype:trojan-activity;sid:84702215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"tcpcon.flen3qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839114/; classtype:trojan-activity;sid:84702214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sshpro.flen3qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839113/; classtype:trojan-activity;sid:84702213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"doclab.gavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839112/; classtype:trojan-activity;sid:84702212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"202.97.184.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839111/; classtype:trojan-activity;sid:84702211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"vmlist.flen3qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839110/; classtype:trojan-activity;sid:84702210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syncit.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839109/; classtype:trojan-activity;sid:84702209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.98.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839108/; classtype:trojan-activity;sid:84702208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.250.229"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839107/; classtype:trojan-activity;sid:84702207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.82.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839106/; classtype:trojan-activity;sid:84702206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"usrgrp.flen3qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839105/; classtype:trojan-activity;sid:84702205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.189.238.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839104/; classtype:trojan-activity;sid:84702204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ioflow.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839103/; classtype:trojan-activity;sid:84702203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.17.24.76"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839102/; classtype:trojan-activity;sid:84702202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.6.32.18"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839101/; classtype:trojan-activity;sid:84702201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"taskid.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839099/; classtype:trojan-activity;sid:84702199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"taskid.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839100/; classtype:trojan-activity;sid:84702200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"optweb.flen3qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839098/; classtype:trojan-activity;sid:84702198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.104.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839097/; classtype:trojan-activity;sid:84702197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.176.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839096/; classtype:trojan-activity;sid:84702196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"proxys.grov6lira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839095/; classtype:trojan-activity;sid:84702195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"comweb.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839094/; classtype:trojan-activity;sid:84702194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"comweb.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839093/; classtype:trojan-activity;sid:84702193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.250.229"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839092/; classtype:trojan-activity;sid:84702192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"lanhop.grov6lira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839091/; classtype:trojan-activity;sid:84702191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839090/; classtype:trojan-activity;sid:84702190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"refid.brix9mira.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839089/; classtype:trojan-activity;sid:84702189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autbox.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839088/; classtype:trojan-activity;sid:84702188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autbox.brix9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839087/; classtype:trojan-activity;sid:84702187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"domreg.telo5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839086/; classtype:trojan-activity;sid:84702186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"subcli.grov6lira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839085/; classtype:trojan-activity;sid:84702185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"bitkit.grov6lira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839084/; classtype:trojan-activity;sid:84702184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"envset.grov6lira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839083/; classtype:trojan-activity;sid:84702183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pwrlog.telo5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839082/; classtype:trojan-activity;sid:84702182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"extnet.telo5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839081/; classtype:trojan-activity;sid:84702181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839080/; classtype:trojan-activity;sid:84702180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"doclab.grov6lira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839079/; classtype:trojan-activity;sid:84702179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pkgrun.telo5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839078/; classtype:trojan-activity;sid:84702178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"syncit.pavi1xen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839077/; classtype:trojan-activity;sid:84702177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.43.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839076/; classtype:trojan-activity;sid:84702176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.148.198.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839075/; classtype:trojan-activity;sid:84702175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"modbus.telo5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839074/; classtype:trojan-activity;sid:84702174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ioflow.pavi1xen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839073/; classtype:trojan-activity;sid:84702173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.165.185.153"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839072/; classtype:trojan-activity;sid:84702172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"taskid.pavi1xen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839071/; classtype:trojan-activity;sid:84702171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srcget.telo5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839070/; classtype:trojan-activity;sid:84702170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"uidmap.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839069/; classtype:trojan-activity;sid:84702169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"comweb.pavi1xen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839068/; 
classtype:trojan-activity;sid:84702168; rev:1;)
# --- review notes for the rules in this section ---------------------------------
# The line above is the tail of a rule that begins before this section, and the
# last line is the head of one that continues after it; both are left as found.
#
# Each rule matches one exact URL on a client request: http.method containing "GET",
# http.uri equal to the listed path (depth = string length, endswith, nocase) and
# http.host equal to the listed name or address (depth = string length,
# isdataat:!1,relative), from $HOME_NET to $EXTERNAL_NET on an established flow.
#
# The match is on the request only: a hit shows that an internal client asked for
# the URL, not that a file was delivered. Confirm delivery from the response / file
# records of the same flow before scoping the incident.
# ---------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.141.43.192"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839067/; classtype:trojan-activity;sid:84702167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.185.188.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839066/; classtype:trojan-activity;sid:84702166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.109.211.168"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839065/; classtype:trojan-activity;sid:84702165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"refid.pavi1xen.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839064/; classtype:trojan-activity;sid:84702164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.224.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839063/; classtype:trojan-activity;sid:84702163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ftpsrv.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839062/; classtype:trojan-activity;sid:84702162; rev:1;)
# sids 84702136-84702161 (the 26 rules from here to the end of this section, in feed
# order): files named /d/akido.<suffix>, with suffixes that read as CPU architecture
# labels (arm, arm5, arm6, arm7, mips, mpsl, ppc, sh4, spc, m68k, arc, x86, x86_64).
# Each name is listed twice, once for host 92.88.98.199 and once for
# 199.98.88.92.rev.sfr.net.
# NOTE(review): the hostname looks like the reverse-DNS name of that address (octets
# reversed) - confirm before treating the two as one server.
# For triage, the suffix in the requested name is a hint about the kind of device
# that made the request; check the client against the asset inventory.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.sh4"; depth:12; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839061/; classtype:trojan-activity;sid:84702161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.ppc"; depth:12; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839059/; classtype:trojan-activity;sid:84702159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.mips"; depth:13; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839060/; classtype:trojan-activity;sid:84702160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.x86"; depth:12; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839056/; classtype:trojan-activity;sid:84702156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm7"; depth:13; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839057/; classtype:trojan-activity;sid:84702157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.x86_64"; depth:15; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839058/; classtype:trojan-activity;sid:84702158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm7"; depth:13; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839055/; classtype:trojan-activity;sid:84702155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm6"; depth:13; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839052/; classtype:trojan-activity;sid:84702152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.ppc"; depth:12; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839053/; classtype:trojan-activity;sid:84702153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.x86"; depth:12; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839054/; classtype:trojan-activity;sid:84702154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.sh4"; depth:12; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839051/; classtype:trojan-activity;sid:84702151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm5"; depth:13; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839039/; classtype:trojan-activity;sid:84702139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.mpsl"; depth:13; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839040/; classtype:trojan-activity;sid:84702140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm5"; depth:13; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839041/; classtype:trojan-activity;sid:84702141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.spc"; depth:12; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839042/; classtype:trojan-activity;sid:84702142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.spc"; depth:12; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839043/; classtype:trojan-activity;sid:84702143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.mpsl"; depth:13; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839044/; classtype:trojan-activity;sid:84702144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arc"; depth:12; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839045/; classtype:trojan-activity;sid:84702145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.x86_64"; depth:15; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839046/; classtype:trojan-activity;sid:84702146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm6"; depth:13; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839047/; classtype:trojan-activity;sid:84702147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.m68k"; depth:13; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839048/; classtype:trojan-activity;sid:84702148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm"; depth:12; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839049/; classtype:trojan-activity;sid:84702149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arc"; depth:12; endswith; nocase; http.host; content:"199.98.88.92.rev.sfr.net"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839050/; classtype:trojan-activity;sid:84702150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.mips"; depth:13; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839036/; classtype:trojan-activity;sid:84702136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.m68k"; depth:13; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839037/; classtype:trojan-activity;sid:84702137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/akido.arm"; depth:12; endswith; nocase; http.host; content:"92.88.98.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839038/; classtype:trojan-activity;sid:84702138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839035)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"autbox.pavi1xen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839035/; classtype:trojan-activity;sid:84702135; rev:1;)
# --- review notes for the rules in this section ---------------------------------
# The line above is the tail of a rule that begins before this section, and the
# last line is the head of one that continues after it; both are left as found.
#
# Each rule matches one exact URL on a client request: http.method containing "GET",
# http.uri equal to the listed path (depth = string length, endswith, nocase) and
# http.host equal to the listed name or address (depth = string length,
# isdataat:!1,relative), from $HOME_NET to $EXTERNAL_NET on an established flow.
#
# Several pairs below carry different URLhaus ids and sids but identical match
# conditions (84702133/84702132, 84702127/84702128, 84702123/84702122,
# 84702121/84702120). One request raises both alerts of a pair, so count hits per
# flow rather than per alert.
# NOTE(review): the paired URLhaus entries presumably differ in something the rule
# does not encode (for example scheme or port) - check the referenced entries.
# ---------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.224.244.88"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839034/; classtype:trojan-activity;sid:84702134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"libsys.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839033/; classtype:trojan-activity;sid:84702133; rev:1;)
# Same host and URI as sid 84702133 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"libsys.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839032/; classtype:trojan-activity;sid:84702132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"domreg.sali8mor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839031/; classtype:trojan-activity;sid:84702131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"jobadm.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839030/; classtype:trojan-activity;sid:84702130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"pwrlog.sali8mor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839029/; classtype:trojan-activity;sid:84702129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdat.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839027/; classtype:trojan-activity;sid:84702127; rev:1;)
# Same host and URI as sid 84702127 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdat.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839028/; classtype:trojan-activity;sid:84702128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.168.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839026/; classtype:trojan-activity;sid:84702126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"extnet.sali8mor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839025/; classtype:trojan-activity;sid:84702125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"zipark.nira6qen.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839024/; classtype:trojan-activity;sid:84702124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"osbase.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839023/; classtype:trojan-activity;sid:84702123; rev:1;)
# Same host and URI as sid 84702123 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"osbase.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839022/; classtype:trojan-activity;sid:84702122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"pkgrun.sali8mor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839021/; classtype:trojan-activity;sid:84702121; rev:1;)
# Same host and URI as sid 84702121 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"pkgrun.sali8mor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839020/; classtype:trojan-activity;sid:84702120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.185.240.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839019/; classtype:trojan-activity;sid:84702119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"modbus.sali8mor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839018/; classtype:trojan-activity;sid:84702118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.168.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839017/; classtype:trojan-activity;sid:84702117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"metalt.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839016/; classtype:trojan-activity;sid:84702116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.92.150.57"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839015/; classtype:trojan-activity;sid:84702115; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.224.62"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839014/; classtype:trojan-activity;sid:84702114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3839013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidoc.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839013/; classtype:trojan-activity;sid:84702113; rev:1;)
# --- review notes for the rules in this section ---------------------------------
# The line above is the tail of a rule that begins before this section, and the
# last line is the head of one that continues after it; both are left as found.
#
# Each rule matches one exact URL on a client request: http.method containing "GET",
# http.uri equal to the listed path (depth = string length, endswith, nocase) and
# http.host equal to the listed name or address (depth = string length,
# isdataat:!1,relative), from $HOME_NET to $EXTERNAL_NET on an established flow.
#
# The short paths "/i" and "/bin.sh" are tied to one bare IP address per rule, so
# each rule stays specific to that address; a hit says nothing about the same path
# on any other host. Addresses in a dated feed can change hands - check the
# created_at date and the referenced URLhaus entry before acting on an old hit.
# ---------------------------------------------------------------------------------
# Same host and URI as sid 84702113 (the rule whose tail is the first line of this
# section): one matching request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidoc.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839012/; classtype:trojan-activity;sid:84702112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"srcget.sali8mor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839011/; classtype:trojan-activity;sid:84702111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.94.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839010/; classtype:trojan-activity;sid:84702110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dbinst.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839009/; classtype:trojan-activity;sid:84702109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"uidmap.thora5ven.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839008/; classtype:trojan-activity;sid:84702108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"skyvpn.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839007/; classtype:trojan-activity;sid:84702107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ftpsrv.thora5ven.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839006/; classtype:trojan-activity;sid:84702106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.70.142.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839005/; classtype:trojan-activity;sid:84702105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.51.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839004/; classtype:trojan-activity;sid:84702104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"libsys.thora5ven.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839003/; classtype:trojan-activity;sid:84702103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cmdset.pano2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839002/; classtype:trojan-activity;sid:84702102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.203.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839001/; classtype:trojan-activity;sid:84702101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3839000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"jobadm.thora5ven.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3839000/; classtype:trojan-activity;sid:84702100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.166.190"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838999/; classtype:trojan-activity;sid:84702099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.160.171.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838998/; classtype:trojan-activity;sid:84702098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"rawdat.thora5ven.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838997/; classtype:trojan-activity;sid:84702097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host;
content:"rawdat.thora5ven.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838996/; classtype:trojan-activity;sid:84702096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tmpdir.sora8lin.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838995/; classtype:trojan-activity;sid:84702095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.71.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838994/; classtype:trojan-activity;sid:84702094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshbin.sora8lin.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838993/; classtype:trojan-activity;sid:84702093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.150.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838992/; classtype:trojan-activity;sid:84702092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3838991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"zipark.thora5ven.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838991/; classtype:trojan-activity;sid:84702091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"osbase.nelo2qir.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838990/; classtype:trojan-activity;sid:84702090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sslkey.sora8lin.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838989/; classtype:trojan-activity;sid:84702089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"metalt.nelo2qir.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838988/; classtype:trojan-activity;sid:84702088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838987)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"getcfg.sora8lin.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838987/; classtype:trojan-activity;sid:84702087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.203.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838986/; classtype:trojan-activity;sid:84702086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.23.134.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838985/; classtype:trojan-activity;sid:84702085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ipnode.sora8lin.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838984/; classtype:trojan-activity;sid:84702084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.221.153"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3838983/; classtype:trojan-activity;sid:84702083; rev:1;)
# Layout note: complete rules below are written one per line (Suricata reads a
# rule from a single line unless it is continued with a trailing backslash).
# The first and last lines of this span are the tail and the head of rules
# that continue outside it and are left as found.
#
# Matching template shared by every rule here:
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client inspects client requests leaving $HOME_NET,
#     so coverage depends on HOME_NET being correct for the sensor.
#   - http.uri content + depth:<content length> + endswith + nocase is an
#     exact, case-insensitive match on the whole normalized URI: an indicator
#     for this one URL, not a pattern for similar URLs.
#   - http.host content + depth:<content length> + isdataat:!1,relative is an
#     exact match on the host buffer.
#   - The alert is raised on the request: it shows that a client asked for the
#     URL, not that a payload was returned or run. Confirm with HTTP response,
#     file or endpoint telemetry before treating the host as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"apidoc.nelo2qir.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838982/; classtype:trojan-activity;sid:84702082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.150.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838981/; classtype:trojan-activity;sid:84702081; rev:1;)
# sid 84702080: the URI content is only the two bytes "/i", so the rule's
# specificity comes entirely from the exact host match that follows it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.41.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838980/; classtype:trojan-activity;sid:84702080; rev:1;)
# From sid 84702068 on, the rules in this span share host 168.220.248.106 and
# the directory /payload/a6i3khk75wgf/; each rule pins one exact file name, so
# every file has its own sid. When triaging, group these alerts by source and
# destination host rather than by sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/o55b34pl01"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838968/; classtype:trojan-activity;sid:84702068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/ypjaz9m7zm"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838969/; classtype:trojan-activity;sid:84702069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/lvhzydmszg"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838970/; classtype:trojan-activity;sid:84702070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/xy5kfgbcmo"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838971/; classtype:trojan-activity;sid:84702071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/ot9mp1gqyi"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838972/; classtype:trojan-activity;sid:84702072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/vvaca2tezz"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, 
urlhaus.abuse.ch/url/3838973/; classtype:trojan-activity;sid:84702073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/byss13zs25"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838974/; classtype:trojan-activity;sid:84702074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/fh1087hgdz"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838975/; classtype:trojan-activity;sid:84702075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/kzvvrh7yxr"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838976/; classtype:trojan-activity;sid:84702076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/du58n7n20j"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838977/; classtype:trojan-activity;sid:84702077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838978)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/b49kz4atvj"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838978/; classtype:trojan-activity;sid:84702078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/lrniu3qql5"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838979/; classtype:trojan-activity;sid:84702079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/lt6hrf3f3y"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838966/; classtype:trojan-activity;sid:84702066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/v3c634hv2z"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838967/; classtype:trojan-activity;sid:84702067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/w4p2jw7oxl"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; 
reference:url, urlhaus.abuse.ch/url/3838963/; classtype:trojan-activity;sid:84702063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/68200rimlm"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838964/; classtype:trojan-activity;sid:84702064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/fkrh9nd7jk"; depth:32; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838965/; classtype:trojan-activity;sid:84702065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"dbinst.nelo2qir.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838961/; classtype:trojan-activity;sid:84702061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payload/a6i3khk75wgf/su9wyp.sh"; depth:31; endswith; nocase; http.host; content:"168.220.248.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838962/; classtype:trojan-activity;sid:84702062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3838960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"hotfix.sora8lin.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_05; reference:url, urlhaus.abuse.ch/url/3838960/; classtype:trojan-activity;sid:84702060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"skyvpn.nelo2qir.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838959/; classtype:trojan-activity;sid:84702059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"winupd.lumo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838958/; classtype:trojan-activity;sid:84702058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"cmdset.nelo2qir.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838957/; classtype:trojan-activity;sid:84702057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838956)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"topsvc.lumo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838956/; classtype:trojan-activity;sid:84702056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.160.171.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838955/; classtype:trojan-activity;sid:84702055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"183.23.134.230"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838954/; classtype:trojan-activity;sid:84702054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaws.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838953/; classtype:trojan-activity;sid:84702053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.223.142.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838952/; classtype:trojan-activity;sid:84702052; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"devbox.lumo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838951/; classtype:trojan-activity;sid:84702051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.166.212.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838950/; classtype:trojan-activity;sid:84702050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"tmpdir.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838949/; classtype:trojan-activity;sid:84702049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vpsrun.lumo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838948/; classtype:trojan-activity;sid:84702048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838947)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vpsrun.lumo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838947/; classtype:trojan-activity;sid:84702047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.mpsl"; depth:11; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838945/; classtype:trojan-activity;sid:84702045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.arm4"; depth:11; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838946/; classtype:trojan-activity;sid:84702046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sshbin.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838943/; classtype:trojan-activity;sid:84702043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dnsapi.lumo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; 
reference:url, urlhaus.abuse.ch/url/3838942/; classtype:trojan-activity;sid:84702042; rev:1;)
# Layout note: complete rules below are written one per line (Suricata reads a
# rule from a single line unless it is continued with a trailing backslash).
# The first and last lines of this span are the tail and the head of rules
# that continue outside it and are left as found.
#
# Matching template shared by every rule here:
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client inspects client requests leaving $HOME_NET,
#     so coverage depends on HOME_NET being correct for the sensor.
#   - http.uri content + depth:<content length> + endswith + nocase is an
#     exact, case-insensitive match on the whole normalized URI: an indicator
#     for this one URL, not a pattern for similar URLs.
#   - http.host content + depth:<content length> + isdataat:!1,relative is an
#     exact match on the host buffer.
#   - These are "alert http" rules, so the request has to be visible to the
#     HTTP parser. Whether the listed URLs are also served over TLS is not
#     shown in this file; check the referenced URLhaus entry.
#   - The alert is raised on the request: it shows that a client asked for the
#     URL, not that a payload was returned or run. Confirm with HTTP response,
#     file or endpoint telemetry before treating the host as compromised.
#
# sid 84702041 and sid 84702040 (two rules further down) have identical match
# options (same URI, same host sslkey.zori9vax.lat), so one matching request
# raises both alerts. Presumably the two URLhaus entries differ in something
# the rule does not encode (scheme or port) -- verify on the referenced
# URLhaus pages, and de-duplicate by source/host/URI when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sslkey.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838941/; classtype:trojan-activity;sid:84702041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"applog.lumo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838939/; classtype:trojan-activity;sid:84702039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sslkey.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838940/; classtype:trojan-activity;sid:84702040; rev:1;)
# sid 84702038 and sid 84702037 are another pair with identical match options
# (same URI, host getcfg.zori9vax.lat); the note on duplicate alerts above
# applies to them as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"getcfg.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838938/; classtype:trojan-activity;sid:84702038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"getcfg.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838937/; classtype:trojan-activity;sid:84702037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.223.142.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838936/; classtype:trojan-activity;sid:84702036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ipnode.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838935/; classtype:trojan-activity;sid:84702035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.195.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838934/; classtype:trojan-activity;sid:84702034; rev:1;)
# sid 84702033: the URI content is only the two bytes "/i", so the rule's
# specificity comes entirely from the exact host match that follows it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.12.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838933/; classtype:trojan-activity;sid:84702033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.116.56.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838932/; classtype:trojan-activity;sid:84702032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cdnpro.kira7vex.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838931/; classtype:trojan-activity;sid:84702031; rev:1;)
# sids 84702030, 84702029, 84702028, 84702027 and 84702025 share host
# 103.213.248.200 (sid 84702026 in between is for a different host). The
# "/xmrig_*" file names suggest cryptominer builds -- inferred from the names
# only; the referenced URLhaus entries carry the actual classification.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig_g"; depth:8; endswith; nocase; http.host; content:"103.213.248.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838930/; classtype:trojan-activity;sid:84702030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig_86"; depth:9; endswith; nocase; http.host; content:"103.213.248.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838929/; classtype:trojan-activity;sid:84702029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig_m"; depth:8; endswith; nocase; http.host; content:"103.213.248.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838928/; classtype:trojan-activity;sid:84702028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig_86c3"; depth:11; endswith; nocase; http.host; content:"103.213.248.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838927/; classtype:trojan-activity;sid:84702027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.245.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838926/; classtype:trojan-activity;sid:84702026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sex.sh"; depth:7; endswith; nocase; http.host; content:"103.213.248.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838925/; classtype:trojan-activity;sid:84702025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitly.kira7vex.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, 
urlhaus.abuse.ch/url/3838924/; classtype:trojan-activity;sid:84702024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.166.212.110"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838923/; classtype:trojan-activity;sid:84702023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"hotfix.zori9vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838920/; classtype:trojan-activity;sid:84702020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838921/; classtype:trojan-activity;sid:84702021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838922/; classtype:trojan-activity;sid:84702022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.arm5"; 
depth:11; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838918/; classtype:trojan-activity;sid:84702018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.mips"; depth:11; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838919/; classtype:trojan-activity;sid:84702019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.x86_64"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838915/; classtype:trojan-activity;sid:84702015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.m68k"; depth:11; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838916/; classtype:trojan-activity;sid:84702016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.x86_32"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838917/; classtype:trojan-activity;sid:84702017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.ppc"; depth:10; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838914/; classtype:trojan-activity;sid:84702014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.sh4"; depth:10; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838913/; classtype:trojan-activity;sid:84702013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.arm7"; depth:11; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838911/; classtype:trojan-activity;sid:84702011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.arm6"; depth:11; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838912/; classtype:trojan-activity;sid:84702012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/wget.sh"; depth:10; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838910/; 
classtype:trojan-activity;sid:84702010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sysops.kira7vex.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838909/; classtype:trojan-activity;sid:84702009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"winupd.mira4then.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838908/; classtype:trojan-activity;sid:84702008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"116.138.107.15"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838907/; classtype:trojan-activity;sid:84702007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.211.135"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838906/; classtype:trojan-activity;sid:84702006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838905)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.53.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838905/; classtype:trojan-activity;sid:84702005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.12.4"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838904/; classtype:trojan-activity;sid:84702004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"topsvc.mira4then.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838903/; classtype:trojan-activity;sid:84702003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webcpu.kira7vex.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838902/; classtype:trojan-activity;sid:84702002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"devbox.mira4then.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; 
reference:url, urlhaus.abuse.ch/url/3838901/; classtype:trojan-activity;sid:84702001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netfox.kira7vex.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838900/; classtype:trojan-activity;sid:84702000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.28.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838899/; classtype:trojan-activity;sid:84701999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.178.236.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838898/; classtype:trojan-activity;sid:84701998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"vpsrun.mira4then.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838897/; classtype:trojan-activity;sid:84701997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838896)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srvhub.kira7vex.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838896/; classtype:trojan-activity;sid:84701996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.6.32.18"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838895/; classtype:trojan-activity;sid:84701995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"dnsapi.mira4then.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838894/; classtype:trojan-activity;sid:84701994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"gitlab.coop-san.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838893/; classtype:trojan-activity;sid:84701993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.239.190"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838892/; classtype:trojan-activity;sid:84701992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.213.159.213"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838890/; classtype:trojan-activity;sid:84701990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.34.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838891/; classtype:trojan-activity;sid:84701991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.203.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838889/; classtype:trojan-activity;sid:84701989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.134.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838888/; classtype:trojan-activity;sid:84701988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"42.178.236.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838887/; classtype:trojan-activity;sid:84701987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"applog.mira4then.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838886/; classtype:trojan-activity;sid:84701986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apiops.coop-san.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838885/; classtype:trojan-activity;sid:84701985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"cdnpro.vexo7larn.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838884/; classtype:trojan-activity;sid:84701984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"logbin.coop-san.lat"; depth:19; isdataat:!1,relative; 
metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838883/; classtype:trojan-activity;sid:84701983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"bitly.vexo7larn.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838882/; classtype:trojan-activity;sid:84701982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.202.66.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838881/; classtype:trojan-activity;sid:84701981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.53.145"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838880/; classtype:trojan-activity;sid:84701980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"appsrc.coop-san.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838879/; classtype:trojan-activity;sid:84701979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3838878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sysops.vexo7larn.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838878/; classtype:trojan-activity;sid:84701978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.203.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838877/; classtype:trojan-activity;sid:84701977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webdoc.coop-san.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838876/; classtype:trojan-activity;sid:84701976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"webdoc.coop-san.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838875/; classtype:trojan-activity;sid:84701975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; 
endswith; nocase; http.host; content:"webcpu.vexo7larn.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838874/; classtype:trojan-activity;sid:84701974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syskey.coop-san.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838873/; classtype:trojan-activity;sid:84701973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"netfox.vexo7larn.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838872/; classtype:trojan-activity;sid:84701972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"netfox.vexo7larn.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838871/; classtype:trojan-activity;sid:84701971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"netman.decepdisor8anize.lat"; depth:27; isdataat:!1,relative; 
metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838870/; classtype:trojan-activity;sid:84701970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dck"; depth:4; endswith; nocase; http.host; content:"87.121.79.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838869/; classtype:trojan-activity;sid:84701969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"srvhub.vexo7larn.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838868/; classtype:trojan-activity;sid:84701968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"117.209.20.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838867/; classtype:trojan-activity;sid:84701967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"srvhub.vexo7larn.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838866/; classtype:trojan-activity;sid:84701966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838865/; classtype:trojan-activity;sid:84701965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tcpcon.decepdisor8anize.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838864/; classtype:trojan-activity;sid:84701964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"gitlab.barchon-virtue.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838863/; classtype:trojan-activity;sid:84701963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"apiops.barchon-virtue.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838862/; classtype:trojan-activity;sid:84701962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838861)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshpro.decepdisor8anize.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838861/; classtype:trojan-activity;sid:84701961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"vmlist.decepdisor8anize.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838860/; classtype:trojan-activity;sid:84701960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"logbin.barchon-virtue.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838859/; classtype:trojan-activity;sid:84701959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"usrgrp.decepdisor8anize.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838858/; classtype:trojan-activity;sid:84701958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; 
depth:58; endswith; nocase; http.host; content:"appsrc.barchon-virtue.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838857/; classtype:trojan-activity;sid:84701957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"appsrc.barchon-virtue.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838856/; classtype:trojan-activity;sid:84701956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.91.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838855/; classtype:trojan-activity;sid:84701955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"webdoc.barchon-virtue.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838854/; classtype:trojan-activity;sid:84701954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"optweb.decepdisor8anize.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; 
reference:url, urlhaus.abuse.ch/url/3838853/; classtype:trojan-activity;sid:84701953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.204.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838851/; classtype:trojan-activity;sid:84701951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.233.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838852/; classtype:trojan-activity;sid:84701952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"proxys.scooper5dabria.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838850/; classtype:trojan-activity;sid:84701950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"syskey.barchon-virtue.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838849/; classtype:trojan-activity;sid:84701949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838848)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"lanhop.scooper5dabria.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838848/; classtype:trojan-activity;sid:84701948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"lanhop.scooper5dabria.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838847/; classtype:trojan-activity;sid:84701947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"netman.other5epsis.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838846/; classtype:trojan-activity;sid:84701946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.55.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838845/; classtype:trojan-activity;sid:84701945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; 
endswith; nocase; http.host; content:"tcpcon.other5epsis.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838844/; classtype:trojan-activity;sid:84701944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"subcli.scooper5dabria.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838843/; classtype:trojan-activity;sid:84701943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sshpro.other5epsis.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838842/; classtype:trojan-activity;sid:84701942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitkit.scooper5dabria.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838841/; classtype:trojan-activity;sid:84701941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.200.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, 
urlhaus.abuse.ch/url/3838839/; classtype:trojan-activity;sid:84701939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.233.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838840/; classtype:trojan-activity;sid:84701940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"98.252.87.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838838/; classtype:trojan-activity;sid:84701938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.204.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838837/; classtype:trojan-activity;sid:84701937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"envset.scooper5dabria.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838836/; classtype:trojan-activity;sid:84701936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"123.14.248.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838835/; classtype:trojan-activity;sid:84701935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"doclab.scooper5dabria.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838834/; classtype:trojan-activity;sid:84701934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"vmlist.other5epsis.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838833/; classtype:trojan-activity;sid:84701933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.75.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838832/; classtype:trojan-activity;sid:84701932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.140.44.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838831/; classtype:trojan-activity;sid:84701931; rev:1;) 
# How to read the URLhaus rules in this feed (each "alert http ... rev:1;)" is
# one rule and belongs on a single line):
#  - flow:established,from_client with http.method content:"GET" restricts the
#    match to GET requests sent from $HOME_NET clients to $EXTERNAL_NET servers.
#  - http.uri content with depth:<n> plus endswith is an exact match of the
#    whole request URI: <n> equals the content length, so the content must
#    start at offset 0 and also end the buffer. nocase makes it
#    case-insensitive. A request that adds a query string does not match.
#  - http.host content with depth:<n> plus isdataat:!1,relative is likewise an
#    exact host match (nothing may follow the content), so a sibling subdomain
#    is only covered if it has its own rule.
#  - "alert http" inspects parsed cleartext HTTP; the same URL fetched over TLS
#    is not visible to these rules unless the traffic is decrypted upstream.
#  - In every rule shown, sid = URLhaus ID (in msg and reference) + 80863100;
#    the reference URL is the place to start when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"usrgrp.other5epsis.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838830/; classtype:trojan-activity;sid:84701930; rev:1;)
# NOTE(review): the next two rules (URLhaus 3838829 and 3838828) have identical
# match conditions (same URI, same host), so one matching request raises both
# sids. Presumably the two URLhaus entries differ in something these rules do
# not match on, such as scheme or port; confirm against the reference URLs and
# deduplicate or threshold the alerts downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syncit.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838829/; classtype:trojan-activity;sid:84701929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"syncit.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838828/; classtype:trojan-activity;sid:84701928; rev:1;)
# NOTE(review): IP-literal host with a two-byte URI ("/i"). The match is exact
# on both, but the indicator is only as durable as the address assignment;
# use metadata created_at when triaging and age out stale entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.71.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838827/; classtype:trojan-activity;sid:84701927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838826)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"optweb.other5epsis.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838826/; classtype:trojan-activity;sid:84701926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"optweb.other5epsis.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838825/; classtype:trojan-activity;sid:84701925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.75.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838824/; classtype:trojan-activity;sid:84701924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ioflow.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838822/; classtype:trojan-activity;sid:84701922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838823/; classtype:trojan-activity;sid:84701923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"proxys.cottonwat-bad.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838821/; classtype:trojan-activity;sid:84701921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.55.204"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838820/; classtype:trojan-activity;sid:84701920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"85.140.44.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838819/; classtype:trojan-activity;sid:84701919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"lanhop.cottonwat-bad.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838818/; classtype:trojan-activity;sid:84701918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3838817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"taskid.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838817/; classtype:trojan-activity;sid:84701917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"comweb.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838816/; classtype:trojan-activity;sid:84701916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"comweb.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838814/; classtype:trojan-activity;sid:84701914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"subcli.cottonwat-bad.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838815/; classtype:trojan-activity;sid:84701915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838813)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.248.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838813/; classtype:trojan-activity;sid:84701913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"refid.datingu1tra.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838812/; classtype:trojan-activity;sid:84701912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.176.203"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838811/; classtype:trojan-activity;sid:84701911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"bitkit.cottonwat-bad.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838810/; classtype:trojan-activity;sid:84701910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.71.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838809/; 
classtype:trojan-activity;sid:84701909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autbox.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838807/; classtype:trojan-activity;sid:84701907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"autbox.datingu1tra.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838808/; classtype:trojan-activity;sid:84701908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"envset.cottonwat-bad.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838806/; classtype:trojan-activity;sid:84701906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"domreg.shocked-darken.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838805/; classtype:trojan-activity;sid:84701905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3838802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"doclab.cottonwat-bad.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838802/; classtype:trojan-activity;sid:84701902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.184.236.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838803/; classtype:trojan-activity;sid:84701903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"domreg.shocked-darken.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838804/; classtype:trojan-activity;sid:84701904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.244.36.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838801/; classtype:trojan-activity;sid:84701901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"175.148.132.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838800/; classtype:trojan-activity;sid:84701900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pwrlog.shocked-darken.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838799/; classtype:trojan-activity;sid:84701899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"syncit.authorize5ilky.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838798/; classtype:trojan-activity;sid:84701898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.200.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838797/; classtype:trojan-activity;sid:84701897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ioflow.authorize5ilky.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838796/; 
classtype:trojan-activity;sid:84701896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"extnet.shocked-darken.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838795/; classtype:trojan-activity;sid:84701895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"176.65.139.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838794/; classtype:trojan-activity;sid:84701894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.8.107.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838793/; classtype:trojan-activity;sid:84701893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"pkgrun.shocked-darken.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838792/; classtype:trojan-activity;sid:84701892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838791)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"taskid.authorize5ilky.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838791/; classtype:trojan-activity;sid:84701891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"modbus.shocked-darken.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838788/; classtype:trojan-activity;sid:84701888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.244.36.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838789/; classtype:trojan-activity;sid:84701889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.194.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838790/; classtype:trojan-activity;sid:84701890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"comweb.authorize5ilky.lat"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_05_04; reference:url, urlhaus.abuse.ch/url/3838787/; classtype:trojan-activity;sid:84701887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"srcget.shocked-darken.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838786/; classtype:trojan-activity;sid:84701886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"refid.authorize5ilky.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838785/; classtype:trojan-activity;sid:84701885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.114.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838784/; classtype:trojan-activity;sid:84701884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"autbox.authorize5ilky.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838783/; classtype:trojan-activity;sid:84701883; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"uidmap.slothwhee1s.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838782/; classtype:trojan-activity;sid:84701882; rev:1;)
# Rule pattern used by every entry in this section (one rule per URLhaus entry, one rule per line):
#   - alert on HTTP from $HOME_NET to $EXTERNAL_NET, any port, client side of an established flow
#   - http.method must contain "GET"
#   - http.uri: content + depth equal to the content length + endswith, so the normalized URI
#     buffer has to equal the listed path (nocase makes the comparison case-insensitive);
#     a request that appends a query string or any other byte does not match
#   - http.host: content + depth equal to the content length + isdataat:!1,relative, so the
#     host buffer has to equal the listed name or IP literal
#   - msg and reference both carry the URLhaus entry id; in the rules shown here the sid is
#     that id plus 80863100
# NOTE(review): these are "alert http" rules, so they only fire on requests Suricata parses as
# HTTP; a fetch of the same URL over TLS is not covered unless traffic is decrypted upstream.
# NOTE(review): some rules below repeat the uri/host match of another rule and differ only in
# URLhaus id and sid, so one request raises two alerts. Presumably the URLhaus entries differ
# in something the rule does not encode (scheme or port) - confirm against the referenced
# entries before de-duplicating or thresholding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.28.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838780/; classtype:trojan-activity;sid:84701880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.122.232.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838781/; classtype:trojan-activity;sid:84701881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ftpsrv.slothwhee1s.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838779/; classtype:trojan-activity;sid:84701879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"domreg.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838778/; classtype:trojan-activity;sid:84701878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.194.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838777/; classtype:trojan-activity;sid:84701877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"pwrlog.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838776/; classtype:trojan-activity;sid:84701876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"libsys.slothwhee1s.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838775/; classtype:trojan-activity;sid:84701875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.217.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838774/; classtype:trojan-activity;sid:84701874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.8.107.22"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838773/; classtype:trojan-activity;sid:84701873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"jobadm.slothwhee1s.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838772/; classtype:trojan-activity;sid:84701872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"extnet.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838771/; classtype:trojan-activity;sid:84701871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.218.57.14"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838770/; classtype:trojan-activity;sid:84701870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.64.176"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838769/; classtype:trojan-activity;sid:84701869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"rawdat.slothwhee1s.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838766/; classtype:trojan-activity;sid:84701866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"pkgrun.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838767/; classtype:trojan-activity;sid:84701867; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838767 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"pkgrun.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838768/; classtype:trojan-activity;sid:84701868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"modbus.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838765/; classtype:trojan-activity;sid:84701865; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838765 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"modbus.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838764/; classtype:trojan-activity;sid:84701864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"zipark.slothwhee1s.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838763/; classtype:trojan-activity;sid:84701863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.226.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838762/; classtype:trojan-activity;sid:84701862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"srcget.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838761/; classtype:trojan-activity;sid:84701861; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838761 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"srcget.yellow-obdirk.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838760/; classtype:trojan-activity;sid:84701860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.226.173"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838759/; classtype:trojan-activity;sid:84701859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"osbase.bureauc-diachiha.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838758/; classtype:trojan-activity;sid:84701858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"metalt.bureauc-diachiha.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838757/; classtype:trojan-activity;sid:84701857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"uidmap.goldembr0idery.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838756/; classtype:trojan-activity;sid:84701856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.253.104.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838755/; classtype:trojan-activity;sid:84701855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"ftpsrv.goldembr0idery.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838754/; classtype:trojan-activity;sid:84701854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.250.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838753/; classtype:trojan-activity;sid:84701853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"apidoc.bureauc-diachiha.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838752/; classtype:trojan-activity;sid:84701852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.81.217.70"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838751/; classtype:trojan-activity;sid:84701851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.102.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838750/; classtype:trojan-activity;sid:84701850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"libsys.goldembr0idery.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838749/; classtype:trojan-activity;sid:84701849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/p6qauik.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838745/; classtype:trojan-activity;sid:84701845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/gmktiha.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838746/; classtype:trojan-activity;sid:84701846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/2fh2tbr.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838747/; classtype:trojan-activity;sid:84701847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8183300806/szm66qy.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838748/; classtype:trojan-activity;sid:84701848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"dbinst.bureauc-diachiha.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838744/; classtype:trojan-activity;sid:84701844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"jobadm.goldembr0idery.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838743/; classtype:trojan-activity;sid:84701843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.68.239"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838742/; classtype:trojan-activity;sid:84701842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"skyvpn.bureauc-diachiha.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838741/; classtype:trojan-activity;sid:84701841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"rawdat.goldembr0idery.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838740/; classtype:trojan-activity;sid:84701840; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838740 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"rawdat.goldembr0idery.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838739/; classtype:trojan-activity;sid:84701839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.114.213.208"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838738/; classtype:trojan-activity;sid:84701838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"cmdset.bureauc-diachiha.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838737/; classtype:trojan-activity;sid:84701837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.253.104.117"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838736/; classtype:trojan-activity;sid:84701836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"218.61.110.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838735/; classtype:trojan-activity;sid:84701835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"tmpdir.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838734/; classtype:trojan-activity;sid:84701834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"zipark.goldembr0idery.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838733/; classtype:trojan-activity;sid:84701833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.236.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838732/; classtype:trojan-activity;sid:84701832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshbin.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838731/; classtype:trojan-activity;sid:84701831; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838731 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sshbin.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838730/; classtype:trojan-activity;sid:84701830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"osbase.rollers-faced.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838729/; classtype:trojan-activity;sid:84701829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.238.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838728/; classtype:trojan-activity;sid:84701828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.195.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838727/; classtype:trojan-activity;sid:84701827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.92.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838726/; classtype:trojan-activity;sid:84701826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"sslkey.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838725/; classtype:trojan-activity;sid:84701825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.250.31"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838724/; classtype:trojan-activity;sid:84701824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"metalt.rollers-faced.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838723/; classtype:trojan-activity;sid:84701823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"apidoc.rollers-faced.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838722/; classtype:trojan-activity;sid:84701822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.58.92.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838721/; classtype:trojan-activity;sid:84701821; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838722 two rules above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"apidoc.rollers-faced.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838720/; classtype:trojan-activity;sid:84701820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"getcfg.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838719/; classtype:trojan-activity;sid:84701819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"dbinst.rollers-faced.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838718/; classtype:trojan-activity;sid:84701818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"ipnode.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838717/; classtype:trojan-activity;sid:84701817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.162.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838716/; classtype:trojan-activity;sid:84701816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.237.17.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838715/; classtype:trojan-activity;sid:84701815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.61.110.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838714/; classtype:trojan-activity;sid:84701814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.236.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838713/; classtype:trojan-activity;sid:84701813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"skyvpn.rollers-faced.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838712/; classtype:trojan-activity;sid:84701812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"hotfix.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838711/; classtype:trojan-activity;sid:84701811; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838711 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"hotfix.potion5vealy.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838710/; classtype:trojan-activity;sid:84701810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.238.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838709/; classtype:trojan-activity;sid:84701809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"bitfox.quirky-shedding.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838708/; classtype:trojan-activity;sid:84701808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"cmdset.rollers-faced.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838707/; classtype:trojan-activity;sid:84701807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8212392349/ksgiucn.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838706/; classtype:trojan-activity;sid:84701806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/yosef/random.exe"; depth:23; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838705/; classtype:trojan-activity;sid:84701805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"topsvc.quirky-shedding.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838704/; classtype:trojan-activity;sid:84701804; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838704 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"topsvc.quirky-shedding.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838703/; classtype:trojan-activity;sid:84701803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"tmpdir.pas5eruharsky.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838702/; classtype:trojan-activity;sid:84701802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.120.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838701/; classtype:trojan-activity;sid:84701801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"opsmgr.quirky-shedding.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838700/; classtype:trojan-activity;sid:84701800; rev:1;)
# Same uri/host match as the rule for URLhaus id 3838700 above; only the id and sid differ.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; content:"opsmgr.quirky-shedding.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838699/; classtype:trojan-activity;sid:84701799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sshbin.pas5eruharsky.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838698/; classtype:trojan-activity;sid:84701798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.162.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838697/; classtype:trojan-activity;sid:84701797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/klpq2ia-77q9xy8b-kiew9b-vkd6-8aiuqtv/access-id9245.filter"; depth:58; endswith; nocase; http.host; content:"sslkey.pas5eruharsky.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838696/; classtype:trojan-activity;sid:84701796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh5hne-c8b9b4-sskjy-znq2k2of-ybay3z/usr294-verif.confirm"; depth:57; endswith; nocase; http.host; 
content:"cpupro.quirky-shedding.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838695/; classtype:trojan-activity;sid:84701795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.23.132.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838694/; classtype:trojan-activity;sid:84701794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.203.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838693/; classtype:trojan-activity;sid:84701793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.94.31.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838692/; classtype:trojan-activity;sid:84701792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.120.80"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838691/; classtype:trojan-activity;sid:84701791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838690)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vpsrun.quirky-shedding.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838690/; classtype:trojan-activity;sid:84701790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"getcfg.pas5eruharsky.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838689/; classtype:trojan-activity;sid:84701789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.121.157"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838688/; classtype:trojan-activity;sid:84701788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"121.23.132.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838687/; classtype:trojan-activity;sid:84701787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dnsweb.quirky-shedding.lat"; depth:26; isdataat:!1,relative; 
metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838686/; classtype:trojan-activity;sid:84701786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"ipnode.pas5eruharsky.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838685/; classtype:trojan-activity;sid:84701785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"appbox.diafilm5mour.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838684/; classtype:trojan-activity;sid:84701784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"hotfix.pas5eruharsky.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838683/; classtype:trojan-activity;sid:84701783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.128.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838682/; classtype:trojan-activity;sid:84701782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3838681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.94.31.197"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838681/; classtype:trojan-activity;sid:84701781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"devbit.diafilm5mour.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838680/; classtype:trojan-activity;sid:84701780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"winupd.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838679/; classtype:trojan-activity;sid:84701779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.177.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838678/; classtype:trojan-activity;sid:84701778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"srvlog.diafilm5mour.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838677/; classtype:trojan-activity;sid:84701777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"topsvc.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838676/; classtype:trojan-activity;sid:84701776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"topsvc.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838675/; classtype:trojan-activity;sid:84701775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.128.99"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838674/; classtype:trojan-activity;sid:84701774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.152.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838673/; classtype:trojan-activity;sid:84701773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3838672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"netapi.diafilm5mour.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838672/; classtype:trojan-activity;sid:84701772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"devbox.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838671/; classtype:trojan-activity;sid:84701771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"webcdn.diafilm5mour.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838670/; classtype:trojan-activity;sid:84701770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.199.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838669/; classtype:trojan-activity;sid:84701769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838668)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"vpsrun.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838668/; classtype:trojan-activity;sid:84701768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.124.214"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838667/; classtype:trojan-activity;sid:84701767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"vpsrun.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838666/; classtype:trojan-activity;sid:84701766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"dnsapi.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838665/; classtype:trojan-activity;sid:84701765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"syshub.diafilm5mour.lat"; depth:23; isdataat:!1,relative; 
metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838664/; classtype:trojan-activity;sid:84701764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"syshub.diafilm5mour.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838663/; classtype:trojan-activity;sid:84701763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.24.183"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838662/; classtype:trojan-activity;sid:84701762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"spool1-scope.verdi7qor.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838661/; classtype:trojan-activity;sid:84701761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"applog.canon-cumulative.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838660/; classtype:trojan-activity;sid:84701760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3838659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"spool1-scope.verdi7qor.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838659/; classtype:trojan-activity;sid:84701759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ynzps.verdi7qor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838658/; classtype:trojan-activity;sid:84701758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"cdnpro.fitful1yrid.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838657/; classtype:trojan-activity;sid:84701757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rywiyw.verdi7qor.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838656/; classtype:trojan-activity;sid:84701756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838655)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.37.24.183"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838655/; classtype:trojan-activity;sid:84701755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.185.240.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838654/; classtype:trojan-activity;sid:84701754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"bitly.fitful1yrid.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838653/; classtype:trojan-activity;sid:84701753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"hyper-i5l3.verdi7qor.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838652/; classtype:trojan-activity;sid:84701752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"demand3-logic.verdi7qor.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, 
urlhaus.abuse.ch/url/3838651/; classtype:trojan-activity;sid:84701751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.188.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838650/; classtype:trojan-activity;sid:84701750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"sysops.fitful1yrid.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838649/; classtype:trojan-activity;sid:84701749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.82.151"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838648/; classtype:trojan-activity;sid:84701748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"webcpu.fitful1yrid.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838647/; classtype:trojan-activity;sid:84701747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838646)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.122.232.128"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838646/; classtype:trojan-activity;sid:84701746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.210.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838645/; classtype:trojan-activity;sid:84701745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"winadapt.verdi7qor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838644/; classtype:trojan-activity;sid:84701744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"netfox.fitful1yrid.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838643/; classtype:trojan-activity;sid:84701743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"netfox.fitful1yrid.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, 
urlhaus.abuse.ch/url/3838642/; classtype:trojan-activity;sid:84701742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"solmarkex.flen4vax.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838641/; classtype:trojan-activity;sid:84701741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"srvhub.fitful1yrid.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838640/; classtype:trojan-activity;sid:84701740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"srvhub.fitful1yrid.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838639/; classtype:trojan-activity;sid:84701739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zentide8on.flen4vax.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838638/; classtype:trojan-activity;sid:84701738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3838637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zentide8on.flen4vax.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838637/; classtype:trojan-activity;sid:84701737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.191.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838636/; classtype:trojan-activity;sid:84701736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.221.41"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838634/; classtype:trojan-activity;sid:84701734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"fpbmngh4.fira6dox.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838635/; classtype:trojan-activity;sid:84701735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.136.105"; depth:14; 
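isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838633/; classtype:trojan-activity;sid:84701733; rev:1;)
# Each rule pins one URLhaus entry to a single HTTP GET request.
# http.uri: depth equal to the content length plus endswith makes this an exact-URI match; nocase makes it case-insensitive.
# http.host: depth equal to the content length plus isdataat:!1,relative makes this an exact-host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"2qfqpi.flen4vax.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838632/; classtype:trojan-activity;sid:84701732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"xtq8.flen4vax.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838630/; classtype:trojan-activity;sid:84701730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"swioute.fira6dox.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838631/; classtype:trojan-activity;sid:84701731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.188.146"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838629/; classtype:trojan-activity;sid:84701729; rev:1;)
# The URI pattern below is 24 bytes once |3f| is decoded to a single '?'.
# The feed's depth:27 counted the escaped text instead, which let up to three extra leading bytes through before endswith anchored the tail.
# depth is set to 24 so this is an exact-URI match like the other rules.
# This is a local correction to a feed rule: the next feed refresh will overwrite it, so report the length calculation upstream as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=xzbrcjukgnfqpfat"; depth:24; endswith; nocase; http.host; content:"xm06vmby.repu1sivebrazen.digital"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838628/; classtype:trojan-activity;sid:84701728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8212392349/1jrewgd.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838627/; classtype:trojan-activity;sid:84701727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"circu3-line.fira6dox.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838626/; classtype:trojan-activity;sid:84701726; rev:1;)
# NOTE(review): sid 84701725 has the same match conditions as sid 84701722 later in this file, so one request raises both alerts.
# Presumably the two URLhaus entries differ in a component the rule does not encode (scheme or port) - confirm before deduplicating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"dynmarkos6.fira6dox.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838625/; classtype:trojan-activity;sid:84701725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 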
endswith; nocase; http.host; content:"219.154.191.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838624/; classtype:trojan-activity;sid:84701724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"hvzu.flen4vax.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838623/; classtype:trojan-activity;sid:84701723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"dynmarkos6.fira6dox.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838622/; classtype:trojan-activity;sid:84701722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.210.180"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838621/; classtype:trojan-activity;sid:84701721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"yrz2.flen4vax.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838620/; 
classtype:trojan-activity;sid:84701720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"t66l.fira6dox.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838619/; classtype:trojan-activity;sid:84701719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.142.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838618/; classtype:trojan-activity;sid:84701718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"markbra.fira6dox.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838617/; classtype:trojan-activity;sid:84701717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.35.88.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838616/; classtype:trojan-activity;sid:84701716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838615)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"neo-rura1.grov9mira.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838615/; classtype:trojan-activity;sid:84701715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.251.253"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838614/; classtype:trojan-activity;sid:84701714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"tr8tupu.xano4mel.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838613/; classtype:trojan-activity;sid:84701713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tdoqrd.grov9mira.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838612/; classtype:trojan-activity;sid:84701712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.189.96.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, 
urlhaus.abuse.ch/url/3838611/; classtype:trojan-activity;sid:84701711; rev:1;)
# Exact-match IoC rule: fires on an outbound GET whose normalized URI is exactly "/i"
# (content at depth:2 plus endswith, case-insensitive) and whose Host is exactly the
# listed IP literal (depth:13 plus isdataat:!1,relative leaves no room for a prefix or suffix).
# Matches only traffic the engine parses as HTTP; a fetch of the same URL over TLS is not
# covered by this signature.
# NOTE(review): IP-literal indicators go stale quickly; metadata:created_at gives the date
# to use when ageing these rules out.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.210.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838610/; classtype:trojan-activity;sid:84701710; rev:1;)
# NOTE(review): the next two rules (sid 84701708 and sid 84701709) have identical match
# conditions (same URI, same host); only the msg id, reference and sid differ. One matching
# request therefore raises two alerts. Presumably the two URLhaus entries differ in something
# the rule does not encode (scheme or port); confirm on the reference pages. Deduplicate or
# threshold downstream if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"n0de-stream.grov9mira.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838608/; classtype:trojan-activity;sid:84701708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"n0de-stream.grov9mira.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838609/; classtype:trojan-activity;sid:84701709; rev:1;)
# Same exact-match shape as above, for a DLL path on a single .lat hostname. The rule pins
# both URI and Host, so the same path served from a different hostname does not match it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"f0rm8-index.xano4mel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838607/; classtype:trojan-activity;sid:84701707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.200.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838606/; classtype:trojan-activity;sid:84701706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"reg1str-dock.grov9mira.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838605/; classtype:trojan-activity;sid:84701705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"reg1str-dock.grov9mira.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838604/; classtype:trojan-activity;sid:84701704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.142.113"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838603/; classtype:trojan-activity;sid:84701703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"harcar.xano4mel.lat"; 
depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838602/; classtype:trojan-activity;sid:84701702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.154.29.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838601/; classtype:trojan-activity;sid:84701701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"ark-draum.xano4mel.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838600/; classtype:trojan-activity;sid:84701700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"letteropen.grov9mira.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838599/; classtype:trojan-activity;sid:84701699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.115.37.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838598/; classtype:trojan-activity;sid:84701698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3838597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flarn-forge.grov9mira.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838597/; classtype:trojan-activity;sid:84701697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"xswqyg.xano4mel.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838596/; classtype:trojan-activity;sid:84701696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"cy75lpfn.xano4mel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838595/; classtype:trojan-activity;sid:84701695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"moralaudio.pavi1lor.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838594/; classtype:trojan-activity;sid:84701694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"110.37.66.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838593/; classtype:trojan-activity;sid:84701693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.200.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838592/; classtype:trojan-activity;sid:84701692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"profitopen.brix9qen.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838591/; classtype:trojan-activity;sid:84701691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"west-cedar.pavi1lor.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838590/; classtype:trojan-activity;sid:84701690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"podccam.brix9qen.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838589/; 
classtype:trojan-activity;sid:84701689; rev:1;)
# The rules on this stretch repeat two URI paths ("/9fd51fb7-.../user_6747.google" and
# "/57oe-aget-.../take.dll") across several hostnames under .lat domains. Each rule pins one
# exact hostname (depth equals the hostname length, isdataat:!1,relative forbids trailing
# bytes), so a hostname the feed has not listed yet is not covered.
# NOTE(review): if coverage of unseen hostnames is wanted, a locally maintained rule keyed on
# the URI path alone is an option; assess false-positive risk before enabling it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"yeqxnp.pavi1lor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838588/; classtype:trojan-activity;sid:84701688; rev:1;)
# NOTE(review): sid 84701687 and sid 84701686 below match on the same URI and the same host;
# a single request triggers both. Deduplicate or threshold in the alert pipeline if needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"inspect5-signal.brix9qen.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838587/; classtype:trojan-activity;sid:84701687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"inspect5-signal.brix9qen.lat"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838586/; classtype:trojan-activity;sid:84701686; rev:1;)
# Matches only traffic parsed as HTTP from $HOME_NET to $EXTERNAL_NET; both address variables
# must reflect the monitored network for the rule to see the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"arkcrestor7.pavi1lor.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838585/; classtype:trojan-activity;sid:84701685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3838584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"vwhn.brix9qen.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838584/; classtype:trojan-activity;sid:84701684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vormeshex7.pavi1lor.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838583/; classtype:trojan-activity;sid:84701683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.188.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838582/; classtype:trojan-activity;sid:84701682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.154.29.133"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838581/; classtype:trojan-activity;sid:84701681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.97.251.253"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838580/; classtype:trojan-activity;sid:84701680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"uq449.pavi1lor.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838579/; classtype:trojan-activity;sid:84701679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"repaigatewa.brix9qen.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838578/; classtype:trojan-activity;sid:84701678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.179.253.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838577/; classtype:trojan-activity;sid:84701677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.188.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838576/; classtype:trojan-activity;sid:84701676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838575)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"macswi.sola5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838575/; classtype:trojan-activity;sid:84701675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.244.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838574/; classtype:trojan-activity;sid:84701674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"macswi.sola5reth.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838573/; classtype:trojan-activity;sid:84701673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"owobk.brix9qen.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838572/; classtype:trojan-activity;sid:84701672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"193.233.139.171"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838571/; classtype:trojan-activity;sid:84701671; rev:1;)
# NOTE(review): the URI names a ScreenConnect client installer, i.e. a remote-management
# product that also has legitimate uses. The rule is pinned to one host (193.233.139.171), so
# it does not flag ScreenConnect downloads from any other server. Triage a hit as a possible
# unsanctioned remote-access install and check the requesting endpoint for the client.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.233.139.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838570/; classtype:trojan-activity;sid:84701670; rev:1;)
# Exact URI "/i" on an exact IP-literal Host. The two-byte URI is only meaningful together
# with the host match; the rule requires both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.204.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838569/; classtype:trojan-activity;sid:84701669; rev:1;)
# NOTE(review): sid 84701668 and sid 84701667 below are identical apart from msg id, reference
# and sid, so one request to this host and path produces two alerts. Deduplicate or threshold
# downstream if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"72abbjf.gela1vor.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838568/; classtype:trojan-activity;sid:84701668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"72abbjf.gela1vor.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838567/; classtype:trojan-activity;sid:84701667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3838566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zenfluxos.sola5reth.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838566/; classtype:trojan-activity;sid:84701666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"sortsha.gela1vor.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838565/; classtype:trojan-activity;sid:84701665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"norflux9a.sola5reth.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838564/; classtype:trojan-activity;sid:84701664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"road-hold.sola5reth.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838563/; classtype:trojan-activity;sid:84701663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838562)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"scansail.gela1vor.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838562/; classtype:trojan-activity;sid:84701662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"lumdraet.sola5reth.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838561/; classtype:trojan-activity;sid:84701661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.133.13"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838560/; classtype:trojan-activity;sid:84701660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"nornexon1.gela1vor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838559/; classtype:trojan-activity;sid:84701659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.244.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838558/; 
classtype:trojan-activity;sid:84701658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.103.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838557/; classtype:trojan-activity;sid:84701657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"cl34r-crest.gela1vor.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838556/; classtype:trojan-activity;sid:84701656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"med1a-trail.sola5reth.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838555/; classtype:trojan-activity;sid:84701655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.152.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838553/; classtype:trojan-activity;sid:84701653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838554)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.12.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838554/; classtype:trojan-activity;sid:84701654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.31.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838552/; classtype:trojan-activity;sid:84701652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vorcrest2ar.miri7qen.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838551/; classtype:trojan-activity;sid:84701651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"sailcompi.gela1vor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838550/; classtype:trojan-activity;sid:84701650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.244.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838549/; classtype:trojan-activity;sid:84701649; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"00ocektx.taro5lin.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838548/; classtype:trojan-activity;sid:84701648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"2dvs.miri7qen.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838547/; classtype:trojan-activity;sid:84701647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.118.248.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838546/; classtype:trojan-activity;sid:84701646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ark-coreos.miri7qen.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838545/; classtype:trojan-activity;sid:84701645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838544)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"workerruntime.taro5lin.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838544/; classtype:trojan-activity;sid:84701644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.39.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838543/; classtype:trojan-activity;sid:84701643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"senso-gri.taro5lin.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838542/; classtype:trojan-activity;sid:84701642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"edbhftl.miri7qen.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838541/; classtype:trojan-activity;sid:84701641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.31.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838540/; 
classtype:trojan-activity;sid:84701640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.103.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838539/; classtype:trojan-activity;sid:84701639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"cwu211x.taro5lin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838538/; classtype:trojan-activity;sid:84701638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"eotdjma.miri7qen.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838537/; classtype:trojan-activity;sid:84701637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.97.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838536/; classtype:trojan-activity;sid:84701636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; 
depth:2; endswith; nocase; http.host; content:"79.106.225.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838535/; classtype:trojan-activity;sid:84701635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.106.225.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838534/; classtype:trojan-activity;sid:84701634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838533/; classtype:trojan-activity;sid:84701633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838530/; classtype:trojan-activity;sid:84701630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838531/; classtype:trojan-activity;sid:84701631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3838532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838532/; classtype:trojan-activity;sid:84701632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838526/; classtype:trojan-activity;sid:84701626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838527/; classtype:trojan-activity;sid:84701627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838528/; classtype:trojan-activity;sid:84701628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_05_04; reference:url, urlhaus.abuse.ch/url/3838529/; classtype:trojan-activity;sid:84701629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838522/; classtype:trojan-activity;sid:84701622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838523/; classtype:trojan-activity;sid:84701623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838524/; classtype:trojan-activity;sid:84701624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"5.180.82.181"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838525/; classtype:trojan-activity;sid:84701625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838521)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.33.246.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838521/; classtype:trojan-activity;sid:84701621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vitpc.miri7qen.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838520/; classtype:trojan-activity;sid:84701620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"pitchactive.taro5lin.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838519/; classtype:trojan-activity;sid:84701619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.ppc"; depth:12; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838518/; classtype:trojan-activity;sid:84701618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.ppc440fp"; depth:19; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838517/; 
classtype:trojan-activity;sid:84701617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838512/; classtype:trojan-activity;sid:84701612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838513/; classtype:trojan-activity;sid:84701613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm5"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838514/; classtype:trojan-activity;sid:84701614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm6"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838515/; classtype:trojan-activity;sid:84701615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.m68k"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; 
isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838516/; classtype:trojan-activity;sid:84701616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_32"; depth:15; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838508/; classtype:trojan-activity;sid:84701608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838509/; classtype:trojan-activity;sid:84701609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838510/; classtype:trojan-activity;sid:84701610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838511/; classtype:trojan-activity;sid:84701611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838507)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/titanjr.sh4"; depth:12; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838507/; classtype:trojan-activity;sid:84701607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l"; depth:7; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838500/; classtype:trojan-activity;sid:84701600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838501/; classtype:trojan-activity;sid:84701601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838502/; classtype:trojan-activity;sid:84701602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838503/; classtype:trojan-activity;sid:84701603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838504/; classtype:trojan-activity;sid:84701604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.x86_64"; depth:15; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838505/; classtype:trojan-activity;sid:84701605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm7"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838506/; classtype:trojan-activity;sid:84701606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.118.248.141"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838496/; classtype:trojan-activity;sid:84701596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838497/; classtype:trojan-activity;sid:84701597; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838498/; classtype:trojan-activity;sid:84701598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838499/; classtype:trojan-activity;sid:84701599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mpsl"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838494/; classtype:trojan-activity;sid:84701594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.mips"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838495/; classtype:trojan-activity;sid:84701595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titanjr.arm4"; depth:13; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_05_04; reference:url, urlhaus.abuse.ch/url/3838493/; classtype:trojan-activity;sid:84701593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.96.136.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838492/; classtype:trojan-activity;sid:84701592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"42f1.taro5lin.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838491/; classtype:trojan-activity;sid:84701591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"uvley.nexa2vor.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838490/; classtype:trojan-activity;sid:84701590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"jqs3295y.nexa2vor.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838489/; classtype:trojan-activity;sid:84701589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"clea-route.novi7xel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838488/; classtype:trojan-activity;sid:84701588; rev:1;)
# Reading these rules: each one pins a single GET request by method, URI and host.
#   - http.uri: `depth:N; endswith` with N equal to the content length anchors the
#     pattern at both ends of the buffer, so the URI must equal the listed path in
#     full; `nocase` makes that comparison case-insensitive.
#   - http.host: `depth:N; isdataat:!1,relative` likewise requires the host buffer to
#     equal the listed name or address with nothing following it.
# They are exact-match indicator rules and only see traffic Suricata parses as HTTP,
# so a hit is specific, while the absence of a hit says little about the host.
#
# Review note: sid 84701587 and sid 84701586 below have identical match criteria
# (same method, same http.uri content, same http.host content) and differ only in the
# URLhaus reference id and the sid, so one matching request raises two alerts.
# Presumably the two URLhaus entries differ in something the signature does not
# encode (scheme or port) -- confirm against the referenced entries. Deduplicate in
# alert handling (threshold.config suppress/threshold entries or downstream
# correlation) rather than by editing the generated feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vel-lineum.nexa2vor.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838487/; classtype:trojan-activity;sid:84701587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vel-lineum.nexa2vor.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838486/; classtype:trojan-activity;sid:84701586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.119.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838485/; classtype:trojan-activity;sid:84701585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.234.9"; depth:11; 
isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838484/; classtype:trojan-activity;sid:84701584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"geo-ve1v.novi7xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838483/; classtype:trojan-activity;sid:84701583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.228.182"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838482/; classtype:trojan-activity;sid:84701582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"apa0dv.nexa2vor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838481/; classtype:trojan-activity;sid:84701581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.39.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838480/; classtype:trojan-activity;sid:84701580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.33.246.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838479/; classtype:trojan-activity;sid:84701579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.96.136.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838478/; classtype:trojan-activity;sid:84701578; rev:1;)
# Review note: the next two rules (sid 84701577 and sid 84701576) match on exactly
# the same values: GET, the same http.uri content with depth:54/endswith, and the same
# http.host content with depth:22/isdataat:!1,relative. Only the URLhaus reference id
# and the sid differ, so a single matching request produces two alerts. Presumably the
# underlying URLhaus entries differ in a field the rule does not express (scheme or
# port) -- confirm against the referenced entries. When triaging, count the pair as
# one event per request; handle the duplication with threshold.config
# suppress/threshold entries or downstream correlation, not by editing the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tal-draet.nexa2vor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838477/; classtype:trojan-activity;sid:84701577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tal-draet.nexa2vor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838476/; classtype:trojan-activity;sid:84701576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"dhnupmwq.novi7xel.lat"; 
depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838475/; classtype:trojan-activity;sid:84701575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.140.5.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838474/; classtype:trojan-activity;sid:84701574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.97.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838473/; classtype:trojan-activity;sid:84701573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"gdv3zpg.novi7xel.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838472/; classtype:trojan-activity;sid:84701572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.4.24.71"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838471/; classtype:trojan-activity;sid:84701571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838470)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.238.123.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838470/; classtype:trojan-activity;sid:84701570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"kelnex4a.novi7xel.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838469/; classtype:trojan-activity;sid:84701569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"trusted-capi.nexa2vor.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838468/; classtype:trojan-activity;sid:84701568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"ftz730n.novi7xel.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838467/; classtype:trojan-activity;sid:84701567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pru2xh.thora8lin.lat"; depth:20; 
isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838465/; classtype:trojan-activity;sid:84701565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pru2xh.thora8lin.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838466/; classtype:trojan-activity;sid:84701566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.234.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838464/; classtype:trojan-activity;sid:84701564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.1.162"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838463/; classtype:trojan-activity;sid:84701563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.252.135.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838462/; classtype:trojan-activity;sid:84701562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838461)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"p1lo-vector.mira2tal.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838461/; classtype:trojan-activity;sid:84701561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"data-glow.thora8lin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838460/; classtype:trojan-activity;sid:84701560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"quorspire1al.thora8lin.lat"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838459/; classtype:trojan-activity;sid:84701559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.65.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838458/; classtype:trojan-activity;sid:84701558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"sjlol.mira2tal.lat"; 
depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838457/; classtype:trojan-activity;sid:84701557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"matr-broo.thora8lin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838456/; classtype:trojan-activity;sid:84701556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"sub-4zur.mira2tal.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838455/; classtype:trojan-activity;sid:84701555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"matr-broo.thora8lin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838454/; classtype:trojan-activity;sid:84701554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"catalrail.thora8lin.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838453/; 
classtype:trojan-activity;sid:84701553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"0sjbo.mira2tal.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838452/; classtype:trojan-activity;sid:84701552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"0sjbo.mira2tal.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838451/; classtype:trojan-activity;sid:84701551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.203.86.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838450/; classtype:trojan-activity;sid:84701550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.238.123.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838449/; classtype:trojan-activity;sid:84701549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838448)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"1fphynv.mira2tal.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838448/; classtype:trojan-activity;sid:84701548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"lumcoreet3.thora8lin.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838447/; classtype:trojan-activity;sid:84701547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.137.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838446/; classtype:trojan-activity;sid:84701546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"meta-sc4n.mira2tal.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838445/; classtype:trojan-activity;sid:84701545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pr1nt-crest.milo3ren.lat"; depth:24; isdataat:!1,relative; metadata:created_at 
2026_05_04; reference:url, urlhaus.abuse.ch/url/3838444/; classtype:trojan-activity;sid:84701544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.175.207.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838443/; classtype:trojan-activity;sid:84701543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"hub1-layer.pavo8rex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838442/; classtype:trojan-activity;sid:84701542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"hub1-layer.pavo8rex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838441/; classtype:trojan-activity;sid:84701541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.51.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838440/; classtype:trojan-activity;sid:84701540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838439)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.252.135.94"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838439/; classtype:trojan-activity;sid:84701539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"deliverycave.milo3ren.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838438/; classtype:trojan-activity;sid:84701538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.113.30.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838437/; classtype:trojan-activity;sid:84701537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.203.86.55"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838436/; classtype:trojan-activity;sid:84701536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"byt32-ring.pavo8rex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838435/; 
classtype:trojan-activity;sid:84701535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"byt32-ring.pavo8rex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838434/; classtype:trojan-activity;sid:84701534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"hn40pz.milo3ren.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838433/; classtype:trojan-activity;sid:84701533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"1ab-grid.pavo8rex.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838432/; classtype:trojan-activity;sid:84701532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"moun4-plate.milo3ren.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838431/; classtype:trojan-activity;sid:84701531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3838430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.34.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838430/; classtype:trojan-activity;sid:84701530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.62.188.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838429/; classtype:trojan-activity;sid:84701529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"labelswitch.milo3ren.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838428/; classtype:trojan-activity;sid:84701528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"wintercoupon.pavo8rex.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838427/; classtype:trojan-activity;sid:84701527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"adapter-pal.milo3ren.lat"; 
depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838426/; classtype:trojan-activity;sid:84701526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"alt-trad3.pavo8rex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838425/; classtype:trojan-activity;sid:84701525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"alt-trad3.pavo8rex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838424/; classtype:trojan-activity;sid:84701524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"encoderfreight.daro6vex.lat"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838423/; classtype:trojan-activity;sid:84701523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.62.188.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838422/; classtype:trojan-activity;sid:84701522; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"dynmeshor.pavo8rex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838421/; classtype:trojan-activity;sid:84701521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"120.28.139.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838420/; classtype:trojan-activity;sid:84701520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.104.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838418/; classtype:trojan-activity;sid:84701518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.110.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838419/; classtype:trojan-activity;sid:84701519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"campai-thor.daro6vex.lat"; 
depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838417/; classtype:trojan-activity;sid:84701517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"campai-thor.daro6vex.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838416/; classtype:trojan-activity;sid:84701516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838415/; classtype:trojan-activity;sid:84701515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"70bcr.lena3qit.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838414/; classtype:trojan-activity;sid:84701514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.34.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838413/; classtype:trojan-activity;sid:84701513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3838412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1"; depth:2; endswith; nocase; http.host; content:"138.124.18.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838412/; classtype:trojan-activity;sid:84701512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b"; depth:2; endswith; nocase; http.host; content:"138.124.18.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838410/; classtype:trojan-activity;sid:84701510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2"; depth:2; endswith; nocase; http.host; content:"138.124.18.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838411/; classtype:trojan-activity;sid:84701511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"linkcasc.lena3qit.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838409/; classtype:trojan-activity;sid:84701509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.119.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838408/; 
classtype:trojan-activity;sid:84701508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.185.125"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838407/; classtype:trojan-activity;sid:84701507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"buzawgn.daro6vex.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838406/; classtype:trojan-activity;sid:84701506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"quantquery.daro6vex.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838405/; classtype:trojan-activity;sid:84701505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"dockfilter.lena3qit.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838404/; classtype:trojan-activity;sid:84701504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838403)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.165.24.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838403/; classtype:trojan-activity;sid:84701503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"screenser.daro6vex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838402/; classtype:trojan-activity;sid:84701502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"e75usda.lena3qit.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838401/; classtype:trojan-activity;sid:84701501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.104.144"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838400/; classtype:trojan-activity;sid:84701500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-x86_64"; depth:11; endswith; nocase; http.host; content:"5.182.87.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, 
urlhaus.abuse.ch/url/3838399/; classtype:trojan-activity;sid:84701499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-armv7l"; depth:11; endswith; nocase; http.host; content:"5.182.87.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838397/; classtype:trojan-activity;sid:84701497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot-aarch64"; depth:12; endswith; nocase; http.host; content:"5.182.87.118"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838398/; classtype:trojan-activity;sid:84701498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.235.169.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838396/; classtype:trojan-activity;sid:84701496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.23.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838395/; classtype:trojan-activity;sid:84701495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; 
nocase; http.host; content:"b534.lena3qit.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838394/; classtype:trojan-activity;sid:84701494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"offerparc.daro6vex.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838393/; classtype:trojan-activity;sid:84701493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.113.30.27"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838392/; classtype:trojan-activity;sid:84701492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"lock.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838391/; classtype:trojan-activity;sid:84701491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"d4rk2-trail.lena3qit.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838390/; 
classtype:trojan-activity;sid:84701490; rev:1;)
# --- Reviewer notes: IP-literal download rules (sids 84701489, 84701488, 84701487, 84701486) ---
# How each rule matches:
#   * flow:established,from_client and http.method "GET": the alert is raised on the
#     client's request. Nothing here inspects the response, so an alert shows that a
#     $HOME_NET host requested the URL, not that a payload was delivered. Check the
#     http / fileinfo EVE records (where enabled) for the response before escalating.
#   * http.uri: depth equals the content length and endswith is set, so the
#     normalized URI must be exactly the listed string; nocase relaxes case only.
#   * http.host: depth equals the content length and isdataat:!1,relative forbids
#     any trailing byte, so the host value must be exactly the listed string.
#     http.host is Suricata's normalized (lowercased) host buffer; per the Suricata
#     documentation it does not include a port.
# The IP literal is compared with the host named in the request. The rule header's
# destination is "$EXTERNAL_NET any", so the packet's destination address and port
# are not constrained; during triage compare the alert's dest_ip with the host value.
# "alert http" relies on Suricata parsing the HTTP transaction, so a request carried
# inside TLS is covered only where traffic is decrypted before it reaches the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.215.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838389/; classtype:trojan-activity;sid:84701489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.58.78.214"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838388/; classtype:trojan-activity;sid:84701488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.235.169.230"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838387/; classtype:trojan-activity;sid:84701487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wo1"; depth:4; endswith; nocase; http.host; content:"217.60.241.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838386/; classtype:trojan-activity;sid:84701486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"mass.cryptobase.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838385/; classtype:trojan-activity;sid:84701485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y11"; depth:4; endswith; nocase; http.host; content:"217.60.241.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838384/; classtype:trojan-activity;sid:84701484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"035mhrpl.zori6mav.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838383/; classtype:trojan-activity;sid:84701483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wo"; depth:3; endswith; nocase; http.host; content:"217.60.241.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838382/; classtype:trojan-activity;sid:84701482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"columnclient.zori6mav.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838381/; classtype:trojan-activity;sid:84701481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3838380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"area.cryptobase.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838380/; classtype:trojan-activity;sid:84701480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"hard.cryptobase.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838379/; classtype:trojan-activity;sid:84701479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.165.183.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838378/; classtype:trojan-activity;sid:84701478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.224.16.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838377/; classtype:trojan-activity;sid:84701477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; 
content:"islsta.zori6mav.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838376/; classtype:trojan-activity;sid:84701476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.165.183.83"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838375/; classtype:trojan-activity;sid:84701475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"travelprair.zori6mav.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838374/; classtype:trojan-activity;sid:84701474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"base.cryptobase.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838373/; classtype:trojan-activity;sid:84701473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838372/; classtype:trojan-activity;sid:84701472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3838371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"179.108.89.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838371/; classtype:trojan-activity;sid:84701471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.80.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838370/; classtype:trojan-activity;sid:84701470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.215.152"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838369/; classtype:trojan-activity;sid:84701469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.212.121.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838368/; classtype:trojan-activity;sid:84701468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rock.cryptobase.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; 
reference:url, urlhaus.abuse.ch/url/3838367/; classtype:trojan-activity;sid:84701467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rock.cryptobase.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838366/; classtype:trojan-activity;sid:84701466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"r3ef9-point.zori6mav.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838365/; classtype:trojan-activity;sid:84701465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"105.224.16.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838364/; classtype:trojan-activity;sid:84701464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.130.77.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838363/; classtype:trojan-activity;sid:84701463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838362)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.80.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838362/; classtype:trojan-activity;sid:84701462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"ultra-d1scov.zori6mav.lat"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838361/; classtype:trojan-activity;sid:84701461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.98.97.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838360/; classtype:trojan-activity;sid:84701460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"iron.cryptobase.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838359/; classtype:trojan-activity;sid:84701459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wild.terraview.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; 
reference:url, urlhaus.abuse.ch/url/3838358/; classtype:trojan-activity;sid:84701458; rev:1;)
# --- Reviewer notes: sids 84701457, 84701456, 84701455, 84701454 ---
# Every rule below is an exact-match indicator for one reported URL: GET method,
# the whole normalized URI (depth = content length, plus endswith) and the whole
# host value (depth = content length, plus isdataat:!1,relative). The alert is
# raised on the outbound request (flow:established,from_client); the rules do not
# look at the response, so confirm in the HTTP logs whether anything was returned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"grass.solidlink.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838357/; classtype:trojan-activity;sid:84701457; rev:1;)
# NOTE(review): the next two rules (sids 84701456 and 84701455) carry identical match
# conditions - same method, same URI, same host "park.terraview.surf" - and differ
# only in msg, reference and sid. A single matching request therefore raises both
# alerts. Presumably the two URLhaus entries differ in something the rule does not
# encode; confirm against the referenced entries. When counting or correlating
# alerts, key on host + URI rather than on sid so one request is not counted twice.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"park.terraview.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838356/; classtype:trojan-activity;sid:84701456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"park.terraview.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838355/; classtype:trojan-activity;sid:84701455; rev:1;)
# The two-byte URI "/i" below is specific only because the host is pinned as well;
# the host value comes from the request, and the rule header leaves the destination
# address open ("$EXTERNAL_NET any"), so check dest_ip in the alert during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.233.204.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838354/; classtype:trojan-activity;sid:84701454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.212.121.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838353/; classtype:trojan-activity;sid:84701453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.65.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838352/; classtype:trojan-activity;sid:84701452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wood.terraview.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838351/; classtype:trojan-activity;sid:84701451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"mass.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838350/; classtype:trojan-activity;sid:84701450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tree.terraview.surf"; depth:19; 
isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838349/; classtype:trojan-activity;sid:84701449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"root.terraview.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838347/; classtype:trojan-activity;sid:84701447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"area.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838348/; classtype:trojan-activity;sid:84701448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.38.209.204"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838346/; classtype:trojan-activity;sid:84701446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.126.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838345/; classtype:trojan-activity;sid:84701445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3838344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.77.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838344/; classtype:trojan-activity;sid:84701444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"hard.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838343/; classtype:trojan-activity;sid:84701443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.113.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838342/; classtype:trojan-activity;sid:84701442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"leaf.terraview.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838341/; classtype:trojan-activity;sid:84701441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"leaf.terraview.surf"; depth:19; 
isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838340/; classtype:trojan-activity;sid:84701440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"base.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838339/; classtype:trojan-activity;sid:84701439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.3.121"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838338/; classtype:trojan-activity;sid:84701438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.233.204.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838337/; classtype:trojan-activity;sid:84701437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.122.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838336/; classtype:trojan-activity;sid:84701436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838334)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.126.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838334/; classtype:trojan-activity;sid:84701434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.192.240"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838335/; classtype:trojan-activity;sid:84701435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"rock.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838333/; classtype:trojan-activity;sid:84701433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838332/; classtype:trojan-activity;sid:84701432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wind.frostpoint.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838331/; 
classtype:trojan-activity;sid:84701431; rev:1;)
# --- Reviewer notes: sids 84701430, 84701429, 84701428, 84701427 ---
# Each rule alerts on a cleartext HTTP GET from $HOME_NET whose normalized URI and
# host value both equal the listed strings exactly (depth = content length, with
# endswith on the URI and isdataat:!1,relative on the host). "alert http" needs
# Suricata to parse the HTTP transaction, so requests inside TLS are only covered
# where traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.37.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838330/; classtype:trojan-activity;sid:84701430; rev:1;)
# NOTE(review): sids 84701429 and 84701428 have identical match conditions (same
# method, URI and host "iron.solidlink.surf") and differ only in msg, reference and
# sid, so one matching request raises two alerts. Presumably the underlying URLhaus
# entries differ in a component the rule does not encode; confirm against the
# referenced entries, and de-duplicate on host + URI when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"iron.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838329/; classtype:trojan-activity;sid:84701429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"iron.solidlink.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838328/; classtype:trojan-activity;sid:84701428; rev:1;)
# Each rule pins one fully-qualified hostname. A hostname under the same parent
# domain is covered only if it has its own rule in the feed. For retrospective
# hunting in HTTP logs, the URI path is the element these rules have in common.
# NOTE(review): the rule after sid 84701427 (URLhaus entry 3838326) is split across
# the line break in this copy; its continuation repeats the "zone.frostpoint.surf"
# host and the same URI, so it pairs with sid 84701427 in the same way as above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zone.frostpoint.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838327/; classtype:trojan-activity;sid:84701427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838326)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zone.frostpoint.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838326/; classtype:trojan-activity;sid:84701426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"wild.brightpath.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838325/; classtype:trojan-activity;sid:84701425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"temp.frostpoint.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838324/; classtype:trojan-activity;sid:84701424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"park.brightpath.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838323/; classtype:trojan-activity;sid:84701423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; 
http.host; content:"frost.frostpoint.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838322/; classtype:trojan-activity;sid:84701422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.3.121"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838321/; classtype:trojan-activity;sid:84701421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"wood.brightpath.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838320/; classtype:trojan-activity;sid:84701420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.122.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838319/; classtype:trojan-activity;sid:84701419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ice.frostpoint.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838318/; classtype:trojan-activity;sid:84701418; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"tree.brightpath.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838317/; classtype:trojan-activity;sid:84701417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.173.118.18"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838316/; classtype:trojan-activity;sid:84701416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838315/; classtype:trojan-activity;sid:84701415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"root.brightpath.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838314/; classtype:trojan-activity;sid:84701414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; 
content:"leaf.brightpath.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838313/; classtype:trojan-activity;sid:84701413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"leaf.brightpath.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838312/; classtype:trojan-activity;sid:84701412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"cold.frostpoint.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838311/; classtype:trojan-activity;sid:84701411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.140.108"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838310/; classtype:trojan-activity;sid:84701410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.104.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838309/; classtype:trojan-activity;sid:84701409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3838308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"wind.oceanblue.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838308/; classtype:trojan-activity;sid:84701408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rush.powerdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838307/; classtype:trojan-activity;sid:84701407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.29.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838306/; classtype:trojan-activity;sid:84701406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kick.powerdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838305/; classtype:trojan-activity;sid:84701405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"106.4.65.173"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838303/; classtype:trojan-activity;sid:84701403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"zone.oceanblue.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838304/; classtype:trojan-activity;sid:84701404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.53.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838302/; classtype:trojan-activity;sid:84701402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838301/; classtype:trojan-activity;sid:84701401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"temp.oceanblue.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838300/; classtype:trojan-activity;sid:84701400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3838299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.85.110.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838299/; classtype:trojan-activity;sid:84701399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.229.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838298/; classtype:trojan-activity;sid:84701398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"frost.oceanblue.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838297/; classtype:trojan-activity;sid:84701397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"jump.powerdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838296/; classtype:trojan-activity;sid:84701396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"fast.powerdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838295/; classtype:trojan-activity;sid:84701395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838294/; classtype:trojan-activity;sid:84701394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"ice.oceanblue.surf"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838293/; classtype:trojan-activity;sid:84701393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"run.powerdrift.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838292/; classtype:trojan-activity;sid:84701392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.255.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838291/; classtype:trojan-activity;sid:84701391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3838290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.104.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838290/; classtype:trojan-activity;sid:84701390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"cold.oceanblue.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838289/; classtype:trojan-activity;sid:84701389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fire.powerdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838288/; classtype:trojan-activity;sid:84701388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.229.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838287/; classtype:trojan-activity;sid:84701387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"high.logicreef.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838286/; classtype:trojan-activity;sid:84701386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.23.157.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838285/; classtype:trojan-activity;sid:84701385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.201.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838284/; classtype:trojan-activity;sid:84701384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57oe-aget-358671-chess-345msdn01/take.dll"; depth:42; endswith; nocase; http.host; content:"kick.darktrace.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838283/; classtype:trojan-activity;sid:84701383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"airy.logicreef.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838282/; classtype:trojan-activity;sid:84701382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3838280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838280/; classtype:trojan-activity;sid:84701380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.14.53.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838281/; classtype:trojan-activity;sid:84701381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.94.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838279/; classtype:trojan-activity;sid:84701379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.85.110.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838278/; classtype:trojan-activity;sid:84701378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.218"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838277/; classtype:trojan-activity;sid:84701377; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.57.232.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838276/; classtype:trojan-activity;sid:84701376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"view.logicreef.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838275/; classtype:trojan-activity;sid:84701375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"blue.logicreef.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838274/; classtype:trojan-activity;sid:84701374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.23.157.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838273/; classtype:trojan-activity;sid:84701373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838272)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"star.logicreef.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838272/; classtype:trojan-activity;sid:84701372; rev:1;)
# Same URI path as the entry above, listed under another sub-domain of
# logicreef.surf (star. above, sky. here). http.host is matched exactly
# (depth equals the host length and isdataat:!1,relative allows no trailing
# bytes), so every sub-domain needs its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sky.logicreef.surf"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838271/; classtype:trojan-activity;sid:84701371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.232.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838270/; classtype:trojan-activity;sid:84701370; rev:1;)
# The next two entries list two file names under /huhu/ on the same host,
# 216.9.225.23. The suffixes (x86_32, i686) look like CPU-architecture tags;
# that is an inference from the names, not something the rule states.
# A hit on either sid points at the same server, so correlate them by
# destination during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.x86_32"; depth:20; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838268/; classtype:trojan-activity;sid:84701368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.i686"; depth:18; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838269/; 
classtype:trojan-activity;sid:84701369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gear.pixelstep.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838267/; classtype:trojan-activity;sid:84701367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.137.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838266/; classtype:trojan-activity;sid:84701366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download.php"; depth:13; endswith; nocase; http.host; content:"maxtuberussia.lol"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838265/; classtype:trojan-activity;sid:84701365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usercenterplugin.dll"; depth:21; endswith; nocase; http.host; content:"bolt.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838262/; classtype:trojan-activity;sid:84701362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838263)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/usercenterplugin.dll"; depth:21; endswith; nocase; http.host; content:"ultra.novi7xel.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838263/; classtype:trojan-activity;sid:84701363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usercenterplugin.dll"; depth:21; endswith; nocase; http.host; content:"echo.neonstream.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838264/; classtype:trojan-activity;sid:84701364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usercenterplugin.dll"; depth:21; endswith; nocase; http.host; content:"flow.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838260/; classtype:trojan-activity;sid:84701360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usercenterplugin.dll"; depth:21; endswith; nocase; http.host; content:"zeno.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838261/; classtype:trojan-activity;sid:84701361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8635093259/jbfqssu.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838257/; 
classtype:trojan-activity;sid:84701357; rev:1;)
# http.uri is matched exactly here (depth:32 equals the content length and
# endswith pins the end of the buffer), so this sid covers only this one
# file name on 91.92.241.243; any other file name on that host needs its
# own entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_6cfb5baf4de72734.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838258/; classtype:trojan-activity;sid:84701358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usercenterplugin.dll"; depth:21; endswith; nocase; http.host; content:"echo.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838259/; classtype:trojan-activity;sid:84701359; rev:1;)
# NOTE(review): the host below is a sub-domain of b-cdn.net, which looks like
# a shared content-delivery domain; confirm before acting on it. The rule pins
# the full host name and the exact /setup.msi path, so it does not flag other
# names under that parent domain. Keep any blocklist entry derived from this
# alert equally specific rather than widening it to the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setup.msi"; depth:10; endswith; nocase; http.host; content:"mybuddyone.b-cdn.net"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838256/; classtype:trojan-activity;sid:84701356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"snap.pixelstep.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838254/; classtype:trojan-activity;sid:84701354; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838248)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/files/6849343518/wsmcrde.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838248/; classtype:trojan-activity;sid:84701348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_5241ac07ddb70336.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838249/; classtype:trojan-activity;sid:84701349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/1781548144/rqdfssh.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838250/; classtype:trojan-activity;sid:84701350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_a46ce3f4b9e389a1.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838251/; classtype:trojan-activity;sid:84701351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_f7f19e796291105f.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838252/; 
classtype:trojan-activity;sid:84701352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_3e2830fa7d31655a.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838253/; classtype:trojan-activity;sid:84701353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838247/; classtype:trojan-activity;sid:84701347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dash.pixelstep.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838246/; classtype:trojan-activity;sid:84701346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mode.pixelstep.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838245/; classtype:trojan-activity;sid:84701345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838244)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.20.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838244/; classtype:trojan-activity;sid:84701344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.37.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838243/; classtype:trojan-activity;sid:84701343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"skip.pixelstep.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838242/; classtype:trojan-activity;sid:84701342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"echo.pixelstep.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838241/; classtype:trojan-activity;sid:84701341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.45.66.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838240/; 
classtype:trojan-activity;sid:84701340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flow.nanologic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838239/; classtype:trojan-activity;sid:84701339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeno.nanologic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838238/; classtype:trojan-activity;sid:84701338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bolt.nanologic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838237/; classtype:trojan-activity;sid:84701337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.214.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838236/; classtype:trojan-activity;sid:84701336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838234)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.90.147.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838234/; classtype:trojan-activity;sid:84701334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.67.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838235/; classtype:trojan-activity;sid:84701335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"key.nanologic.surf"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838233/; classtype:trojan-activity;sid:84701333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"194.41.112.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838232/; classtype:trojan-activity;sid:84701332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.20.69"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838231/; 
classtype:trojan-activity;sid:84701331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pure.nanologic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838230/; classtype:trojan-activity;sid:84701330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"atom.nanologic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838229/; classtype:trojan-activity;sid:84701329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xx.sh"; depth:6; endswith; nocase; http.host; content:"217.60.241.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838228/; classtype:trojan-activity;sid:84701328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.112.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838227/; classtype:trojan-activity;sid:84701327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838226)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bj"; depth:3; endswith; nocase; http.host; content:"217.60.241.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838226/; classtype:trojan-activity;sid:84701326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"site.metadrive.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838225/; classtype:trojan-activity;sid:84701325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.214.172"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838224/; classtype:trojan-activity;sid:84701324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838222/; classtype:trojan-activity;sid:84701322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838223/; classtype:trojan-activity;sid:84701323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3838220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86"; depth:8; endswith; nocase; http.host; content:"204.76.203.30"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838220/; classtype:trojan-activity;sid:84701320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"101.29.21.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838221/; classtype:trojan-activity;sid:84701321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"host.metadrive.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838218/; classtype:trojan-activity;sid:84701318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.38.211.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838219/; classtype:trojan-activity;sid:84701319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.sh4"; depth:11; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; 
reference:url, urlhaus.abuse.ch/url/3838217/; classtype:trojan-activity;sid:84701317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.67.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838216/; classtype:trojan-activity;sid:84701316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.mips"; depth:12; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838207/; classtype:trojan-activity;sid:84701307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.arm7"; depth:12; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838208/; classtype:trojan-activity;sid:84701308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.x86"; depth:11; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838209/; classtype:trojan-activity;sid:84701309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.arm6"; depth:12; endswith; 
nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838210/; classtype:trojan-activity;sid:84701310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.x86_64"; depth:14; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838211/; classtype:trojan-activity;sid:84701311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.arm5"; depth:12; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838212/; classtype:trojan-activity;sid:84701312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.ppc"; depth:11; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838213/; classtype:trojan-activity;sid:84701313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.mpsl"; depth:12; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838214/; classtype:trojan-activity;sid:84701314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838215)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; endswith; nocase; http.host; content:"217.60.241.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838215/; classtype:trojan-activity;sid:84701315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.mpsl"; depth:12; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838205/; classtype:trojan-activity;sid:84701305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.arm7"; depth:12; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838206/; classtype:trojan-activity;sid:84701306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838204/; classtype:trojan-activity;sid:84701304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.x86_64"; depth:14; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838198/; 
classtype:trojan-activity;sid:84701298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.mips"; depth:12; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838199/; classtype:trojan-activity;sid:84701299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.sh4"; depth:11; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838200/; classtype:trojan-activity;sid:84701300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.arm5"; depth:12; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838201/; classtype:trojan-activity;sid:84701301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.arm6"; depth:12; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838202/; classtype:trojan-activity;sid:84701302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.ppc"; depth:11; endswith; nocase; http.host; 
content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838203/; classtype:trojan-activity;sid:84701303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8usdaf.x86"; depth:11; endswith; nocase; http.host; content:"grandtheftauto6.cc"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838197/; classtype:trojan-activity;sid:84701297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838196/; classtype:trojan-activity;sid:84701296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"core.metadrive.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838195/; classtype:trojan-activity;sid:84701295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.30.145.243"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838194/; classtype:trojan-activity;sid:84701294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3838193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gate.metadrive.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838193/; classtype:trojan-activity;sid:84701293; rev:1;)
# Review note: the rules below are exact-match indicators: GET, the full URI
# (depth equals the content length, plus endswith) and the full Host value (depth
# equals the content length, plus isdataat:!1,relative). They alert on the outbound
# HTTP request only; a hit does not show that the file was delivered or executed.
#
# Short generic paths (/i, /bin.sh) on bare IPs: the exact Host match is what makes
# these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.79.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838192/; classtype:trojan-activity;sid:84701292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.39.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838191/; classtype:trojan-activity;sid:84701291; rev:1;)
# Two .exe downloads under /bin/ on 192.109.200.4. The match is on URI and Host,
# not on file content.
# NOTE(review): the file names resemble a ScreenConnect remote-support client
# installer. If so, triage a hit as possible unauthorized remote-access tooling and
# check the endpoint for a newly installed remote-support client. Confirm against
# the URLhaus reference before acting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"192.109.200.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838189/; classtype:trojan-activity;sid:84701289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.109.200.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838190/; classtype:trojan-activity;sid:84701290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.112.251"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838188/; classtype:trojan-activity;sid:84701288; rev:1;)
# One host (192.109.200.254), one rule per file suffix (m68k, arm4, ppc, mips here).
# NOTE(review): the suffixes look like per-CPU-architecture builds of one payload;
# a hit from an embedded or appliance-class device is worth checking first — confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.m68k"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838177/; classtype:trojan-activity;sid:84701277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.arm4"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838178/; classtype:trojan-activity;sid:84701278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.ppc"; depth:14; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838179/; classtype:trojan-activity;sid:84701279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.mips"; 
depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838180/; classtype:trojan-activity;sid:84701280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.arm5"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838181/; classtype:trojan-activity;sid:84701281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.i586"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838182/; classtype:trojan-activity;sid:84701282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.arm6"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838183/; classtype:trojan-activity;sid:84701283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.mpsl"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838184/; classtype:trojan-activity;sid:84701284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3838185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.x86"; depth:14; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838185/; classtype:trojan-activity;sid:84701285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.arm7"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838186/; classtype:trojan-activity;sid:84701286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.sh4"; depth:14; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838187/; classtype:trojan-activity;sid:84701287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.sparc"; depth:16; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838175/; classtype:trojan-activity;sid:84701275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assailant.i686"; depth:15; endswith; nocase; http.host; content:"192.109.200.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, 
urlhaus.abuse.ch/url/3838176/; classtype:trojan-activity;sid:84701276; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for this section (the rules are unchanged, one per line).
#
# Every rule below uses the same template:
#   * alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client:
#     only outbound client requests parsed as HTTP are inspected. A fetch of
#     the same URL over TLS is not visible to these rules unless the traffic
#     is decrypted before it reaches the sensor.
#   * http.method must contain "GET".
#   * http.uri: depth equals the content length and endswith is set, so the
#     content must be the whole URI buffer (case-insensitive, via nocase).
#     A request that appends a query string or otherwise alters the path
#     will not match.
#   * http.host: depth equals the content length and isdataat:!1,relative
#     requires that nothing follows the match, so the host must equal the
#     listed value. NOTE(review): confirm how your Suricata version
#     normalises a Host header carrying an explicit port.
#   * sid = URLhaus id + 80863100 for every rule visible here, which maps an
#     alert back to the urlhaus.abuse.ch/url/<id>/ reference.
#
# These are exact-match indicators from a generated feed. They age quickly
# and do not generalise to new hosts or paths; keep the feed refreshed from
# upstream instead of editing individual sids locally.
# ---------------------------------------------------------------------------
# Recurring URI: the long path in the next rule is identical across many
# *.surf hostnames in this section; only http.host differs between those
# rules. A hostname not yet in the feed is not covered, so the URI path on
# its own is a useful pivot when hunting in proxy or HTTP logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"edge.metadrive.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838174/; classtype:trojan-activity;sid:84701274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.120.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838173/; classtype:trojan-activity;sid:84701273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"apex.metadrive.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838172/; classtype:trojan-activity;sid:84701272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"node.cyberlayer.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838171/; classtype:trojan-activity;sid:84701271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"beta.cyberlayer.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838170/; classtype:trojan-activity;sid:84701270; rev:1;)
# Two-byte URI "/i": the URI content alone is very generic, so the http.host
# anchor is what makes these rules specific. Several hosts in this section
# appear with both "/i" and "/bin.sh".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.11.90.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838169/; classtype:trojan-activity;sid:84701269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mobi.cyberlayer.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838168/; classtype:trojan-activity;sid:84701268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.24.71"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838167/; classtype:trojan-activity;sid:84701267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.151.87.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838166/; classtype:trojan-activity;sid:84701266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"grid.cyberlayer.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838165/; classtype:trojan-activity;sid:84701265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sync.cyberlayer.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838164/; classtype:trojan-activity;sid:84701264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.232.225.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838163/; classtype:trojan-activity;sid:84701263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838162/; classtype:trojan-activity;sid:84701262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nova.cyberlayer.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838161/; classtype:trojan-activity;sid:84701261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.10.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838160/; classtype:trojan-activity;sid:84701260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"omni.urbanpulse.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838159/; classtype:trojan-activity;sid:84701259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.193.45.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838158/; classtype:trojan-activity;sid:84701258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.151.87.10"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838157/; classtype:trojan-activity;sid:84701257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"link.urbanpulse.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838156/; classtype:trojan-activity;sid:84701256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838155/; classtype:trojan-activity;sid:84701255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.10.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838154/; classtype:trojan-activity;sid:84701254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.36.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838153/; classtype:trojan-activity;sid:84701253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.10.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838152/; classtype:trojan-activity;sid:84701252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.45.169"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838150/; classtype:trojan-activity;sid:84701250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"byte.urbanpulse.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838151/; classtype:trojan-activity;sid:84701251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.254.82"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838149/; classtype:trojan-activity;sid:84701249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.10.171"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838148/; classtype:trojan-activity;sid:84701248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.7.158"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838147/; classtype:trojan-activity;sid:84701247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flux.urbanpulse.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838146/; classtype:trojan-activity;sid:84701246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.24.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838145/; classtype:trojan-activity;sid:84701245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeta.urbanpulse.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838144/; classtype:trojan-activity;sid:84701244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.11.107.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838143/; classtype:trojan-activity;sid:84701243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.227.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838142/; classtype:trojan-activity;sid:84701242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vibe.urbanpulse.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838141/; classtype:trojan-activity;sid:84701241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mass.solidcore.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838140/; classtype:trojan-activity;sid:84701240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.36.213"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838139/; classtype:trojan-activity;sid:84701239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.165.149.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838138/; classtype:trojan-activity;sid:84701238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.165.24.160"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838137/; classtype:trojan-activity;sid:84701237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"area.solidcore.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838136/; classtype:trojan-activity;sid:84701236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.8.118.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838135/; classtype:trojan-activity;sid:84701235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.49.7.158"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838134/; classtype:trojan-activity;sid:84701234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.8.118.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838133/; classtype:trojan-activity;sid:84701233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"hard.solidcore.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838132/; classtype:trojan-activity;sid:84701232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.11.107.180"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838131/; classtype:trojan-activity;sid:84701231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.218.170"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838130/; classtype:trojan-activity;sid:84701230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.65.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838129/; classtype:trojan-activity;sid:84701229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"base.solidcore.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838128/; classtype:trojan-activity;sid:84701228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.165.149.178"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838127/; classtype:trojan-activity;sid:84701227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rock.solidcore.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838126/; classtype:trojan-activity;sid:84701226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"iron.solidcore.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838125/; classtype:trojan-activity;sid:84701225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wild.greenforest.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838124/; classtype:trojan-activity;sid:84701224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.53.122.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838123/; classtype:trojan-activity;sid:84701223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.65.212"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838122/; classtype:trojan-activity;sid:84701222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"park.greenforest.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838121/; classtype:trojan-activity;sid:84701221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.229.65.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838120/; classtype:trojan-activity;sid:84701220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wood.greenforest.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838119/; classtype:trojan-activity;sid:84701219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.114.121.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838117/; classtype:trojan-activity;sid:84701217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.58.132.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838118/; classtype:trojan-activity;sid:84701218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tree.greenforest.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838116/; classtype:trojan-activity;sid:84701216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"root.greenforest.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838115/; classtype:trojan-activity;sid:84701215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.114.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838114/; classtype:trojan-activity;sid:84701214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.7.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838113/; classtype:trojan-activity;sid:84701213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"leaf.greenforest.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838112/; classtype:trojan-activity;sid:84701212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wind.winterpeak.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838111/; classtype:trojan-activity;sid:84701211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.114.121.130"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838110/; classtype:trojan-activity;sid:84701210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zone.winterpeak.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838109/; classtype:trojan-activity;sid:84701209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.88.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838108/; classtype:trojan-activity;sid:84701208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.58.132.26"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838107/; classtype:trojan-activity;sid:84701207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"temp.winterpeak.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838106/; classtype:trojan-activity;sid:84701206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.7.199"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838105/; classtype:trojan-activity;sid:84701205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"frost.winterpeak.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838104/; classtype:trojan-activity;sid:84701204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.227.184"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838103/; classtype:trojan-activity;sid:84701203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.26.86.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838102/; classtype:trojan-activity;sid:84701202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ice.winterpeak.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838101/; classtype:trojan-activity;sid:84701201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"cold.winterpeak.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838100/; classtype:trojan-activity;sid:84701200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.99.201.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838099/; classtype:trojan-activity;sid:84701199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rush.rapidstorm.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838098/; classtype:trojan-activity;sid:84701198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kick.rapidstorm.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838097/; classtype:trojan-activity;sid:84701197; rev:1;)
# From here several rules carry short file names such as /mips, /bins/spc,
# /bins/arm6 and /bins/mipsel (presumably per-architecture builds; not stated
# by the feed). Host 31.56.209.125 appears once per such file name, so a
# file name added later on that host is not covered by these exact-URI rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"45.158.23.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838096/; classtype:trojan-activity;sid:84701196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/spc"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838095/; classtype:trojan-activity;sid:84701195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"jump.rapidstorm.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838094/; classtype:trojan-activity;sid:84701194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm6"; depth:10; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838093/; classtype:trojan-activity;sid:84701193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/bin.mipsel"; depth:16; endswith; nocase; http.host; content:"178.18.147.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838090/; classtype:trojan-activity;sid:84701190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.sh4"; depth:13; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838091/; classtype:trojan-activity;sid:84701191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838092/; classtype:trojan-activity;sid:84701192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.26.86.218"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838089/; classtype:trojan-activity;sid:84701189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.141.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838088/; classtype:trojan-activity;sid:84701188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838087/; classtype:trojan-activity;sid:84701187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838086/; classtype:trojan-activity;sid:84701186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838085/; classtype:trojan-activity;sid:84701185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fast.rapidstorm.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838084/; classtype:trojan-activity;sid:84701184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3838083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.99.201.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838083/; classtype:trojan-activity;sid:84701183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"run.rapidstorm.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838082/; classtype:trojan-activity;sid:84701182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.63.185.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838081/; classtype:trojan-activity;sid:84701181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fire.rapidstorm.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838080/; classtype:trojan-activity;sid:84701180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"high.brightreef.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838079/; classtype:trojan-activity;sid:84701179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.141.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838078/; classtype:trojan-activity;sid:84701178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.209.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838077/; classtype:trojan-activity;sid:84701177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"airy.brightreef.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838076/; classtype:trojan-activity;sid:84701176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.31.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838075/; classtype:trojan-activity;sid:84701175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3838073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm6"; depth:18; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838073/; classtype:trojan-activity;sid:84701173; rev:1;)
# NOTE(review): URLhaus entries 3838070-3838074 on this stretch all name Host 216.9.225.23 and differ only in
# the file name under /huhu/ (titanjr.arm6, .arm7, .spc, .arm, .ppc440).
# The suffixes look like per-architecture build tags (assumption from the names only, confirm against the
# URLhaus entry). When triaging an alert, the sid identifies which of these files the internal client requested.
# Each rule is an exact match: depth equal to the content length plus endswith pins http.uri to the whole
# string (case-insensitively, via nocase), and depth plus isdataat:!1,relative pins http.host the same way.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm7"; depth:18; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838074/; classtype:trojan-activity;sid:84701174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.spc"; depth:17; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838070/; classtype:trojan-activity;sid:84701170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.arm"; depth:17; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838071/; classtype:trojan-activity;sid:84701171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/titanjr.ppc440"; depth:20; endswith; nocase; http.host; content:"216.9.225.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838072/; 
classtype:trojan-activity;sid:84701172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.209.60"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838069/; classtype:trojan-activity;sid:84701169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"view.brightreef.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838068/; classtype:trojan-activity;sid:84701168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"blue.brightreef.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_04; reference:url, urlhaus.abuse.ch/url/3838067/; classtype:trojan-activity;sid:84701167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"star.brightreef.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838066/; classtype:trojan-activity;sid:84701166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838065)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ameliajeen/push/-/raw/main/s8d70ipcznaa.exe"; depth:44; endswith; nocase; http.host; content:"gitlab.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838065/; classtype:trojan-activity;sid:84701165; rev:1;)
# NOTE(review): sid 84701165 (the rule ending on the line above) is an `alert http` rule keyed on Host
# "gitlab.com", a shared code-hosting domain. It inspects cleartext HTTP only, so a fetch of this path over
# HTTPS is visible to it only where the sensor sees decrypted traffic.
# The full-URI anchor (depth:44 + endswith) is what keeps it from alerting on other requests to that host.
#
# NOTE(review): the http.uri value in the next rule appears unchanged in the gear.neonstream.surf rule further
# down, with only the Host differing. Each sid covers exactly one listed host name, because
# depth + isdataat:!1,relative pins http.host to the whole string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sky.brightreef.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838064/; classtype:trojan-activity;sid:84701164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.146.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838063/; classtype:trojan-activity;sid:84701163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gear.neonstream.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838062/; classtype:trojan-activity;sid:84701162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.202.203"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838061/; classtype:trojan-activity;sid:84701161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"snap.neonstream.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838060/; classtype:trojan-activity;sid:84701160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.12.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838059/; classtype:trojan-activity;sid:84701159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dash.neonstream.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838058/; classtype:trojan-activity;sid:84701158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.17.158.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838057/; classtype:trojan-activity;sid:84701157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3838056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.138.44"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838056/; classtype:trojan-activity;sid:84701156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mode.neonstream.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838055/; classtype:trojan-activity;sid:84701155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.146.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838054/; classtype:trojan-activity;sid:84701154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.80.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838053/; classtype:trojan-activity;sid:84701153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"skip.neonstream.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; 
reference:url, urlhaus.abuse.ch/url/3838052/; classtype:trojan-activity;sid:84701152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.12.172"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838051/; classtype:trojan-activity;sid:84701151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"echo.neonstream.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838050/; classtype:trojan-activity;sid:84701150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.54.156.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838049/; classtype:trojan-activity;sid:84701149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flow.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838048/; classtype:trojan-activity;sid:84701148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838047)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.240.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838047/; classtype:trojan-activity;sid:84701147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeno.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838046/; classtype:trojan-activity;sid:84701146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bolt.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838045/; classtype:trojan-activity;sid:84701145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"key.purelogic.surf"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838044/; classtype:trojan-activity;sid:84701144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.179.198"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838043/; classtype:trojan-activity;sid:84701143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.240.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838042/; classtype:trojan-activity;sid:84701142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pure.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838041/; classtype:trojan-activity;sid:84701141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"atom.purelogic.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838040/; classtype:trojan-activity;sid:84701140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.98.188"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838039/; classtype:trojan-activity;sid:84701139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3838038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"site.digitaltide.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838038/; classtype:trojan-activity;sid:84701138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.102.39.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838037/; classtype:trojan-activity;sid:84701137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.200.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838036/; classtype:trojan-activity;sid:84701136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.179.198"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838035/; classtype:trojan-activity;sid:84701135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"host.digitaltide.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; 
reference:url, urlhaus.abuse.ch/url/3838034/; classtype:trojan-activity;sid:84701134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.38.47"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838033/; classtype:trojan-activity;sid:84701133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.69.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838032/; classtype:trojan-activity;sid:84701132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"core.digitaltide.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838031/; classtype:trojan-activity;sid:84701131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.67.80.43"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838030/; classtype:trojan-activity;sid:84701130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"182.124.163.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838029/; classtype:trojan-activity;sid:84701129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.98.188"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838028/; classtype:trojan-activity;sid:84701128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gate.digitaltide.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838027/; classtype:trojan-activity;sid:84701127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.186.208.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838026/; classtype:trojan-activity;sid:84701126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"edge.digitaltide.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838025/; classtype:trojan-activity;sid:84701125; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.207.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838024/; classtype:trojan-activity;sid:84701124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"apex.digitaltide.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838023/; classtype:trojan-activity;sid:84701123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.239.246.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838022/; classtype:trojan-activity;sid:84701122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"node.cyberdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838021/; classtype:trojan-activity;sid:84701121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"110.37.35.235"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838020/; classtype:trojan-activity;sid:84701120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.186.208.9"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838019/; classtype:trojan-activity;sid:84701119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"beta.cyberdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838017/; classtype:trojan-activity;sid:84701117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.230.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838018/; classtype:trojan-activity;sid:84701118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.244.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838015/; classtype:trojan-activity;sid:84701115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3838016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.58.78.214"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838016/; classtype:trojan-activity;sid:84701116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.93.137.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838014/; classtype:trojan-activity;sid:84701114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.223.137.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838013/; classtype:trojan-activity;sid:84701113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.69.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838012/; classtype:trojan-activity;sid:84701112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.207.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838011/; classtype:trojan-activity;sid:84701111; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mobi.cyberdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838010/; classtype:trojan-activity;sid:84701110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838009/; classtype:trojan-activity;sid:84701109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838008/; classtype:trojan-activity;sid:84701108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838006/; classtype:trojan-activity;sid:84701106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838007/; classtype:trojan-activity;sid:84701107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838005/; classtype:trojan-activity;sid:84701105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"31.56.209.125"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838004/; classtype:trojan-activity;sid:84701104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.230.130"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838003/; classtype:trojan-activity;sid:84701103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.231.41.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838002/; classtype:trojan-activity;sid:84701102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"42.234.163.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838001/; classtype:trojan-activity;sid:84701101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3838000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"grid.cyberdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3838000/; classtype:trojan-activity;sid:84701100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.137.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837999/; classtype:trojan-activity;sid:84701099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.223.137.31"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837998/; classtype:trojan-activity;sid:84701098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.i486"; depth:14; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837996/; classtype:trojan-activity;sid:84701096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3837997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.mips64"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837997/; classtype:trojan-activity;sid:84701097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sync.cyberdrift.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837995/; classtype:trojan-activity;sid:84701095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.armv6l"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837994/; classtype:trojan-activity;sid:84701094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.mipsel"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837991/; classtype:trojan-activity;sid:84701091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader.sh"; depth:10; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837992/; classtype:trojan-activity;sid:84701092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.powerpc"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837993/; classtype:trojan-activity;sid:84701093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.m68k"; depth:14; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837990/; classtype:trojan-activity;sid:84701090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.i686"; depth:14; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837982/; classtype:trojan-activity;sid:84701082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.armv5l"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837983/; classtype:trojan-activity;sid:84701083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837984)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/35fc4b37.armv4l"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837984/; classtype:trojan-activity;sid:84701084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.riscv64"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837985/; classtype:trojan-activity;sid:84701085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.mips"; depth:14; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837986/; classtype:trojan-activity;sid:84701086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.s390x"; depth:15; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837987/; classtype:trojan-activity;sid:84701087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.x86_64"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837988/; classtype:trojan-activity;sid:84701088; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.aarch64"; depth:17; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837989/; classtype:trojan-activity;sid:84701089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.armv7l"; depth:16; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837980/; classtype:trojan-activity;sid:84701080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35fc4b37.i586"; depth:14; endswith; nocase; http.host; content:"176.65.139.11"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837981/; classtype:trojan-activity;sid:84701081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.118.209.172"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837979/; classtype:trojan-activity;sid:84701079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nova.cyberdrift.surf"; depth:20; 
isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837978/; classtype:trojan-activity;sid:84701078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"omni.quantumwave.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837977/; classtype:trojan-activity;sid:84701077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.231.41.174"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837976/; classtype:trojan-activity;sid:84701076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"link.quantumwave.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837975/; classtype:trojan-activity;sid:84701075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.75.114"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837974/; classtype:trojan-activity;sid:84701074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3837973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"byte.quantumwave.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837973/; classtype:trojan-activity;sid:84701073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.232.225.37"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837972/; classtype:trojan-activity;sid:84701072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.103.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837971/; classtype:trojan-activity;sid:84701071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.178.108.82"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837970/; classtype:trojan-activity;sid:84701070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.239.246.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, 
urlhaus.abuse.ch/url/3837969/; classtype:trojan-activity;sid:84701069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flux.quantumwave.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837968/; classtype:trojan-activity;sid:84701068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.4.233.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837967/; classtype:trojan-activity;sid:84701067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeta.quantumwave.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837966/; classtype:trojan-activity;sid:84701066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837965/; classtype:trojan-activity;sid:84701065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837964)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vibe.quantumwave.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837964/; classtype:trojan-activity;sid:84701064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"180.107.158.34"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837963/; classtype:trojan-activity;sid:84701063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.60.252.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837962/; classtype:trojan-activity;sid:84701062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.25.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837961/; classtype:trojan-activity;sid:84701061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.60.252.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837960/; classtype:trojan-activity;sid:84701060; rev:1;) alert http 
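$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rush.andipfs.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837959/; classtype:trojan-activity;sid:84701059; rev:1;)
# Rule template used throughout this feed: one rule per URLhaus entry, alerting on an
# outbound GET ($HOME_NET -> $EXTERNAL_NET) whose normalized URI equals the listed path
# (depth = pattern length, plus endswith) and whose Host equals the listed value
# (depth = pattern length, plus isdataat:!1,relative). Generic paths such as "/i" or
# "/bin.sh" are only specific because of the Host pin. These are `alert http` rules, so
# they inspect cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.103.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837958/; classtype:trojan-activity;sid:84701058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kick.andipfs.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837957/; classtype:trojan-activity;sid:84701057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.13.21.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837956/; classtype:trojan-activity;sid:84701056; rev:1;)
# Review note: depth corrected from 27 to 24 on the http.uri content below. The hex escape
# |3f| is a single byte ("?") once decoded, so the pattern is 24 bytes long; 27 is the
# length of the escaped text. Every other rule in this part of the file has depth equal to
# the pattern length, which together with endswith gives an exact URI match. With depth:27
# the rule would also accept URIs carrying up to three extra leading bytes.
# The feed appears to be generated upstream (see the "Last updated" header), so a refresh
# will presumably restore depth:27 until the generator is fixed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|ublib=zfwvsqdwvtucpdqd"; depth:24; endswith; nocase; http.host; content:"vuufaahx.ass-ecuadorian.digital"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837955/; classtype:trojan-activity;sid:84701055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.228.89.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837954/; classtype:trojan-activity;sid:84701054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"jump.andipfs.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837953/; classtype:trojan-activity;sid:84701053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.3.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837952/; classtype:trojan-activity;sid:84701052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fast.andipfs.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837951/; classtype:trojan-activity;sid:84701051; rev:1;)
alert http $HOME_NET any ->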
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.159.15.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837950/; classtype:trojan-activity;sid:84701050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.77.70.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837949/; classtype:trojan-activity;sid:84701049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"run.andipfs.lat"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837947/; classtype:trojan-activity;sid:84701047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.3.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837948/; classtype:trojan-activity;sid:84701048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fire.andipfs.lat"; depth:16; 
isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837946/; classtype:trojan-activity;sid:84701046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.228.89.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837945/; classtype:trojan-activity;sid:84701045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"high.ipfsway.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837944/; classtype:trojan-activity;sid:84701044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.13.21.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837943/; classtype:trojan-activity;sid:84701043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"airy.ipfsway.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837942/; classtype:trojan-activity;sid:84701042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3837941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"view.ipfsway.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837941/; classtype:trojan-activity;sid:84701041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.77.70.102"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837939/; classtype:trojan-activity;sid:84701039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"186.159.15.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837940/; classtype:trojan-activity;sid:84701040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"blue.ipfsway.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837938/; classtype:trojan-activity;sid:84701038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"star.ipfsway.lat"; depth:16; 
isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837937/; classtype:trojan-activity;sid:84701037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sky.ipfsway.lat"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837936/; classtype:trojan-activity;sid:84701036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gear.querytan.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837935/; classtype:trojan-activity;sid:84701035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"snap.querytan.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837934/; classtype:trojan-activity;sid:84701034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dash.querytan.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837933/; 
classtype:trojan-activity;sid:84701033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mode.querytan.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837932/; classtype:trojan-activity;sid:84701032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swt"; depth:4; endswith; nocase; http.host; content:"178.16.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837931/; classtype:trojan-activity;sid:84701031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slt"; depth:4; endswith; nocase; http.host; content:"178.16.52.120"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837930/; classtype:trojan-activity;sid:84701030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"skip.querytan.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837929/; classtype:trojan-activity;sid:84701029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837928)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"echo.querytan.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837928/; classtype:trojan-activity;sid:84701028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.90.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837927/; classtype:trojan-activity;sid:84701027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flux.vmesscab.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837926/; classtype:trojan-activity;sid:84701026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.25.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837925/; classtype:trojan-activity;sid:84701025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeno.vmesscab.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837924/; 
classtype:trojan-activity;sid:84701024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.6.103"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837923/; classtype:trojan-activity;sid:84701023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bolt.vmesscab.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837922/; classtype:trojan-activity;sid:84701022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"key.vmesscab.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837921/; classtype:trojan-activity;sid:84701021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pure.vmesscab.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837920/; classtype:trojan-activity;sid:84701020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837919)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"atom.vmesscab.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837919/; classtype:trojan-activity;sid:84701019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.25.51"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837918/; classtype:trojan-activity;sid:84701018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"site.agocert.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837917/; classtype:trojan-activity;sid:84701017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"host.agocert.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837916/; classtype:trojan-activity;sid:84701016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.66.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; 
reference:url, urlhaus.abuse.ch/url/3837915/; classtype:trojan-activity;sid:84701015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"core.agocert.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837914/; classtype:trojan-activity;sid:84701014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.151.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837913/; classtype:trojan-activity;sid:84701013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.79.75.90"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837912/; classtype:trojan-activity;sid:84701012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gate.agocert.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837911/; classtype:trojan-activity;sid:84701011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837910)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.121.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837910/; classtype:trojan-activity;sid:84701010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.70.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837909/; classtype:trojan-activity;sid:84701009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.151.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837908/; classtype:trojan-activity;sid:84701008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"edge.agocert.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837907/; classtype:trojan-activity;sid:84701007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"apex.agocert.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837906/; 
classtype:trojan-activity;sid:84701006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.50.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837905/; classtype:trojan-activity;sid:84701005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.1.200"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837904/; classtype:trojan-activity;sid:84701004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"node.ipsetlap.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837903/; classtype:trojan-activity;sid:84701003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"37.26.85.56"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837902/; classtype:trojan-activity;sid:84701002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; 
depth:54; endswith; nocase; http.host; content:"beta.ipsetlap.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837901/; classtype:trojan-activity;sid:84701001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.127.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837900/; classtype:trojan-activity;sid:84701000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mobi.ipsetlap.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837899/; classtype:trojan-activity;sid:84700999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.121.193"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837898/; classtype:trojan-activity;sid:84700998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"grid.ipsetlap.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837897/; classtype:trojan-activity;sid:84700997; rev:1;) 
# URLhaus download-URL signatures (metadata:created_at 2026_05_03), one rule per line.
#
# How each rule matches:
#   - "alert http ... $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client and http.method "GET": fires on an outbound
#     cleartext HTTP GET request. Requests carried inside TLS are not visible to
#     these rules unless the traffic is decrypted before inspection.
#   - http.uri: content + depth equal to the pattern length + endswith anchors the
#     pattern to both the start and the end of the buffer, so the URI must equal
#     the string (nocase makes the comparison case-insensitive). The same path
#     with a query string appended does not match.
#   - http.host: content + depth equal to the pattern length + isdataat:!1,relative
#     requires that no byte follows the match, so the host must equal the listed
#     name or IP literal exactly.
#
# Triage: the number in msg and in reference:url is the URLhaus entry id.
# NOTE(review): hosts given as IP literals can change owner over time; check the
# referenced entry is still listed before acting on a hit.
#
# The long "/9fd51fb7-.../user_6747.google" URI recurs below with a separate rule
# and sid per hostname, so a hostname the feed has not listed yet is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sync.ipsetlap.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837896/; classtype:trojan-activity;sid:84700996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nova.ipsetlap.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837895/; classtype:trojan-activity;sid:84700995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837894/; classtype:trojan-activity;sid:84700994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"axis.agilelid.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837893/; classtype:trojan-activity;sid:84700993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"link.agilelid.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837892/; classtype:trojan-activity;sid:84700992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.79.75.90"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837890/; classtype:trojan-activity;sid:84700990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.12.61"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837891/; classtype:trojan-activity;sid:84700991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"byte.agilelid.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837889/; classtype:trojan-activity;sid:84700989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837888/; classtype:trojan-activity;sid:84700988; rev:1;)
# URLhaus download-URL signatures (metadata:created_at 2026_05_03), one rule per line.
#
# Every rule below has the same shape: an outbound cleartext HTTP GET
# ($HOME_NET -> $EXTERNAL_NET, flow:established,from_client) whose URI and host
# both equal a listed string.
#   - http.uri: content + depth equal to the pattern length + endswith means the
#     URI must equal the string, compared case-insensitively (nocase); a query
#     string appended to the path prevents a match.
#   - http.host: content + depth equal to the pattern length + isdataat:!1,relative
#     means nothing may follow the match, so the host must equal the listed name
#     or IP literal.
# These are "alert http" rules: a download over TLS is not inspected unless the
# traffic is decrypted first.
# Triage: the number in msg and in reference:url is the URLhaus entry id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flow.agilelid.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837887/; classtype:trojan-activity;sid:84700986; rev:1;)
# URLhaus feed rules (Suricata), one indicator per rule, one rule per line.
# Each rule alerts when a $HOME_NET client sends an HTTP GET to $EXTERNAL_NET
# and both the request URI and the Host equal the listed values:
#   - http.uri:  content + depth:<len> + endswith pins the whole URI
#     (case-insensitive via nocase); a request that appends a query string or
#     extra path segments does not match.
#   - http.host: content + depth:<len> + isdataat:!1,relative pins the whole
#     host value.
# The number in msg and in the reference URL is the URLhaus entry id.
# NOTE(review): an alert shows that an internal host *requested* the URL, not
# that the payload was delivered or executed -- confirm from the HTTP response
# and from host telemetry before escalating or closing.
# NOTE(review): "alert http" only covers traffic Suricata parses as HTTP; the
# same URL fetched over TLS is not visible here unless it is decrypted upstream.
# NOTE(review): many entries below repeat one URI path across changing
# subdomains, so host-pinned rules will lag behind new hostnames; a local hunt
# on that URI path alone may be worth adding. Entries keyed on a bare IP plus a
# very short URI ("/i", "/bin.sh") presumably age quickly -- consider expiring
# them using metadata:created_at; TODO confirm retention policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837867/; classtype:trojan-activity;sid:84700967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837862/; classtype:trojan-activity;sid:84700962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837863/; classtype:trojan-activity;sid:84700963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"176.65.139.36"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837861/; classtype:trojan-activity;sid:84700961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.76.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837860/; classtype:trojan-activity;sid:84700960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"reta-wave.woodfor.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837859/; classtype:trojan-activity;sid:84700959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsle"; depth:7; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837858/; classtype:trojan-activity;sid:84700958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837857/; classtype:trojan-activity;sid:84700957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"9wwp.woodfor.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837856/; classtype:trojan-activity;sid:84700956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86.exe"; depth:12; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837855/; classtype:trojan-activity;sid:84700955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot.exe"; depth:8; endswith; nocase; http.host; content:"176.65.139.141"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837854/; classtype:trojan-activity;sid:84700954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.i468"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837853/; classtype:trojan-activity;sid:84700953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"5now-mount.woodfor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837852/; classtype:trojan-activity;sid:84700952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"80.67.33.209"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837851/; classtype:trojan-activity;sid:84700951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"emjp1vs.woodfor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837850/; classtype:trojan-activity;sid:84700950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7556497175/rmrcoq0.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837848/; classtype:trojan-activity;sid:84700948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"u1tr4-scope.woodfor.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837847/; classtype:trojan-activity;sid:84700947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.76.221"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837846/; classtype:trojan-activity;sid:84700946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.206.185.127"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837845/; classtype:trojan-activity;sid:84700945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"packagesca.woodfor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837844/; classtype:trojan-activity;sid:84700944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"9wk4ykk.woodfor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837843/; classtype:trojan-activity;sid:84700943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.215.86.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837842/; classtype:trojan-activity;sid:84700942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.51.102"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837841/; classtype:trojan-activity;sid:84700941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"lmzrj5.yeldfor.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837840/; classtype:trojan-activity;sid:84700940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.173.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837839/; classtype:trojan-activity;sid:84700939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.53.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837838/; classtype:trojan-activity;sid:84700938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rnqb.yeldfor.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837837/; classtype:trojan-activity;sid:84700937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"s0un-panel.yeldfor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837836/; classtype:trojan-activity;sid:84700936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"forestoke.yeldfor.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837835/; classtype:trojan-activity;sid:84700935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.141.105.137"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837834/; classtype:trojan-activity;sid:84700934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dynforgear1.yeldfor.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837833/; classtype:trojan-activity;sid:84700933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.86.84"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837832/; classtype:trojan-activity;sid:84700932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.29.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837831/; classtype:trojan-activity;sid:84700931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"lvhpvce.yeldfor.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837830/; classtype:trojan-activity;sid:84700930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.225.84.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837829/; classtype:trojan-activity;sid:84700929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"105.184.16.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837828/; classtype:trojan-activity;sid:84700928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.12.116"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837827/; classtype:trojan-activity;sid:84700927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"handlprint.yeldfor.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837826/; classtype:trojan-activity;sid:84700926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.87.188.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837825/; classtype:trojan-activity;sid:84700925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vvagon-index.poorbet.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837824/; classtype:trojan-activity;sid:84700924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.155.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837823/; classtype:trojan-activity;sid:84700923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.236.149.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837822/; classtype:trojan-activity;sid:84700922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837820/; classtype:trojan-activity;sid:84700920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837821/; classtype:trojan-activity;sid:84700921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pwev0y0.poorbet.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837819/; classtype:trojan-activity;sid:84700919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/debug"; depth:18; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837817/; classtype:trojan-activity;sid:84700917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.x86_64"; depth:31; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837818/; classtype:trojan-activity;sid:84700918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.spc"; depth:28; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837812/; classtype:trojan-activity;sid:84700912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.arm6"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837813/; classtype:trojan-activity;sid:84700913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.sh"; depth:5; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837814/; classtype:trojan-activity;sid:84700914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.i686"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837815/; classtype:trojan-activity;sid:84700915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.87.188.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837816/; classtype:trojan-activity;sid:84700916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.mpsl"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837811/; classtype:trojan-activity;sid:84700911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.arc"; depth:28; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837805/; classtype:trojan-activity;sid:84700905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.m68k"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837806/; classtype:trojan-activity;sid:84700906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.ppc"; depth:28; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837807/; classtype:trojan-activity;sid:84700907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.x86"; depth:28; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837808/; classtype:trojan-activity;sid:84700908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.arm"; depth:28; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837809/; classtype:trojan-activity;sid:84700909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.arm7"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837810/; classtype:trojan-activity;sid:84700910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.sh4"; depth:28; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837803/; classtype:trojan-activity;sid:84700903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.arm5"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837804/; classtype:trojan-activity;sid:84700904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.i486"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837802/; classtype:trojan-activity;sid:84700902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"1nspec-mark.poorbet.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837801/; classtype:trojan-activity;sid:84700901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.53.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837800/; classtype:trojan-activity;sid:84700900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"quorforgeis5.poorbet.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837799/; classtype:trojan-activity;sid:84700899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bchx.poorbet.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837798/; classtype:trojan-activity;sid:84700898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dispatcherpodcast.poorbet.lat"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837797/; classtype:trojan-activity;sid:84700897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nortspec.poorbet.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837796/; classtype:trojan-activity;sid:84700896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.225.84.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837795/; classtype:trojan-activity;sid:84700895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pr1nt-plate.qantuni.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837794/; classtype:trojan-activity;sid:84700894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837793/; classtype:trojan-activity;sid:84700893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.140.5.45"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837792/; classtype:trojan-activity;sid:84700892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"v1vid-sync.qantuni.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837791/; classtype:trojan-activity;sid:84700891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.155.134"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837790/; classtype:trojan-activity;sid:84700890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wq278yz.qantuni.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837789/; classtype:trojan-activity;sid:84700889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"k7zm2.qantuni.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837788/; classtype:trojan-activity;sid:84700888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"yhrjk4yd.qantuni.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837787/; classtype:trojan-activity;sid:84700887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"yzhf.qantuni.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837786/; classtype:trojan-activity;sid:84700886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.230.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837785/; classtype:trojan-activity;sid:84700885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dynamicloc.qantuni.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837784/; classtype:trojan-activity;sid:84700884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.215.210.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837783/; classtype:trojan-activity;sid:84700883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wood-zone.weplord.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837782/; classtype:trojan-activity;sid:84700882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"x7abhl.weplord.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837781/; classtype:trojan-activity;sid:84700881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.152.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837780/; classtype:trojan-activity;sid:84700880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.152.140"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837779/; classtype:trojan-activity;sid:84700879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kelcoreet.weplord.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837778/; classtype:trojan-activity;sid:84700878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"velvenor4.weplord.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837777/; classtype:trojan-activity;sid:84700877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"moduleprime.weplord.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837776/; classtype:trojan-activity;sid:84700876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.215.229"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837775/; classtype:trojan-activity;sid:84700875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.127.163"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837773/; classtype:trojan-activity;sid:84700873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"merspirea.weplord.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837774/; classtype:trojan-activity;sid:84700874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.173.53.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837772/; classtype:trojan-activity;sid:84700872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"talcrestex7.weplord.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837771/; classtype:trojan-activity;sid:84700871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"clusteroasi.wentgot.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837770/; classtype:trojan-activity;sid:84700870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"vs2uc.wentgot.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837769/; classtype:trojan-activity;sid:84700869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"runw2-flow.wentgot.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837768/; classtype:trojan-activity;sid:84700868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.173.53.31"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837767/; classtype:trojan-activity;sid:84700867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.90.147.48"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837766/; classtype:trojan-activity;sid:84700866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"indexlaunc.wentgot.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837765/; classtype:trojan-activity;sid:84700865; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"101.29.21.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837764/; classtype:trojan-activity;sid:84700864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"urwiban.wentgot.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837763/; classtype:trojan-activity;sid:84700863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vel-nexon.wentgot.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837762/; classtype:trojan-activity;sid:84700862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rrjp7hig.wentgot.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837761/; classtype:trojan-activity;sid:84700861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837760)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"solmarkis1.klatren.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837760/; classtype:trojan-activity;sid:84700860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.239.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837759/; classtype:trojan-activity;sid:84700859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"texg.klatren.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837758/; classtype:trojan-activity;sid:84700858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zen-venor.klatren.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837757/; classtype:trojan-activity;sid:84700857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"163.142.84.177"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, 
urlhaus.abuse.ch/url/3837756/; classtype:trojan-activity;sid:84700856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kel-crestis.klatren.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837755/; classtype:trojan-activity;sid:84700855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837754/; classtype:trojan-activity;sid:84700854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mrky.klatren.lat"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837753/; classtype:trojan-activity;sid:84700853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.127.135"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837752/; classtype:trojan-activity;sid:84700852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837751)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.239.25"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837751/; classtype:trojan-activity;sid:84700851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.146.212.59"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837750/; classtype:trojan-activity;sid:84700850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"4ct1ve-point.klatren.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837749/; classtype:trojan-activity;sid:84700849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tokenimport.klatren.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837748/; classtype:trojan-activity;sid:84700848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.82.219"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837747/; 
classtype:trojan-activity;sid:84700847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wowiloveyou/runningaway.mips"; depth:29; endswith; nocase; http.host; content:"80.241.218.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837746/; classtype:trojan-activity;sid:84700846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"look.darkwinterlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837745/; classtype:trojan-activity;sid:84700845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.178.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837744/; classtype:trojan-activity;sid:84700844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"great.wintercoldlab.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837743/; classtype:trojan-activity;sid:84700843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837742)"; flow:established,from_client; http.method; 
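content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.205.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837742/; classtype:trojan-activity;sid:84700842; rev:1;)
# Rule shape used throughout this feed: on http.uri, depth equal to the content
# length plus endswith pins the content to the whole buffer (nocase applies to
# this URI content); on http.host, depth plus isdataat:!1,relative does the same.
# Each rule therefore fires only on a GET for one exact host and URI pair.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"last.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837741/; classtype:trojan-activity;sid:84700841; rev:1;)
# Local fix to the feed entry for URLhaus 3837740. http.uri is Suricata's
# normalized URI buffer, in which percent-escapes of ordinary path characters are
# decoded, so the upstream content "/d/ghos%74%73ta%74%75%73" (depth:24) would not
# be found there. The content below is the decoded form of that same path, with
# depth set to its length (14). To match the literal escaped form instead, use the
# upstream content and depth on http.uri.raw. Re-apply after each feed refresh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/ghoststatus"; depth:14; endswith; nocase; http.host; content:"gltnub.live"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837740/; classtype:trojan-activity;sid:84700840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.82.219"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837739/; classtype:trojan-activity;sid:84700839; rev:1;)
# NOTE(review): the next rule (URLhaus 3837738) inspects cleartext HTTP only.
# github.com release assets are normally fetched over HTTPS, so it presumably
# fires only where TLS is decrypted ahead of the sensor - confirm coverage.
# The host alone is not an indicator; the exact URI names the release asset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pondmarinedetonate89/zvvfrfhg/releases/download/45432/setup_x64.rar"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, 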
urlhaus.abuse.ch/url/3837738/; classtype:trojan-activity;sid:84700838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.19.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837737/; classtype:trojan-activity;sid:84700837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.177.201.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837736/; classtype:trojan-activity;sid:84700836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"poon.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837735/; classtype:trojan-activity;sid:84700835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.178.57"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837734/; classtype:trojan-activity;sid:84700834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; 
endswith; nocase; http.host; content:"112.93.203.53"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837733/; classtype:trojan-activity;sid:84700833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"qanti.solidstonecore.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837732/; classtype:trojan-activity;sid:84700832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.174.98.187"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837731/; classtype:trojan-activity;sid:84700831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.197.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837729/; classtype:trojan-activity;sid:84700829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.115.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837730/; classtype:trojan-activity;sid:84700830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3837728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.153.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837728/; classtype:trojan-activity;sid:84700828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fast.magicflowpoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837727/; classtype:trojan-activity;sid:84700827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.173.159.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837726/; classtype:trojan-activity;sid:84700826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837725/; classtype:trojan-activity;sid:84700825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pure.magicflowpoint.lat"; depth:23; isdataat:!1,relative; 
metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837724/; classtype:trojan-activity;sid:84700824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.228.102.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837723/; classtype:trojan-activity;sid:84700823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.129.153.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837722/; classtype:trojan-activity;sid:84700822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"blue.magicflowpoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837721/; classtype:trojan-activity;sid:84700821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.205.102"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837720/; classtype:trojan-activity;sid:84700820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837719)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.14.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837719/; classtype:trojan-activity;sid:84700819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"view.magicflowpoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837718/; classtype:trojan-activity;sid:84700818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.230.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837717/; classtype:trojan-activity;sid:84700817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sky.magicflowpoint.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837716/; classtype:trojan-activity;sid:84700816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.197.199"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837715/; 
classtype:trojan-activity;sid:84700815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.153.35"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837714/; classtype:trojan-activity;sid:84700814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.121.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837713/; classtype:trojan-activity;sid:84700813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837712/; classtype:trojan-activity;sid:84700812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"111.173.159.69"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837711/; classtype:trojan-activity;sid:84700811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"star.magicflowpoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837710/; classtype:trojan-activity;sid:84700810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"upd.wintercoldlab.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837709/; classtype:trojan-activity;sid:84700809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.129.153.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837708/; classtype:trojan-activity;sid:84700808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"site.wintercoldlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837707/; classtype:trojan-activity;sid:84700807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.121.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837706/; classtype:trojan-activity;sid:84700806; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gate.wintercoldlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837705/; classtype:trojan-activity;sid:84700805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.131.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837704/; classtype:trojan-activity;sid:84700804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"base.wintercoldlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837703/; classtype:trojan-activity;sid:84700803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.205.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837702/; classtype:trojan-activity;sid:84700802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; 
endswith; nocase; http.host; content:"edge.wintercoldlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837701/; classtype:trojan-activity;sid:84700801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837700/; classtype:trojan-activity;sid:84700800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"apex.wintercoldlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837699/; classtype:trojan-activity;sid:84700799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.50.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837698/; classtype:trojan-activity;sid:84700798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zoom.brightskycore.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837697/; classtype:trojan-activity;sid:84700797; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bolt.brightskycore.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837696/; classtype:trojan-activity;sid:84700796; rev:1;)
# How to read the rules in this span (they all follow one template):
#   - `alert http` with flow:established,from_client: evaluated on client requests that
#     Suricata's HTTP parser can see, i.e. cleartext HTTP or traffic decrypted upstream.
#   - http.uri; content:"<path>"; depth:N; endswith; nocase: N equals the length of <path>,
#     so together with endswith the whole URI buffer must equal <path> (case-insensitive).
#     The same path with a query string appended is not matched.
#   - http.host; content:"<host>"; depth:N; isdataat:!1,relative: the host buffer must be
#     exactly <host>, with no data after it.
#   - metadata:created_at: date recorded in the rule; useful for ageing out stale entries,
#     especially where <host> is a bare IPv4 address that may since have been reassigned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.131.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837695/; classtype:trojan-activity;sid:84700795; rev:1;)
# Entries 3837696, 3837694 and 3837689 in this span share one URI and differ only in the
# subdomain of brightskycore.lat. Because http.host is matched exactly, another subdomain
# serving the same path is not covered until the feed lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kick.brightskycore.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837694/; classtype:trojan-activity;sid:84700794; rev:1;)
# The next two rules name github.com as host and a release-asset path as URI. GitHub
# downloads are normally fetched over HTTPS, so on a sensor without TLS decryption these
# `alert http` rules only see a request that was actually sent in cleartext; coverage for
# these URLs then depends on proxy or endpoint telemetry that records the full URL.
# The host is shared infrastructure: the indicator is the complete URL, not github.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fomanory/better-ff-sounds/releases/download/release/loader.msi"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837693/; classtype:trojan-activity;sid:84700793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fomanory/roblox-script-executor/releases/download/release/loader.msi"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837692/; classtype:trojan-activity;sid:84700792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"201.149.107.54"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837691/; classtype:trojan-activity;sid:84700791; rev:1;)
# A two-byte URI such as "/i" is only meaningful together with the exact host match below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.153.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837690/; classtype:trojan-activity;sid:84700790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gear.brightskycore.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837689/; classtype:trojan-activity;sid:84700789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.50.76"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837688/; 
classtype:trojan-activity;sid:84700788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"snap.brightskycore.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837687/; classtype:trojan-activity;sid:84700787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.221.73.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837686/; classtype:trojan-activity;sid:84700786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dash.brightskycore.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837685/; classtype:trojan-activity;sid:84700785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.96.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837684/; classtype:trojan-activity;sid:84700784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837676)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sparc.snoopy"; depth:13; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837676/; classtype:trojan-activity;sid:84700776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc440fp.snoopy"; depth:16; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837677/; classtype:trojan-activity;sid:84700777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837678/; classtype:trojan-activity;sid:84700778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv4l.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837679/; classtype:trojan-activity;sid:84700779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837680/; classtype:trojan-activity;sid:84700780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3837681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4.snoopy"; depth:11; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837681/; classtype:trojan-activity;sid:84700781; rev:1;)
# Every rule in this span names the same http.host value (87.121.84.78) and a URI of the
# form /<prefix>.snoopy, where <prefix> reads like a CPU architecture tag (sh4, armv5l, ppc,
# mips, x86_64, i586, i486, m68k, arc, mipsel). Each URI is matched exactly
# (depth equals the string length, plus endswith), so a filename not listed is not covered.
# For triage, alerts from several of these sids against one internal client point at the
# same remote host; the reference option in each rule links to the individual URLhaus entry.
# `alert http` only fires where the request is visible to Suricata's HTTP parser.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837682/; classtype:trojan-activity;sid:84700782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc.snoopy"; depth:11; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837683/; classtype:trojan-activity;sid:84700783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips.snoopy"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837668/; classtype:trojan-activity;sid:84700768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837669/; classtype:trojan-activity;sid:84700769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586.snoopy"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837670/; classtype:trojan-activity;sid:84700770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486.snoopy"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837671/; classtype:trojan-activity;sid:84700771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k.snoopy"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837672/; classtype:trojan-activity;sid:84700772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc.snoopy"; depth:11; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837673/; classtype:trojan-activity;sid:84700773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel.snoopy"; depth:14; endswith; nocase; http.host; content:"87.121.84.78"; 
depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837674/; classtype:trojan-activity;sid:84700774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686.snoopy"; depth:12; endswith; nocase; http.host; content:"87.121.84.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837675/; classtype:trojan-activity;sid:84700775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837667/; classtype:trojan-activity;sid:84700767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837665/; classtype:trojan-activity;sid:84700765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837666/; classtype:trojan-activity;sid:84700766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837663)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mips"; depth:5; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837663/; classtype:trojan-activity;sid:84700763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"185.104.63.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837664/; classtype:trojan-activity;sid:84700764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_217e325c53350455.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837654/; classtype:trojan-activity;sid:84700754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_160c8ca2c4655956.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837655/; classtype:trojan-activity;sid:84700755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/405567992/6fxqjcf.exe"; depth:28; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837656/; classtype:trojan-activity;sid:84700756; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8424601462/hwmux9p.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837657/; classtype:trojan-activity;sid:84700757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/8635093259/dtq1shl.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837658/; classtype:trojan-activity;sid:84700758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/5407123006/wyktr7b.exe"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837659/; classtype:trojan-activity;sid:84700759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_bb7f5d620b30808a.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837660/; classtype:trojan-activity;sid:84700760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_575798a1df430328.exe"; depth:32; endswith; nocase; http.host; 
content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837661/; classtype:trojan-activity;sid:84700761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/mert/random.exe"; depth:22; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837662/; classtype:trojan-activity;sid:84700762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"host.darkstonebase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837653/; classtype:trojan-activity;sid:84700753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/405567992/azmizki.exe"; depth:28; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837651/; classtype:trojan-activity;sid:84700751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_d6af34a36ddadd95.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837652/; classtype:trojan-activity;sid:84700752; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.231.96"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837650/; classtype:trojan-activity;sid:84700750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.73.217"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837649/; classtype:trojan-activity;sid:84700749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"link.darkstonebase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837648/; classtype:trojan-activity;sid:84700748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.59.155.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837647/; classtype:trojan-activity;sid:84700747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"core.darkstonebase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837646/; classtype:trojan-activity;sid:84700746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.171.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837645/; classtype:trojan-activity;sid:84700745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.233.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837644/; classtype:trojan-activity;sid:84700744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"axis.darkstonebase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837643/; classtype:trojan-activity;sid:84700743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.221.73.137"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837642/; classtype:trojan-activity;sid:84700742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3837641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bolt.darkstonebase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837641/; classtype:trojan-activity;sid:84700741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.29.21"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837640/; classtype:trojan-activity;sid:84700740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.123.193.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837639/; classtype:trojan-activity;sid:84700739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.59.155.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837638/; classtype:trojan-activity;sid:84700738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.92.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837637/; 
classtype:trojan-activity;sid:84700737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"proxy.darkstonebase.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837636/; classtype:trojan-activity;sid:84700736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeno.goldenleafway.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837635/; classtype:trojan-activity;sid:84700735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.168.230.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837634/; classtype:trojan-activity;sid:84700734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wave.goldenleafway.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837633/; classtype:trojan-activity;sid:84700733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837632)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.112.233.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837632/; classtype:trojan-activity;sid:84700732; rev:1;)
# How to read these signatures: each one fires on client-to-server HTTP
# traffic from $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET"
# and whose URI and Host both equal the listed strings. In http.uri,
# depth:<content length> combined with endswith pins the content to the whole
# buffer (nocase makes that comparison case-insensitive); in http.host,
# depth:<content length> plus isdataat:!1,relative does the same. Source and
# destination ports are both "any".
# NOTE(review): a Suricata rule has to sit on one line (or use backslash
# continuation). The rule tail directly above and the rule head on the last
# line of this group belong to rules that were wrapped across a line break.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"spark.goldenleafway.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837631/; classtype:trojan-activity;sid:84700731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.92.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837630/; classtype:trojan-activity;sid:84700730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.12.239.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837629/; classtype:trojan-activity;sid:84700729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.96.98"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837628/; classtype:trojan-activity;sid:84700728; rev:1;)
# sids 84700731, 84700727, 84700723 and 84700721 carry the same 54-byte URI;
# only the goldenleafway.lat subdomain in http.host differs between them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"shift.goldenleafway.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837627/; classtype:trojan-activity;sid:84700727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.123.193.156"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837626/; classtype:trojan-activity;sid:84700726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.159.147"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837625/; classtype:trojan-activity;sid:84700725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.41.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837624/; classtype:trojan-activity;sid:84700724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"macro.goldenleafway.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837623/; classtype:trojan-activity;sid:84700723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.168.230.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837622/; classtype:trojan-activity;sid:84700722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"alpha.goldenleafway.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837621/; classtype:trojan-activity;sid:84700721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nx44.silverwoodhub.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837620/; classtype:trojan-activity;sid:84700720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.113.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, 
urlhaus.abuse.ch/url/3837619/; classtype:trojan-activity;sid:84700719; rev:1;)
# The "/i" signatures in this group match a two-byte URI exactly
# (depth:2 + endswith), so all of their specificity comes from the exact
# Host value paired with it.
# In the rules shown here the sid is the URLhaus entry ID plus 80863100
# (3837618 -> 84700718), and reference:url names the URLhaus entry that
# documents the indicator.
# NOTE(review): keep that sid range free of local rules — presumably the whole
# feed uses the same offset; confirm against the full file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.43.137.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837618/; classtype:trojan-activity;sid:84700718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"neon.silverwoodhub.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837617/; classtype:trojan-activity;sid:84700717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.248.185.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837616/; classtype:trojan-activity;sid:84700716; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.83.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837615/; classtype:trojan-activity;sid:84700715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.33.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837614/; classtype:trojan-activity;sid:84700714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ultra.silverwoodhub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837613/; classtype:trojan-activity;sid:84700713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.214.89"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837612/; classtype:trojan-activity;sid:84700712; rev:1;)
# Host 125.40.19.12 is listed twice in this group: with "/i" here
# (sid 84700711) and with "/bin.sh" in the last rule of the group
# (URLhaus entry 3837605).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.19.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837611/; classtype:trojan-activity;sid:84700711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.202.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837610/; classtype:trojan-activity;sid:84700710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"trace.silverwoodhub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837609/; classtype:trojan-activity;sid:84700709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.28.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837607/; classtype:trojan-activity;sid:84700707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.173.77.227"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837608/; classtype:trojan-activity;sid:84700708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.113.209.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837606/; classtype:trojan-activity;sid:84700706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.19.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837605/; 
classtype:trojan-activity;sid:84700705; rev:1;)
# Several hosts in this group are covered by two signatures, one per path:
# 115.56.96.90 has "/i" (sid 84700703) and "/bin.sh" (sid 84700692). Both
# rules share the same msg prefix and classtype, so the sid, the URLhaus ID in
# msg and the reference URL are what tell the two alerts apart.
# NOTE(review): grouping alerts by internal source address and Host value
# during triage avoids counting one infected client as two incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.33.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837604/; classtype:trojan-activity;sid:84700704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.56.96.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837603/; classtype:trojan-activity;sid:84700703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.113.42"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837601/; classtype:trojan-activity;sid:84700701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.43.137.126"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837602/; classtype:trojan-activity;sid:84700702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pulse.silverwoodhub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837600/; classtype:trojan-activity;sid:84700700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.98.68.153"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837599/; classtype:trojan-activity;sid:84700699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.93.201.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837598/; classtype:trojan-activity;sid:84700698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.248.185.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837597/; classtype:trojan-activity;sid:84700697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"delta.silverwoodhub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837596/; classtype:trojan-activity;sid:84700696; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837595/; classtype:trojan-activity;sid:84700695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"logic.oceanstormview.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837594/; classtype:trojan-activity;sid:84700694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.229.176.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837593/; classtype:trojan-activity;sid:84700693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.56.96.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837592/; classtype:trojan-activity;sid:84700692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.113.209.104"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837591/; 
classtype:trojan-activity;sid:84700691; rev:1;)
# Every signature in this group is an "alert http" rule, so it inspects parsed
# HTTP requests only.
# NOTE(review): a request for the same host name carried inside TLS would
# presumably not reach the http.uri / http.host buffers unless the sensor sees
# decrypted traffic; for the named domains, pairing with tls.sni or dns.query
# based detection is worth considering — confirm against sensor placement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.28.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837590/; classtype:trojan-activity;sid:84700690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"point.oceanstormview.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837589/; classtype:trojan-activity;sid:84700689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.94.124.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837588/; classtype:trojan-activity;sid:84700688; rev:1;)
# sid 84700687 pairs the generic path "/update" with the exact Host
# "ggc-partners.top". The path alone is not distinctive; the exact-host
# condition is what keeps the match narrow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; endswith; nocase; http.host; content:"ggc-partners.top"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837587/; classtype:trojan-activity;sid:84700687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"edge.oceanstormview.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837586/; classtype:trojan-activity;sid:84700686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tetra.oceanstormview.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837585/; classtype:trojan-activity;sid:84700685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.105.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837584/; classtype:trojan-activity;sid:84700684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837582/; classtype:trojan-activity;sid:84700682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.83.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837583/; classtype:trojan-activity;sid:84700683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"quant.oceanstormview.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837581/; classtype:trojan-activity;sid:84700681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"meta.oceanstormview.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837580/; classtype:trojan-activity;sid:84700680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.52.248.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837579/; classtype:trojan-activity;sid:84700679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.94.124.203"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837578/; classtype:trojan-activity;sid:84700678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837577)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.105.106"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837577/; classtype:trojan-activity;sid:84700677; rev:1;)
# Six urbanlogicgrid.lat subdomains in this group (orbit, byte, sonic, grid,
# atlas, sync) are paired with one and the same 54-byte URI. Each signature
# names one full host name (depth:<len> + isdataat:!1,relative), so a
# subdomain that is not listed is not matched by any of them.
# NOTE(review): coverage therefore follows the feed's enumeration. A local
# signature keyed on the shared URI could complement it — assess
# false-positive risk before enabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"orbit.urbanlogicgrid.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837576/; classtype:trojan-activity;sid:84700676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"byte.urbanlogicgrid.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837575/; classtype:trojan-activity;sid:84700675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.211.147.71"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837574/; classtype:trojan-activity;sid:84700674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.61.114.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837573/; classtype:trojan-activity;sid:84700673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sonic.urbanlogicgrid.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837572/; classtype:trojan-activity;sid:84700672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.248.3"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837571/; classtype:trojan-activity;sid:84700671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.186.27"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837570/; classtype:trojan-activity;sid:84700670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"grid.urbanlogicgrid.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837569/; classtype:trojan-activity;sid:84700669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.143.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837568/; classtype:trojan-activity;sid:84700668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"atlas.urbanlogicgrid.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837567/; classtype:trojan-activity;sid:84700667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sync.urbanlogicgrid.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837566/; classtype:trojan-activity;sid:84700666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"beta.rapidfirepixel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837565/; classtype:trojan-activity;sid:84700665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"infra.rapidfirepixel.lat"; depth:24; 
isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837564/; classtype:trojan-activity;sid:84700664; rev:1;)
# The destination in every rule here is "$EXTERNAL_NET any". An IP-literal
# value such as "123.8.44.4" is therefore compared with the text of the HTTP
# Host buffer, not with the packet's destination address: the rule header
# places no constraint on which external IP or port the request goes to.
# NOTE(review): confirm how the deployed Suricata version normalises a Host
# header that carries an explicit port before relying on the exact-length
# match (depth:<len> + isdataat:!1,relative).
# NOTE(review): all indicators in this group carry
# metadata:created_at 2026_05_03 and are point-in-time observations; an alert
# on an old entry should be checked against the referenced URLhaus page.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.45.66.19"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837563/; classtype:trojan-activity;sid:84700663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"prime.rapidfirepixel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837562/; classtype:trojan-activity;sid:84700662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.34.66"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837561/; classtype:trojan-activity;sid:84700661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.44.4"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837560/; classtype:trojan-activity;sid:84700660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.61.114.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837559/; classtype:trojan-activity;sid:84700659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"113.237.104.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837558/; classtype:trojan-activity;sid:84700658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.177.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837557/; classtype:trojan-activity;sid:84700657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837556/; classtype:trojan-activity;sid:84700656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flux.rapidfirepixel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837555/; classtype:trojan-activity;sid:84700655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"node.rapidfirepixel.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837554/; classtype:trojan-activity;sid:84700654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.34.66"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837553/; classtype:trojan-activity;sid:84700653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.223.106"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837552/; classtype:trojan-activity;sid:84700652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.52.213.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837551/; classtype:trojan-activity;sid:84700651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"cyber.rapidfirepixel.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837550/; classtype:trojan-activity;sid:84700650; rev:1;)
# Every signature in this group uses the "alert" action with
# classtype:trojan-activity and rev:1: a match produces an event and nothing
# in the rule itself blocks the request.
# NOTE(review): turning any of these into blocking rules on an inline sensor
# is a local policy decision. Apply it through rule-management tooling keyed
# on the sid rather than by editing this text, which is presumably
# regenerated on each feed update (the file header carries a "Last updated"
# stamp).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837549/; classtype:trojan-activity;sid:84700649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.44.4"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837548/; classtype:trojan-activity;sid:84700648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.102.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837547/; classtype:trojan-activity;sid:84700647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"113.237.104.96"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837546/; classtype:trojan-activity;sid:84700646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.208.202.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837545/; classtype:trojan-activity;sid:84700645; rev:1;)
# starlightnova.lat: the omni, kilo and vortex subdomains below reuse one
# 54-byte URI; the three rules differ only in the http.host content and its
# depth.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"omni.starlightnova.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837544/; classtype:trojan-activity;sid:84700644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.12.239.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837543/; classtype:trojan-activity;sid:84700643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.245.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837542/; classtype:trojan-activity;sid:84700642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.177.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837541/; classtype:trojan-activity;sid:84700641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.106.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837540/; classtype:trojan-activity;sid:84700640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.213.112"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837539/; classtype:trojan-activity;sid:84700639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kilo.starlightnova.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837538/; classtype:trojan-activity;sid:84700638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vortex.starlightnova.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837537/; classtype:trojan-activity;sid:84700637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l0rn"; depth:5; endswith; nocase; http.host; 
content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837526/; classtype:trojan-activity;sid:84700626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rhfi"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837527/; classtype:trojan-activity;sid:84700627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w5rt"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837528/; classtype:trojan-activity;sid:84700628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4r0"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837529/; classtype:trojan-activity;sid:84700629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raek"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837530/; classtype:trojan-activity;sid:84700630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837531)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ac6"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837531/; classtype:trojan-activity;sid:84700631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/95sz"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837532/; classtype:trojan-activity;sid:84700632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oz4"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837533/; classtype:trojan-activity;sid:84700633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qs1"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837534/; classtype:trojan-activity;sid:84700634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5da"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837535/; classtype:trojan-activity;sid:84700635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3837536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yxzv"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837536/; classtype:trojan-activity;sid:84700636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.208.202.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837525/; classtype:trojan-activity;sid:84700625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jtxt"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837523/; classtype:trojan-activity;sid:84700623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jyh"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837524/; classtype:trojan-activity;sid:84700624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.104.55"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837522/; classtype:trojan-activity;sid:84700622; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.202.70.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837521/; classtype:trojan-activity;sid:84700621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeta.starlightnova.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837520/; classtype:trojan-activity;sid:84700620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.245.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837519/; classtype:trojan-activity;sid:84700619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"118.34.109.121"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837518/; classtype:trojan-activity;sid:84700618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.231.145.15"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_03; reference:url, urlhaus.abuse.ch/url/3837517/; classtype:trojan-activity;sid:84700617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pulse.starlightnova.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837516/; classtype:trojan-activity;sid:84700616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mobi.starlightnova.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837515/; classtype:trojan-activity;sid:84700615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.202.70.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837514/; classtype:trojan-activity;sid:84700614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mass.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837513/; classtype:trojan-activity;sid:84700613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3837512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.206.90.9"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837512/; classtype:trojan-activity;sid:84700612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"area.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837511/; classtype:trojan-activity;sid:84700611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"hard.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837510/; classtype:trojan-activity;sid:84700610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"base.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837509/; classtype:trojan-activity;sid:84700609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837508)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rock.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837508/; classtype:trojan-activity;sid:84700608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"iron.solidstonecore.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837507/; classtype:trojan-activity;sid:84700607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"45.231.145.15"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837506/; classtype:trojan-activity;sid:84700606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.46.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837505/; classtype:trojan-activity;sid:84700605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.244.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837504/; 
classtype:trojan-activity;sid:84700604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.229.220.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837502/; classtype:trojan-activity;sid:84700602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"temp.darkwinterlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837503/; classtype:trojan-activity;sid:84700603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"site.darkwinterlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837501/; classtype:trojan-activity;sid:84700601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.46.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837500/; classtype:trojan-activity;sid:84700600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837499)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zone.darkwinterlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837499/; classtype:trojan-activity;sid:84700599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.238.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837498/; classtype:trojan-activity;sid:84700598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"frost.darkwinterlab.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837497/; classtype:trojan-activity;sid:84700597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ice.darkwinterlab.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837496/; classtype:trojan-activity;sid:84700596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.229.220.252"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, 
urlhaus.abuse.ch/url/3837495/; classtype:trojan-activity;sid:84700595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.252.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837494/; classtype:trojan-activity;sid:84700594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"cold.darkwinterlab.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837493/; classtype:trojan-activity;sid:84700593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.50.185"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837492/; classtype:trojan-activity;sid:84700592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.238.29"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837491/; classtype:trojan-activity;sid:84700591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837490)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"high.brightskyway.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837490/; classtype:trojan-activity;sid:84700590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"airy.brightskyway.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837489/; classtype:trojan-activity;sid:84700589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.233.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837488/; classtype:trojan-activity;sid:84700588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"view.brightskyway.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837487/; classtype:trojan-activity;sid:84700587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.40.0.177"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, 
urlhaus.abuse.ch/url/3837486/; classtype:trojan-activity;sid:84700586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.14.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837485/; classtype:trojan-activity;sid:84700585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"star.brightskyway.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837484/; classtype:trojan-activity;sid:84700584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.124.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837483/; classtype:trojan-activity;sid:84700583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.252.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837482/; classtype:trojan-activity;sid:84700582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837481)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"blue.brightskyway.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837481/; classtype:trojan-activity;sid:84700581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.153.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837480/; classtype:trojan-activity;sid:84700580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wing.brightskyway.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837479/; classtype:trojan-activity;sid:84700579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.124.132"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837478/; classtype:trojan-activity;sid:84700578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"park.greenforesthub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, 
urlhaus.abuse.ch/url/3837477/; classtype:trojan-activity;sid:84700577; rev:1;)
# Rule template used by every complete rule below (one rule per URLhaus entry):
#   - alert on cleartext HTTP from $HOME_NET to $EXTERNAL_NET, client side of an
#     established flow, request method GET.
#   - http.uri: depth equals the content length and endswith pins the end of the
#     buffer, so the URI must equal the listed path exactly (case-insensitive via
#     nocase). A query string or extra path segment means no match.
#   - http.host: depth equals the content length and isdataat:!1,relative requires
#     that no byte follows the match, so the host must equal the listed value exactly.
#   - For the rules shown here, sid = URLhaus id (the number in msg/reference) + 80863100.
# NOTE(review): the protocol is http, so the same URL fetched over TLS raises no
# alert here unless traffic is decrypted upstream; pair with DNS / TLS SNI
# telemetry for the listed hosts.
# NOTE(review): one 54-byte path recurs below under several subdomains of
# greenforesthub.lat and magicgoldlogic.lat. Each rule pins one exact host, so a
# subdomain not yet in the feed goes unmatched; a local hunt on that path
# regardless of host may be a useful complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.51.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837476/; classtype:trojan-activity;sid:84700576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wild.greenforesthub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837475/; classtype:trojan-activity;sid:84700575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wood.greenforesthub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_03; reference:url, urlhaus.abuse.ch/url/3837474/; classtype:trojan-activity;sid:84700574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.233.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837473/; classtype:trojan-activity;sid:84700573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tree.greenforesthub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837472/; classtype:trojan-activity;sid:84700572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.52.244.32"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837471/; classtype:trojan-activity;sid:84700571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"root.greenforesthub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837470/; classtype:trojan-activity;sid:84700570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"leaf.greenforesthub.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837469/; classtype:trojan-activity;sid:84700569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.51.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837468/; classtype:trojan-activity;sid:84700568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.9.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837467/; classtype:trojan-activity;sid:84700567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rich.magicgoldlogic.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837466/; classtype:trojan-activity;sid:84700566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.94.176"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837465/; classtype:trojan-activity;sid:84700565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vault.magicgoldlogic.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837464/; classtype:trojan-activity;sid:84700564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.161.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837463/; classtype:trojan-activity;sid:84700563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.40.0.177"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837462/; classtype:trojan-activity;sid:84700562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"coin.magicgoldlogic.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837461/; classtype:trojan-activity;sid:84700561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"key.magicgoldlogic.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837460/; classtype:trojan-activity;sid:84700560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.9.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837459/; classtype:trojan-activity;sid:84700559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pure.magicgoldlogic.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837458/; classtype:trojan-activity;sid:84700558; rev:1;)
# The rules from here on all pin Host 89.144.31.35 and differ only in a short URI path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4o0g"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837457/; classtype:trojan-activity;sid:84700557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j18u"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837452/; classtype:trojan-activity;sid:84700552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rn8i"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837453/; classtype:trojan-activity;sid:84700553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837454)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/bocv"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837454/; classtype:trojan-activity;sid:84700554; rev:1;)
# Every rule in this run pins Host 89.144.31.35 (depth:12 plus isdataat:!1,relative
# means the host buffer must be exactly that string) and one exact URI path
# (depth equal to the content length plus endswith). They differ only in the path,
# the URLhaus id and the sid.
# NOTE(review): an exact-URL rule cannot alert on a path that is not yet in the
# feed. With this many distinct paths listed for one address, reviewing any
# outbound HTTP to this host in flow/proxy logs is a useful complement.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z6i"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837455/; classtype:trojan-activity;sid:84700555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shi"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837456/; classtype:trojan-activity;sid:84700556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gmx"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837450/; classtype:trojan-activity;sid:84700550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mj3f"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837451/; classtype:trojan-activity;sid:84700551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prd0"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837444/; classtype:trojan-activity;sid:84700544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zuh"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837445/; classtype:trojan-activity;sid:84700545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i8l"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837446/; classtype:trojan-activity;sid:84700546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mvg"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837447/; classtype:trojan-activity;sid:84700547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xde"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837448/; classtype:trojan-activity;sid:84700548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bpb"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837449/; classtype:trojan-activity;sid:84700549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q5a"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837412/; classtype:trojan-activity;sid:84700512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rb2"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837413/; classtype:trojan-activity;sid:84700513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jrtq"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837414/; classtype:trojan-activity;sid:84700514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02r"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837415/; classtype:trojan-activity;sid:84700515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w9p"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837416/; classtype:trojan-activity;sid:84700516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ljs"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837417/; classtype:trojan-activity;sid:84700517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jln"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837418/; classtype:trojan-activity;sid:84700518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tpo"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837419/; classtype:trojan-activity;sid:84700519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/00y"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837420/; classtype:trojan-activity;sid:84700520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugnm"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837421/; classtype:trojan-activity;sid:84700521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b6k"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837422/; classtype:trojan-activity;sid:84700522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t03g"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837423/; classtype:trojan-activity;sid:84700523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vcs"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837424/; classtype:trojan-activity;sid:84700524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ypod"; depth:5; endswith; nocase;
http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837425/; classtype:trojan-activity;sid:84700525; rev:1;)
# Triage aid for the rules below: the number in msg and in the reference URL is
# the URLhaus entry id, and for every rule shown here sid = that id + 80863100,
# so an alert's sid maps straight back to the URLhaus record.
# metadata:created_at is the only date a rule carries.
# NOTE(review): created_at presumably records when the rule/entry was generated
# (confirm against the feed docs); it does not say whether the URL is still live,
# so keep the ruleset refreshed rather than accumulating old copies.
# All rules in this run match GET requests to Host 89.144.31.35 with one exact
# URI path each (nocase applies to the URI content only).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ncs"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837426/; classtype:trojan-activity;sid:84700526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m0un"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837427/; classtype:trojan-activity;sid:84700527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5uob"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837428/; classtype:trojan-activity;sid:84700528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ng9"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837429/; classtype:trojan-activity;sid:84700529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nav"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837430/; classtype:trojan-activity;sid:84700530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lpbj"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837431/; classtype:trojan-activity;sid:84700531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wjv"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837432/; classtype:trojan-activity;sid:84700532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tbf"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837433/; classtype:trojan-activity;sid:84700533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ykg"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837434/; classtype:trojan-activity;sid:84700534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dtg"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837435/; classtype:trojan-activity;sid:84700535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tyu"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837436/; classtype:trojan-activity;sid:84700536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zvl"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837437/; classtype:trojan-activity;sid:84700537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/icw"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837438/; classtype:trojan-activity;sid:84700538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lei1"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837439/; classtype:trojan-activity;sid:84700539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cis"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837440/; classtype:trojan-activity;sid:84700540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5tli"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837441/; classtype:trojan-activity;sid:84700541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jrm"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837442/; classtype:trojan-activity;sid:84700542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iyah"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837443/; classtype:trojan-activity;sid:84700543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vlsq"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837408/; classtype:trojan-activity;sid:84700508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8fw"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837409/; classtype:trojan-activity;sid:84700509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ceaz"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837410/; classtype:trojan-activity;sid:84700510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b32o"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837411/; classtype:trojan-activity;sid:84700511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rkyh"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837403/; classtype:trojan-activity;sid:84700503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gy3"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative;
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837404/; classtype:trojan-activity;sid:84700504; rev:1;)
# Each rule below is an exact-URL match on cleartext HTTP GET: http.uri must equal
# the listed path (depth = content length, endswith, nocase) and http.host must
# equal the listed host (depth = content length, isdataat:!1,relative).
# The first two rules close the run of entries for Host 89.144.31.35.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3ye"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837405/; classtype:trojan-activity;sid:84700505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxt"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837406/; classtype:trojan-activity;sid:84700506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"167.250.158.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837407/; classtype:trojan-activity;sid:84700507; rev:1;)
# The next four rules list the same two paths twice: once with an IP literal as
# Host and once with a hostname. Because the host match is exact, each form needs
# its own rule.
# NOTE(review): presumably the hostname and the IP are the same server; verify
# before correlating alerts on that assumption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wget.sh"; depth:13; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837399/; classtype:trojan-activity;sid:84700499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm4"; depth:14; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837400/; classtype:trojan-activity;sid:84700500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm4"; depth:14; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837401/; classtype:trojan-activity;sid:84700501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wget.sh"; depth:13; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837402/; classtype:trojan-activity;sid:84700502; rev:1;)
# Below, one 54-byte URI path repeats under several subdomains of
# magicgoldlogic.lat and boldfirestep.lat, interleaved with IP-literal hosts
# serving "/i" and "/bin.sh".
# NOTE(review): the single-character path "/i" is only meaningful together with
# the exact host match; do not reuse the URI condition on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.176.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837398/; classtype:trojan-activity;sid:84700498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"atom.magicgoldlogic.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837397/; classtype:trojan-activity;sid:84700497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dash.boldfirestep.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837396/; classtype:trojan-activity;sid:84700496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.45.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837395/; classtype:trojan-activity;sid:84700495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kick.boldfirestep.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837394/; classtype:trojan-activity;sid:84700494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"jump.boldfirestep.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837393/; classtype:trojan-activity;sid:84700493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fast.boldfirestep.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837392/; classtype:trojan-activity;sid:84700492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.236.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837391/; classtype:trojan-activity;sid:84700491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.120.1.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837389/; classtype:trojan-activity;sid:84700489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.53.12.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837390/; classtype:trojan-activity;sid:84700490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"run.boldfirestep.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837388/; classtype:trojan-activity;sid:84700488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.228.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837387/; classtype:trojan-activity;sid:84700487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fe.boldfirestep.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837386/; classtype:trojan-activity;sid:84700486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fire.boldfirestep.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837385/; classtype:trojan-activity;sid:84700485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.55.236.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837384/; classtype:trojan-activity;sid:84700484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837383)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"salt.oceanwavepoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837383/; classtype:trojan-activity;sid:84700483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.58.131.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837382/; classtype:trojan-activity;sid:84700482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.120.1.90"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837381/; classtype:trojan-activity;sid:84700481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"deep.oceanwavepoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837380/; classtype:trojan-activity;sid:84700480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.53.12.146"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837379/; 
classtype:trojan-activity;sid:84700479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.4.2.146"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837378/; classtype:trojan-activity;sid:84700478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"reef.oceanwavepoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837377/; classtype:trojan-activity;sid:84700477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.138.124.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837376/; classtype:trojan-activity;sid:84700476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.199.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837375/; classtype:trojan-activity;sid:84700475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837374)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tide.oceanwavepoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837374/; classtype:trojan-activity;sid:84700474; rev:1;)
# Each rule here pins one URLhaus URL: a client-side GET on an established outbound
# HTTP flow whose URI buffer equals the quoted path (depth = string length, endswith,
# nocase) and whose Host buffer equals the quoted value (depth = string length,
# isdataat:!1,relative).
# Reading the alerts:
#   - Several destinations are listed twice, once for "/i" and once for "/bin.sh"
#     (e.g. 219.156.143.216, 222.137.144.204); grouping alerts by destination host
#     gives a clearer picture than counting sids.
#   - The long UUID-style path is identical across every oceanwavepoint.lat and
#     urbanflowbase.lat subdomain below while only the leftmost label changes, so the
#     path is the more stable indicator when searching proxy or HTTP logs for
#     related requests.
#   - Rules inspect traffic Suricata parses as HTTP only; they say nothing about the
#     same hosts reached over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.228.3"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837373/; classtype:trojan-activity;sid:84700473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.137.144.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837372/; classtype:trojan-activity;sid:84700472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.205.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837371/; classtype:trojan-activity;sid:84700471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"surf.oceanwavepoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837370/; classtype:trojan-activity;sid:84700470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.69.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837369/; classtype:trojan-activity;sid:84700469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.193.76.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837368/; classtype:trojan-activity;sid:84700468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"jazz.oceanwavepoint.lat"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837367/; classtype:trojan-activity;sid:84700467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.137.144.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837366/; classtype:trojan-activity;sid:84700466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gate.urbanflowbase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837365/; classtype:trojan-activity;sid:84700465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.72.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837364/; classtype:trojan-activity;sid:84700464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.227.22.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837363/; classtype:trojan-activity;sid:84700463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"host.urbanflowbase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837362/; classtype:trojan-activity;sid:84700462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.156.143.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837361/; classtype:trojan-activity;sid:84700461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.156.143.216"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837360/; classtype:trojan-activity;sid:84700460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.229.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837359/; classtype:trojan-activity;sid:84700459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.242.128.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837358/; classtype:trojan-activity;sid:84700458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mode.urbanflowbase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837357/; classtype:trojan-activity;sid:84700457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.137.158.117"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837356/; classtype:trojan-activity;sid:84700456; rev:1;)
# One rule per URLhaus entry. Each fires on a client GET over cleartext HTTP from
# $HOME_NET to $EXTERNAL_NET when both buffers match exactly:
#   http.uri  == quoted path  (depth = path length, endswith, nocase)
#   http.host == quoted host  (depth = host length, isdataat:!1,relative)
# The number in msg and in the reference URL is the URLhaus entry id; for the rules
# visible here sid = that id + 80863100, which lets an alert be traced back to its
# URLhaus page from the sid alone.
# Contents of this stretch:
#   - "/i" and "/bin.sh" on bare IPv4 hosts; several hosts carry both paths
#     (110.37.42.62, 182.126.90.246, 196.191.104.3).
#   - the fixed UUID-style path on subdomains of urbanflowbase.lat and powertechlink.lat.
#   - one "/bin/support.client.exe" entry (host 91.206.169.134).
# classtype is trojan-activity for all of them; the rules themselves carry no malware
# family name, so take attribution from the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"apex.urbanflowbase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837355/; classtype:trojan-activity;sid:84700455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.42.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837354/; classtype:trojan-activity;sid:84700454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"skip.urbanflowbase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837353/; classtype:trojan-activity;sid:84700453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.206.169.134"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837352/; classtype:trojan-activity;sid:84700452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"echo.urbanflowbase.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837351/; classtype:trojan-activity;sid:84700451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.158.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837350/; classtype:trojan-activity;sid:84700450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sync.powertechlink.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837349/; classtype:trojan-activity;sid:84700449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.119.199.247"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837348/; classtype:trojan-activity;sid:84700448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"byte.powertechlink.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837347/; classtype:trojan-activity;sid:84700447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.42.62"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837346/; classtype:trojan-activity;sid:84700446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"neon.powertechlink.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837345/; classtype:trojan-activity;sid:84700445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837344/; classtype:trojan-activity;sid:84700444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"grid.powertechlink.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837343/; classtype:trojan-activity;sid:84700443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.104.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837340/; classtype:trojan-activity;sid:84700440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.126.90.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837341/; classtype:trojan-activity;sid:84700441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.126.90.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837342/; classtype:trojan-activity;sid:84700442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.191.104.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837339/; classtype:trojan-activity;sid:84700439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeta.powertechlink.lat"; depth:22; isdataat:!1,relative; metadata:created_at 
2026_05_02; reference:url, urlhaus.abuse.ch/url/3837338/; classtype:trojan-activity;sid:84700438; rev:1;)
# Exact-match download-URL indicators: each rule alerts on an outbound cleartext HTTP
# GET whose URI buffer equals the quoted path (depth = length, endswith, nocase) and
# whose Host buffer equals the quoted host (depth = length, isdataat:!1,relative).
#
# Besides the "/i", "/bin.sh" and UUID-path entries, this stretch lists
# "/bin/support.client.exe" and "/bin/screenconnect.clientsetup.exe" on hosts in
# 45.94.31.0/24, 45.92.1.0/24 and on 45.83.31.24.
# NOTE(review): those file names resemble a ScreenConnect remote-access client
# installer; presumably the listed hosts serve such an installer from non-vendor
# infrastructure. Confirm against the referenced URLhaus entries before triage.
# Because the Host buffer must also match, a download of a same-named file from
# any other host does not trigger these rules.
# When one of these alerts fires, checking the endpoint for a newly installed
# remote-access client is a reasonable follow-up; the alert itself only shows the
# request was made.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.124.56"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837337/; classtype:trojan-activity;sid:84700437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nova.powertechlink.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837336/; classtype:trojan-activity;sid:84700436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.68.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837335/; classtype:trojan-activity;sid:84700435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nx88.silvermoonlight.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837334/; classtype:trojan-activity;sid:84700434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.94.31.109"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837332/; classtype:trojan-activity;sid:84700432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.94.31.109"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837333/; classtype:trojan-activity;sid:84700433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.70.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837331/; classtype:trojan-activity;sid:84700431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.94.31.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837330/; classtype:trojan-activity;sid:84700430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.94.31.52"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837329/; classtype:trojan-activity;sid:84700429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.94.31.23"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837328/; classtype:trojan-activity;sid:84700428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.92.1.222"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837327/; classtype:trojan-activity;sid:84700427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeno.silvermoonlight.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837326/; classtype:trojan-activity;sid:84700426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.92.1.27"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837325/; classtype:trojan-activity;sid:84700425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.92.1.27"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837324/; classtype:trojan-activity;sid:84700424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.148.207.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837323/; classtype:trojan-activity;sid:84700423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.207.70"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837322/; classtype:trojan-activity;sid:84700422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"45.83.31.24"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837321/; classtype:trojan-activity;sid:84700421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.arm7"; depth:45; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837309/; 
classtype:trojan-activity;sid:84700409; rev:1;)
# Rules with sids 84700409-84700420 all name host 192.159.99.114 and the same
# directory and base name ("/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa"), differing
# only in the suffix: arm7, sh4, i686, arm, arm5, x86_64, arm6, mpsl, m68k, ppc,
# spc, mips.
# NOTE(review): the suffixes look like CPU-architecture tags, i.e. one build of the
# same payload per architecture; confirm on the referenced URLhaus entries.
# For triage, the suffix in the alerting rule hints at the kind of device that made
# the request, and several of these sids from one source in a short window
# presumably indicate a script trying each build in turn.
#
# Matching is exact for every rule here: URI buffer == quoted path
# (depth = length, endswith, nocase), Host buffer == quoted host (depth = length,
# isdataat:!1,relative), GET only, client-to-server on an established HTTP flow.
#
# The remaining entries list "/bin/screenconnect.clientsetup.exe" on 193.26.115.x,
# 192.159.99.158, 45.83.31.24 and 45.88.186.95.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.sh4"; depth:44; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837310/; classtype:trojan-activity;sid:84700410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.i686"; depth:45; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837311/; classtype:trojan-activity;sid:84700411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.arm"; depth:44; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837312/; classtype:trojan-activity;sid:84700412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.arm5"; depth:45; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837313/; classtype:trojan-activity;sid:84700413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.x86_64"; depth:47; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837314/; classtype:trojan-activity;sid:84700414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.arm6"; depth:45; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837315/; classtype:trojan-activity;sid:84700415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.mpsl"; depth:45; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837316/; classtype:trojan-activity;sid:84700416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.m68k"; depth:45; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837317/; classtype:trojan-activity;sid:84700417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.ppc"; depth:44; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837318/; classtype:trojan-activity;sid:84700418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.spc"; depth:44; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837319/; classtype:trojan-activity;sid:84700419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kkvettgaaasecnnaaaa/kkvettgaaasecnnaaaa.mips"; depth:45; endswith; nocase; http.host; content:"192.159.99.114"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837320/; classtype:trojan-activity;sid:84700420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.26.115.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837307/; classtype:trojan-activity;sid:84700407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"192.159.99.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837308/; classtype:trojan-activity;sid:84700408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.26.115.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837304/; classtype:trojan-activity;sid:84700404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.83.31.24"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837305/; classtype:trojan-activity;sid:84700405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"193.26.115.200"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837306/; classtype:trojan-activity;sid:84700406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.88.186.95"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837303/; classtype:trojan-activity;sid:84700403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; 
nocase; http.host; content:"45.83.31.75"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837299/; classtype:trojan-activity;sid:84700399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"193.26.115.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837300/; classtype:trojan-activity;sid:84700400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"193.26.115.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837301/; classtype:trojan-activity;sid:84700401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"192.159.99.158"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837302/; classtype:trojan-activity;sid:84700402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.243.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837298/; classtype:trojan-activity;sid:84700398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3837297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"124.198.131.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837297/; classtype:trojan-activity;sid:84700397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"124.198.132.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837293/; classtype:trojan-activity;sid:84700393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"45.83.31.82"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837294/; classtype:trojan-activity;sid:84700394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.243.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837295/; classtype:trojan-activity;sid:84700395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; 
content:"91.92.243.149"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837296/; classtype:trojan-activity;sid:84700396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"124.198.132.186"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837291/; classtype:trojan-activity;sid:84700391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.243.176"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837292/; classtype:trojan-activity;sid:84700392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"94.154.35.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837290/; classtype:trojan-activity;sid:84700390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flux.silvermoonlight.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837289/; classtype:trojan-activity;sid:84700389; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.127.128.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837288/; classtype:trojan-activity;sid:84700388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"axis.silvermoonlight.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837287/; classtype:trojan-activity;sid:84700387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.68.65"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837286/; classtype:trojan-activity;sid:84700386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bolt.silvermoonlight.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837285/; classtype:trojan-activity;sid:84700385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"120.28.119.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837284/; classtype:trojan-activity;sid:84700384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.47.78.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837283/; classtype:trojan-activity;sid:84700383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.152.102.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837282/; classtype:trojan-activity;sid:84700382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vibe.silvermoonlight.lat"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837281/; classtype:trojan-activity;sid:84700381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.128.171"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837279/; classtype:trojan-activity;sid:84700379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3837280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.47.78.81"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837280/; classtype:trojan-activity;sid:84700380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.78.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837278/; classtype:trojan-activity;sid:84700378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"0rgan3-port.gabard-viewed.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837277/; classtype:trojan-activity;sid:84700377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.143.147"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837276/; classtype:trojan-activity;sid:84700376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837275/; 
classtype:trojan-activity;sid:84700375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sub-c0ve.gabard-viewed.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837274/; classtype:trojan-activity;sid:84700374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"36qgwr.gabard-viewed.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837273/; classtype:trojan-activity;sid:84700373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.14.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837272/; classtype:trojan-activity;sid:84700372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.78.216"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837271/; classtype:trojan-activity;sid:84700371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837270)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"motifroy.gabard-viewed.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837270/; classtype:trojan-activity;sid:84700370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"p1a5m2-cast.gabard-viewed.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837269/; classtype:trojan-activity;sid:84700369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"broad-royal.gabard-viewed.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837268/; classtype:trojan-activity;sid:84700368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.188.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837267/; classtype:trojan-activity;sid:84700367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.11.14.173"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_05_02; reference:url, urlhaus.abuse.ch/url/3837266/; classtype:trojan-activity;sid:84700366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"168.227.163.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837265/; classtype:trojan-activity;sid:84700365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.163.110"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837264/; classtype:trojan-activity;sid:84700364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"buildsprout.gabard-viewed.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837263/; classtype:trojan-activity;sid:84700363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.76.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837262/; classtype:trojan-activity;sid:84700362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837261)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vormesh8or.breadpotho1e.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837261/; classtype:trojan-activity;sid:84700361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"p5dyz1.breadpotho1e.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837260/; classtype:trojan-activity;sid:84700360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.242.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837259/; classtype:trojan-activity;sid:84700359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.242.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837258/; classtype:trojan-activity;sid:84700358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.241.91"; depth:12; isdataat:!1,relative; metadata:created_at 
2026_05_02; reference:url, urlhaus.abuse.ch/url/3837257/; classtype:trojan-activity;sid:84700357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.241.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837255/; classtype:trojan-activity;sid:84700355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.240.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837256/; classtype:trojan-activity;sid:84700356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.241.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837254/; classtype:trojan-activity;sid:84700354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.241.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837252/; classtype:trojan-activity;sid:84700352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837253)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.241.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837253/; classtype:trojan-activity;sid:84700353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837251/; classtype:trojan-activity;sid:84700351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837243/; classtype:trojan-activity;sid:84700343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.168"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837244/; classtype:trojan-activity;sid:84700344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.99"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, 
urlhaus.abuse.ch/url/3837245/; classtype:trojan-activity;sid:84700345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.73"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837246/; classtype:trojan-activity;sid:84700346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837247/; classtype:trojan-activity;sid:84700347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.156"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837248/; classtype:trojan-activity;sid:84700348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"91.92.241.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837249/; classtype:trojan-activity;sid:84700349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837250)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.241.192"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837250/; classtype:trojan-activity;sid:84700350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"31.211.189.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837242/; classtype:trojan-activity;sid:84700342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"0gf8.breadpotho1e.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837241/; classtype:trojan-activity;sid:84700341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"136.60.32.162"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837240/; classtype:trojan-activity;sid:84700340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"168.227.163.32"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837239/; classtype:trojan-activity;sid:84700339; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rq6yosv.breadpotho1e.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837238/; classtype:trojan-activity;sid:84700338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.54.192.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837237/; classtype:trojan-activity;sid:84700337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gj5n.breadpotho1e.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837236/; classtype:trojan-activity;sid:84700336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.49.65.41"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837235/; classtype:trojan-activity;sid:84700335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; 
nocase; http.host; content:"178.16.54.186"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837234/; classtype:trojan-activity;sid:84700334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.55.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837233/; classtype:trojan-activity;sid:84700333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.55.117"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837230/; classtype:trojan-activity;sid:84700330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.54.158"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837231/; classtype:trojan-activity;sid:84700331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.55.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837232/; classtype:trojan-activity;sid:84700332; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.55.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837229/; classtype:trojan-activity;sid:84700329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.55.124"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837226/; classtype:trojan-activity;sid:84700326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.55.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837227/; classtype:trojan-activity;sid:84700327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.55.22"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837228/; classtype:trojan-activity;sid:84700328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b"; depth:2; endswith; nocase; http.host; content:"130.12.180.141"; depth:14; 
isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837225/; classtype:trojan-activity;sid:84700325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.54.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837223/; classtype:trojan-activity;sid:84700323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.54.224"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837224/; classtype:trojan-activity;sid:84700324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.54.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837222/; classtype:trojan-activity;sid:84700322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.54.34"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837221/; classtype:trojan-activity;sid:84700321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3837220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=178.16.52.194|7c|26|7c|p=80|7c|26|7c|t=tcp|7c|26|7c|a=l64|7c|26|7c|stage=true"; depth:84; endswith; nocase; http.host; content:"178.16.52.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837220/; classtype:trojan-activity;sid:84700320; rev:1;)
# NOTE(review), sid:84700320 (the rule ending on the line above): inside a content string,
# "|7c|26|7c|" is hex 7c + the text "26" + hex 7c, i.e. the four literal bytes |26|, not "&"
# (hex 26). Presumably the listed URL separates its query parameters with "&" -- confirm against
# the reference URL. If so, this http.uri content cannot match that request, and each separator
# should be written |26|.
# depth:84 is the length of the escaped text; the pattern as written decodes to 57 bytes, so
# depth does not pin the match to the start of the URI the way depth == pattern length does in
# the neighbouring rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.138.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837219/; classtype:trojan-activity;sid:84700319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"summitdawn.breadpotho1e.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837218/; classtype:trojan-activity;sid:84700318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.110.15.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837217/; classtype:trojan-activity;sid:84700317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; 
content:"wildlan.breadpotho1e.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837216/; classtype:trojan-activity;sid:84700316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.76.28"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837215/; classtype:trojan-activity;sid:84700315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.53.237"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837211/; classtype:trojan-activity;sid:84700311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.52.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837212/; classtype:trojan-activity;sid:84700312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.52.23"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837213/; classtype:trojan-activity;sid:84700313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3837214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"178.16.53.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837214/; classtype:trojan-activity;sid:84700314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.52.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837210/; classtype:trojan-activity;sid:84700310; rev:1;)
# NOTE(review), sid:84700307 and sid:84700308 (the next two rules): inside a content string,
# "|7c|26|7c|" is hex 7c + the text "26" + hex 7c, i.e. the four literal bytes |26|, not "&"
# (hex 26). Presumably the listed URLs separate their query parameters with "&" -- confirm
# against the reference URLs. If so, these http.uri contents cannot match those requests, and
# each separator should be written |26|.
# depth:84 is the length of the escaped text; each pattern as written decodes to 57 bytes, so
# depth does not pin the match to the start of the URI the way depth == pattern length does in
# the neighbouring rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=178.16.52.194|7c|26|7c|p=80|7c|26|7c|t=tcp|7c|26|7c|a=a32|7c|26|7c|stage=true"; depth:84; endswith; nocase; http.host; content:"178.16.52.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837207/; classtype:trojan-activity;sid:84700307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=178.16.52.194|7c|26|7c|p=80|7c|26|7c|t=tcp|7c|26|7c|a=l32|7c|26|7c|stage=true"; depth:84; endswith; nocase; http.host; content:"178.16.52.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837208/; classtype:trojan-activity;sid:84700308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837209)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/swt"; depth:4; endswith; nocase; http.host; content:"178.16.52.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837209/; classtype:trojan-activity;sid:84700309; rev:1;)
# NOTE(review), sid:84700306 (the next rule): inside a content string, "|7c|26|7c|" is
# hex 7c + the text "26" + hex 7c, i.e. the four literal bytes |26|, not "&" (hex 26).
# Presumably the listed URL separates its query parameters with "&" -- confirm against the
# reference URL. If so, this http.uri content cannot match that request, and each separator
# should be written |26|.
# depth:84 is the length of the escaped text; the pattern as written decodes to 57 bytes, so
# depth does not pin the match to the start of the URI the way depth == pattern length does in
# the neighbouring rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=178.16.52.194|7c|26|7c|p=80|7c|26|7c|t=tcp|7c|26|7c|a=a64|7c|26|7c|stage=true"; depth:84; endswith; nocase; http.host; content:"178.16.52.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837206/; classtype:trojan-activity;sid:84700306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slt"; depth:4; endswith; nocase; http.host; content:"178.16.52.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837205/; classtype:trojan-activity;sid:84700305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ultrafal.notice-ohlamon.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837204/; classtype:trojan-activity;sid:84700304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.233.138.220"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837203/; 
classtype:trojan-activity;sid:84700303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"merfluxar4.notice-ohlamon.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837202/; classtype:trojan-activity;sid:84700302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"82db.notice-ohlamon.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837201/; classtype:trojan-activity;sid:84700301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.188.45"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837200/; classtype:trojan-activity;sid:84700300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.211.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837198/; classtype:trojan-activity;sid:84700298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837199)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"87.110.15.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837199/; classtype:trojan-activity;sid:84700299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"158.94.211.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837197/; classtype:trojan-activity;sid:84700297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bala6-forge.notice-ohlamon.surf"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837196/; classtype:trojan-activity;sid:84700296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.210.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837195/; classtype:trojan-activity;sid:84700295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.211.177"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837194/; classtype:trojan-activity;sid:84700294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.81.189.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837193/; classtype:trojan-activity;sid:84700293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.237.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837192/; classtype:trojan-activity;sid:84700292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.188.2.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837191/; classtype:trojan-activity;sid:84700291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"jvtu4ew.notice-ohlamon.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837190/; classtype:trojan-activity;sid:84700290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837189)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"176.65.139.124"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837189/; classtype:trojan-activity;sid:84700289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.208.197"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837187/; classtype:trojan-activity;sid:84700287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.208.232"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837188/; classtype:trojan-activity;sid:84700288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.208.20"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837185/; classtype:trojan-activity;sid:84700285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.exe"; depth:34; endswith; nocase; http.host; content:"158.94.208.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837186/; 
classtype:trojan-activity;sid:84700286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"158.94.208.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837184/; classtype:trojan-activity;sid:84700284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"grid-relay.notice-ohlamon.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837183/; classtype:trojan-activity;sid:84700283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.4.233.220"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837182/; classtype:trojan-activity;sid:84700282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.237.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837181/; classtype:trojan-activity;sid:84700281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"39.81.189.222"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837180/; classtype:trojan-activity;sid:84700280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rai1-cache.notice-ohlamon.surf"; depth:30; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837179/; classtype:trojan-activity;sid:84700279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.188.2.119"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837178/; classtype:trojan-activity;sid:84700278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.119.14.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837177/; classtype:trojan-activity;sid:84700277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"1.10.255.32"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837174/; classtype:trojan-activity;sid:84700274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3837175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.117.90.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837175/; classtype:trojan-activity;sid:84700275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"moral-reach.inconprofitab1e.surf"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837176/; classtype:trojan-activity;sid:84700276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837173/; classtype:trojan-activity;sid:84700273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm6"; depth:14; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837172/; classtype:trojan-activity;sid:84700272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.117.90.140"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837171/; classtype:trojan-activity;sid:84700271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/wget.sh"; depth:10; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837163/; classtype:trojan-activity;sid:84700263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm5"; depth:14; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837164/; classtype:trojan-activity;sid:84700264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.m68k"; depth:14; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837165/; classtype:trojan-activity;sid:84700265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.x86"; depth:13; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837166/; classtype:trojan-activity;sid:84700266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837167)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.ppc"; depth:13; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837167/; classtype:trojan-activity;sid:84700267; rev:1;)
# Review note - how to read the rules in this section
# Every rule here is an exact-URL indicator: it alerts only when one request
# has method GET, an http.uri equal to the listed path (content anchored by
# depth = length plus endswith, compared case-insensitively via nocase) and an
# http.host equal to the listed value (depth = length plus isdataat:!1,relative).
# Limits that follow from that shape:
#   - "alert http" needs cleartext HTTP; the same URL fetched over TLS is not
#     inspected unless traffic is decrypted upstream of the sensor.
#   - An added query string or path segment changes http.uri, so the rule does
#     not match that request.
#   - The rule matches the client request ($HOME_NET -> $EXTERNAL_NET,
#     from_client). A hit shows an internal host asked for the URL; whether a
#     payload came back has to be confirmed from the response or the endpoint.
# The number in msg is the URLhaus entry id and is repeated in the reference URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.sh4"; depth:13; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837168/; classtype:trojan-activity;sid:84700268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mpsl"; depth:14; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837169/; classtype:trojan-activity;sid:84700269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mips"; depth:14; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837170/; classtype:trojan-activity;sid:84700270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm7"; depth:14; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837162/; classtype:trojan-activity;sid:84700262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mpsl"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837161/; classtype:trojan-activity;sid:84700261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm6"; depth:14; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837157/; classtype:trojan-activity;sid:84700257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm"; depth:13; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837158/; classtype:trojan-activity;sid:84700258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mpsl"; depth:14; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837159/; classtype:trojan-activity;sid:84700259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837160/; classtype:trojan-activity;sid:84700260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837156/; classtype:trojan-activity;sid:84700256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.m68k"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837153/; classtype:trojan-activity;sid:84700253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.mips"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837154/; classtype:trojan-activity;sid:84700254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l"; depth:2; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837155/; classtype:trojan-activity;sid:84700255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm7"; depth:14; endswith; nocase; http.host; content:"vmi3273283.contaboserver.net"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837152/; classtype:trojan-activity;sid:84700252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837151/; classtype:trojan-activity;sid:84700251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837144/; classtype:trojan-activity;sid:84700244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.sh4"; depth:13; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837145/; classtype:trojan-activity;sid:84700245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jewn.sh"; depth:8; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837146/; classtype:trojan-activity;sid:84700246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837147/; classtype:trojan-activity;sid:84700247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc64"; depth:6; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837148/; classtype:trojan-activity;sid:84700248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837149/; classtype:trojan-activity;sid:84700249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc"; depth:10; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837150/; classtype:trojan-activity;sid:84700250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/wget.sh"; depth:10; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at
2026_05_02; reference:url, urlhaus.abuse.ch/url/3837135/; classtype:trojan-activity;sid:84700235; rev:1;)
# Review note - per-architecture payload names
# The paths below differ mainly in a CPU-architecture suffix (arm4..arm7,
# armv5l..armv7l, i486, i686, m68k, mips, ppc, ppc440, sh4, spc, x86) plus a
# few shell scripts (wget.sh, jewn.sh, cat.sh) on a small set of hosts. That
# layout looks like a downloader script that then fetches one binary per
# architecture - inferred from the names only, the feed does not say so.
# Triage: when one of these fires, look for other requests from the same client
# to the same host in the same time window. Each URL has its own sid, and a
# sibling path that is not in the feed raises no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b/wget.sh"; depth:10; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837136/; classtype:trojan-activity;sid:84700236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jewn.sh"; depth:13; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837137/; classtype:trojan-activity;sid:84700237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.ppc"; depth:13; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837138/; classtype:trojan-activity;sid:84700238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.x86"; depth:13; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837139/; classtype:trojan-activity;sid:84700239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.spc"; depth:13; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837140/; classtype:trojan-activity;sid:84700240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.mips"; depth:14; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837141/; classtype:trojan-activity;sid:84700241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.m68k"; depth:14; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837142/; classtype:trojan-activity;sid:84700242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/jew.arm5"; depth:14; endswith; nocase; http.host; content:"161.97.163.222"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837143/; classtype:trojan-activity;sid:84700243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837134/; classtype:trojan-activity;sid:84700234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837131/; classtype:trojan-activity;sid:84700231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837132/; classtype:trojan-activity;sid:84700232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837133/; classtype:trojan-activity;sid:84700233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.ppc440"; depth:13; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837122/; classtype:trojan-activity;sid:84700222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm6"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837123/; classtype:trojan-activity;sid:84700223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.x86"; depth:10; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837124/; classtype:trojan-activity;sid:84700224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm7"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837125/; classtype:trojan-activity;sid:84700225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm5"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837126/; classtype:trojan-activity;sid:84700226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i486"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837127/; classtype:trojan-activity;sid:84700227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; depth:11; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837128/; classtype:trojan-activity;sid:84700228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.sh4"; depth:10; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837129/; classtype:trojan-activity;sid:84700229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.spc"; depth:10; endswith; nocase; http.host; content:"176.65.139.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837130/; classtype:trojan-activity;sid:84700230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tqdgt.inconprofitab1e.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837121/; classtype:trojan-activity;sid:84700221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsrouter"; depth:16; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837119/; classtype:trojan-activity;sid:84700219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3837120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837120/; classtype:trojan-activity;sid:84700220; rev:1;)
# Review note - very short paths
# Several rules below match paths as short as "/i", "/sh" or "/arm". With a
# two- to four-byte URI the only distinguishing condition is the http.host
# value, here mostly a literal IPv4 address. Two consequences:
#   - the rule matches only when the request names the server by that exact
#     http.host value, not when the same server is reached under another name;
#   - addresses get reassigned, so an old entry can start matching unrelated
#     traffic. Every entry in this section carries created_at 2026_05_02; check
#     the referenced URLhaus entry before treating a hit as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh"; depth:3; endswith; nocase; http.host; content:"176.65.139.61"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837118/; classtype:trojan-activity;sid:84700218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.174.11.115"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837117/; classtype:trojan-activity;sid:84700217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837116/; classtype:trojan-activity;sid:84700216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837114/; classtype:trojan-activity;sid:84700214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.152.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837115/; classtype:trojan-activity;sid:84700215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.42"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837113/; classtype:trojan-activity;sid:84700213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.39.7"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837112/; classtype:trojan-activity;sid:84700212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.i586"; depth:23; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837110/; classtype:trojan-activity;sid:84700210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"176.65.139.59"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837111/; classtype:trojan-activity;sid:84700211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.129.152.39"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837109/; classtype:trojan-activity;sid:84700209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pr4iri-point.inconprofitab1e.surf"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837108/; classtype:trojan-activity;sid:84700208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.114.33.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837107/; classtype:trojan-activity;sid:84700207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.8.42.91"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837106/; classtype:trojan-activity;sid:84700206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"memor-prim.inconprofitab1e.surf"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837105/; classtype:trojan-activity;sid:84700205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.216.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837104/; classtype:trojan-activity;sid:84700204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.111.185.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837103/; classtype:trojan-activity;sid:84700203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.217.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837102/; classtype:trojan-activity;sid:84700202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"cavemodu.inconprofitab1e.surf"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837101/; classtype:trojan-activity;sid:84700201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.114.33.189"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837100/; classtype:trojan-activity;sid:84700200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"79.111.185.211"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837099/; classtype:trojan-activity;sid:84700199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.arm4"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837098/; classtype:trojan-activity;sid:84700198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"176.65.139.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837097/; classtype:trojan-activity;sid:84700197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manji.i686"; depth:11; endswith; nocase; http.host; content:"176.65.139.165"; depth:14;
isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837096/; classtype:trojan-activity;sid:84700196; rev:1;)
# Review note - one path, many hosts
# The path /9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google appears below
# under many different subdomains of inconprofitab1e.surf, family-man.surf and
# fina1vrub.surf, one sid per subdomain. Because each rule pins the full
# http.host value, a further subdomain serving the same path is not detected
# until the feed lists it. For retrospective hunting, searching HTTP/proxy logs
# for the path on its own, or for the parent domains, casts a wider net than
# these rules; validate such hits rather than alerting on them directly.
# The other rules list "/i" and "/bin.sh" for the same IPv4 hosts (for example
# 42.227.236.9 and 39.87.28.130); correlate alerts by client and destination
# before counting them as separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"uclq1my.inconprofitab1e.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837095/; classtype:trojan-activity;sid:84700195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.8.42.91"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837094/; classtype:trojan-activity;sid:84700194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"lumflux3ar.inconprofitab1e.surf"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837093/; classtype:trojan-activity;sid:84700193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"196.190.105.170"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837092/; classtype:trojan-activity;sid:84700192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.236.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837091/; classtype:trojan-activity;sid:84700191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.87.28.130"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837090/; classtype:trojan-activity;sid:84700190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.216.92"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837089/; classtype:trojan-activity;sid:84700189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.235.93.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837088/; classtype:trojan-activity;sid:84700188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.217.143"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837087/; classtype:trojan-activity;sid:84700187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.39.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837086/; classtype:trojan-activity;sid:84700186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gr4nd4-node.family-man.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837085/; classtype:trojan-activity;sid:84700185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"revie-ring.family-man.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837084/; classtype:trojan-activity;sid:84700184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.235.93.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837083/; classtype:trojan-activity;sid:84700183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.236.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837082/; classtype:trojan-activity;sid:84700182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"glosuppl.family-man.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837081/; classtype:trojan-activity;sid:84700181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"norcrest6ex.family-man.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837080/; classtype:trojan-activity;sid:84700180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.87.28.130"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837079/; classtype:trojan-activity;sid:84700179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.14.160"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837078/; classtype:trojan-activity;sid:84700178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"handlerric.family-man.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837077/; classtype:trojan-activity;sid:84700177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.39.32"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837075/; classtype:trojan-activity;sid:84700175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.247.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837076/; classtype:trojan-activity;sid:84700176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vxxyant.family-man.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837074/; classtype:trojan-activity;sid:84700174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.69.76"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837073/; classtype:trojan-activity;sid:84700173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"k3rn9-spark.family-man.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837072/; classtype:trojan-activity;sid:84700172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.29.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837071/; classtype:trojan-activity;sid:84700171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"desi3-route.fina1vrub.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837070/; classtype:trojan-activity;sid:84700170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.247.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837069/;
classtype:trojan-activity;sid:84700169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.232.12.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837068/; classtype:trojan-activity;sid:84700168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"quor-coreix.fina1vrub.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837067/; classtype:trojan-activity;sid:84700167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"thicketswift.fina1vrub.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837066/; classtype:trojan-activity;sid:84700166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.233.106.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837065/; classtype:trojan-activity;sid:84700165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837064)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.121.190.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837064/; classtype:trojan-activity;sid:84700164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837063/; classtype:trojan-activity;sid:84700163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dynamiccom.fina1vrub.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837062/; classtype:trojan-activity;sid:84700162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.29.86"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837061/; classtype:trojan-activity;sid:84700161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.232.12.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837060/; classtype:trojan-activity;sid:84700160; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"agentairw.fina1vrub.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837059/; classtype:trojan-activity;sid:84700159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.251.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837058/; classtype:trojan-activity;sid:84700158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.55.221.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837057/; classtype:trojan-activity;sid:84700157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vellithon1.fina1vrub.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837056/; classtype:trojan-activity;sid:84700156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"115.55.221.157"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837055/; classtype:trojan-activity;sid:84700155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"83.219.1.198"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837054/; classtype:trojan-activity;sid:84700154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837052/; classtype:trojan-activity;sid:84700152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.155.225.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837053/; classtype:trojan-activity;sid:84700153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"151.41.235.56"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837051/; classtype:trojan-activity;sid:84700151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837050)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"1uxjjv36.fina1vrub.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837050/; classtype:trojan-activity;sid:84700150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.121.190.13"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837049/; classtype:trojan-activity;sid:84700149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.247.164"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837048/; classtype:trojan-activity;sid:84700148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"f1310.saget-sly.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837047/; classtype:trojan-activity;sid:84700147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.50.251.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837046/; 
classtype:trojan-activity;sid:84700146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.110.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837045/; classtype:trojan-activity;sid:84700145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"3gwd.saget-sly.surf"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837044/; classtype:trojan-activity;sid:84700144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.155.225.242"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837043/; classtype:trojan-activity;sid:84700143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"enginetone.saget-sly.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837042/; classtype:trojan-activity;sid:84700142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837041)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tokentrav.saget-sly.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837041/; classtype:trojan-activity;sid:84700141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.177.201.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837040/; classtype:trojan-activity;sid:84700140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cube"; depth:5; endswith; nocase; http.host; content:"87.121.84.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837039/; classtype:trojan-activity;sid:84700139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fl3e-wave.saget-sly.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837038/; classtype:trojan-activity;sid:84700138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.95.252"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837037/; 
classtype:trojan-activity;sid:84700137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"210.10.163.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837036/; classtype:trojan-activity;sid:84700136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"labelfjo.saget-sly.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837035/; classtype:trojan-activity;sid:84700135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.127.60.98"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837034/; classtype:trojan-activity;sid:84700134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"5wq7m.saget-sly.surf"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837033/; classtype:trojan-activity;sid:84700133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837032)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837032/; classtype:trojan-activity;sid:84700132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837031)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"v1ta-plate.chi8nondanyl.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837031/; classtype:trojan-activity;sid:84700131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.89.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837030/; classtype:trojan-activity;sid:84700130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.59.39"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837029/; classtype:trojan-activity;sid:84700129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.36.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837028/; classtype:trojan-activity;sid:84700128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3837027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.41.2.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837027/; classtype:trojan-activity;sid:84700127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.52.6.103"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837026/; classtype:trojan-activity;sid:84700126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"5pl1t4-flow.chi8nondanyl.surf"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837025/; classtype:trojan-activity;sid:84700125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.4.112.96"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837024/; classtype:trojan-activity;sid:84700124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"br1d-array.chi8nondanyl.surf"; 
depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837023/; classtype:trojan-activity;sid:84700123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.52.110.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837022/; classtype:trojan-activity;sid:84700122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.127.4.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837021/; classtype:trojan-activity;sid:84700121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pc7n.chi8nondanyl.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837020/; classtype:trojan-activity;sid:84700120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.57.207.70"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837019/; classtype:trojan-activity;sid:84700119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837018)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837018/; classtype:trojan-activity;sid:84700118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"r3ef-scope.chi8nondanyl.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837017/; classtype:trojan-activity;sid:84700117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.232.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837016/; classtype:trojan-activity;sid:84700116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.44.219.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837015/; classtype:trojan-activity;sid:84700115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"geo-0ffer.chi8nondanyl.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; 
reference:url, urlhaus.abuse.ch/url/3837014/; classtype:trojan-activity;sid:84700114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.232.231"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837013/; classtype:trojan-activity;sid:84700113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.228.102.52"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837012/; classtype:trojan-activity;sid:84700112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"119.127.4.250"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837011/; classtype:trojan-activity;sid:84700111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"orub3g.chi8nondanyl.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837010/; classtype:trojan-activity;sid:84700110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837009)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"117.14.97.148"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837009/; classtype:trojan-activity;sid:84700109; rev:1;)
# Reviewer notes (they apply to every rule in this stretch of the feed; the
# rules are laid out one per line, and the first and last lines are the tail
# and head of rules that continue outside this stretch):
# - Each rule is an exact-URL indicator. In http.uri, depth:<len> together
#   with endswith pins the content to the whole buffer (nocase relaxes case
#   only); in http.host, depth:<len> together with isdataat:!1,relative does
#   the same. A request to the same host with a different path or an added
#   query string does not alert, so a quiet sensor is not proof that the host
#   was never contacted. Pivot on the host value in HTTP, flow and DNS logs
#   when triaging.
# - "alert http" only inspects HTTP the engine can parse in the clear. The
#   same URL fetched over TLS is invisible to these rules unless traffic is
#   decrypted upstream of the sensor.
# - The match is on the client request (flow:established,from_client plus
#   request buffers). An alert shows that a $HOME_NET host asked for the URL,
#   not that a payload was delivered or executed; confirm with response/file
#   logging or endpoint data.
# - Many host values are bare IPv4 addresses and some URIs are as short as
#   "/i". The exact host match is what keeps these specific: do not loosen it
#   locally, and retire entries when the upstream feed drops them, since an
#   address may later serve unrelated content.
# - NOTE(review): the destination port is "any" and the host string carries
#   no port. Confirm on your Suricata version that http.host is populated
#   without a ":port" suffix; otherwise requests to non-default ports would
#   be missed by the exact host match.
# - The msg text is identical across rules apart from the URLhaus id; use the
#   sid or the reference URL to tell entries apart in alert pipelines.
# - One URI path ("/9fd51fb7-.../user_6747.google") recurs under many
#   sub-domains of several .surf domains below. Only the listed host+path
#   pairs match, so a sub-domain not yet in the feed will not alert; a local
#   hunt on the path alone can cover that gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ftsif.handker-unicamer.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837008/; classtype:trojan-activity;sid:84700108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.146.161.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837007/; classtype:trojan-activity;sid:84700107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"trustedbas.handker-unicamer.surf"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837006/; classtype:trojan-activity;sid:84700106; rev:1;)
# The next twelve entries share one host and differ only in the file suffix
# (x86, mpsl, arm7, mips, ...). The suffixes resemble CPU-architecture names,
# presumably per-architecture builds of one payload; verify against the
# URLhaus reference pages. Which suffix a client requested may hint at the
# type of device involved.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86"; depth:22; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837005/; classtype:trojan-activity;sid:84700105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mpsl"; depth:23; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837004/; classtype:trojan-activity;sid:84700104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm7"; depth:23; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837001/; classtype:trojan-activity;sid:84700101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.mips"; depth:23; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837002/; classtype:trojan-activity;sid:84700102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm5"; depth:23; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837003/; classtype:trojan-activity;sid:84700103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.ppc"; depth:22; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836994/; classtype:trojan-activity;sid:84700094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arc"; depth:22; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836995/; classtype:trojan-activity;sid:84700095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm6"; depth:23; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836996/; classtype:trojan-activity;sid:84700096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.arm"; depth:22; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836997/; classtype:trojan-activity;sid:84700097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.m68k"; depth:23; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836998/; classtype:trojan-activity;sid:84700098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.x86_64"; depth:25; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836999/; classtype:trojan-activity;sid:84700099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3837000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hiddenbin/boatnet.sh4"; depth:22; endswith; nocase; http.host; content:"179.61.132.168"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3837000/; classtype:trojan-activity;sid:84700100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pureneu.handker-unicamer.surf"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836993/; classtype:trojan-activity;sid:84700093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"streamermoss.handker-unicamer.surf"; depth:34; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836992/; classtype:trojan-activity;sid:84700092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.134.163.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836991/; classtype:trojan-activity;sid:84700091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.146.161.237"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836990/; classtype:trojan-activity;sid:84700090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"quormeshex.handker-unicamer.surf"; depth:32; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836989/; classtype:trojan-activity;sid:84700089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"175.147.220.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836988/; classtype:trojan-activity;sid:84700088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.163.198.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836987/; classtype:trojan-activity;sid:84700087; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"g0ld-bridge.handker-unicamer.surf"; depth:33; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836986/; classtype:trojan-activity;sid:84700086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.134.163.51"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836985/; classtype:trojan-activity;sid:84700085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"soupack.handker-unicamer.surf"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836984/; classtype:trojan-activity;sid:84700084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.237.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836983/; classtype:trojan-activity;sid:84700083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.124.12.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836982/; classtype:trojan-activity;sid:84700082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"oyim.faint-gather.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836981/; classtype:trojan-activity;sid:84700081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.198.163"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836980/; classtype:trojan-activity;sid:84700080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.15.2.119"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836979/; classtype:trojan-activity;sid:84700079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"e18apdkc.faint-gather.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836978/; classtype:trojan-activity;sid:84700078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"04aht.faint-gather.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836977/; classtype:trojan-activity;sid:84700077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.66.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836976/; classtype:trojan-activity;sid:84700076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.208.101.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836975/; classtype:trojan-activity;sid:84700075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.147.220.179"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836974/; classtype:trojan-activity;sid:84700074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vlkr.faint-gather.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836973/; classtype:trojan-activity;sid:84700073; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.54.192.198"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836972/; classtype:trojan-activity;sid:84700072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.124.12.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836971/; classtype:trojan-activity;sid:84700071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ark-fluxis.faint-gather.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836970/; classtype:trojan-activity;sid:84700070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.237.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836969/; classtype:trojan-activity;sid:84700069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836968/; classtype:trojan-activity;sid:84700068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"221.15.2.119"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836967/; classtype:trojan-activity;sid:84700067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"conv-line.faint-gather.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836966/; classtype:trojan-activity;sid:84700066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"resolvergrani.faint-gather.surf"; depth:31; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836965/; classtype:trojan-activity;sid:84700065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rar.sculpture5traight.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836964/; classtype:trojan-activity;sid:84700064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.218.60.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836963/; classtype:trojan-activity;sid:84700063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"risk.sculpture5traight.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836962/; classtype:trojan-activity;sid:84700062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.65.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836961/; classtype:trojan-activity;sid:84700061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"brave.archiv-checkered.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836960/; classtype:trojan-activity;sid:84700060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.9.247.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836959/; classtype:trojan-activity;sid:84700059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"admin.archiv-checkered.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836958/; classtype:trojan-activity;sid:84700058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.112.230.225"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836957/; classtype:trojan-activity;sid:84700057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"game.longwave5hot.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836956/; classtype:trojan-activity;sid:84700056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.65.136"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836955/; classtype:trojan-activity;sid:84700055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.74.84.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836954/; classtype:trojan-activity;sid:84700054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"leo.longwave5hot.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836953/; classtype:trojan-activity;sid:84700053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"60.19.163.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836952/; classtype:trojan-activity;sid:84700052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"eggsalt.clogg-opposition.surf"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836951/; classtype:trojan-activity;sid:84700051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.42.91.40"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836950/; classtype:trojan-activity;sid:84700050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"59.42.91.40"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836949/; classtype:trojan-activity;sid:84700049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.228.239.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836948/; classtype:trojan-activity;sid:84700048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.142.250.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836947/; classtype:trojan-activity;sid:84700047; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wascold.clogg-opposition.surf"; depth:29; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836946/; classtype:trojan-activity;sid:84700046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.74.84.14"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836945/; classtype:trojan-activity;sid:84700045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.142.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836944/; classtype:trojan-activity;sid:84700044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zoom.installer-catip.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836943/; classtype:trojan-activity;sid:84700043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.250.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836941/; classtype:trojan-activity;sid:84700041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"snap.installer-catip.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836942/; classtype:trojan-activity;sid:84700042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.179.230.46"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836940/; classtype:trojan-activity;sid:84700040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kick.installer-catip.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836939/; classtype:trojan-activity;sid:84700039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.227.246.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836938/; classtype:trojan-activity;sid:84700038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gear.installer-catip.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836937/; classtype:trojan-activity;sid:84700037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.228.239.131"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836936/; classtype:trojan-activity;sid:84700036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"dash.installer-catip.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836935/; classtype:trojan-activity;sid:84700035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.250.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836934/; classtype:trojan-activity;sid:84700034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.224.142.35"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836932/; classtype:trojan-activity;sid:84700032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.145.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836933/; classtype:trojan-activity;sid:84700033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"bolt.installer-catip.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836931/; classtype:trojan-activity;sid:84700031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.227.246.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836930/; classtype:trojan-activity;sid:84700030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.163.128.188"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836929/; classtype:trojan-activity;sid:84700029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sand.sculpture5traight.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836928/; classtype:trojan-activity;sid:84700028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.76.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836927/; classtype:trojan-activity;sid:84700027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rock.sculpture5traight.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836926/; classtype:trojan-activity;sid:84700026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.39.235.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836925/; classtype:trojan-activity;sid:84700025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"peak.sculpture5traight.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836924/; classtype:trojan-activity;sid:84700024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"mist.sculpture5traight.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836923/; classtype:trojan-activity;sid:84700023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.37.91.220"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836922/; classtype:trojan-activity;sid:84700022; rev:1;)
# The next seven entries pin one host with URI paths of four or five bytes.
# They are only as specific as the exact host match; consult the URLhaus
# reference page of the sid that fired for payload details.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nqtf"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836911/; classtype:trojan-activity;sid:84700011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2qo"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836912/; classtype:trojan-activity;sid:84700012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wbrg"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836913/; classtype:trojan-activity;sid:84700013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hq4"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836914/; classtype:trojan-activity;sid:84700014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kno6"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836915/; classtype:trojan-activity;sid:84700015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iwyo"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836916/; classtype:trojan-activity;sid:84700016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hqqr"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836917/; classtype:trojan-activity;sid:84700017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bsuj"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836918/; 
classtype:trojan-activity;sid:84700018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipuz"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836919/; classtype:trojan-activity;sid:84700019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i5uf"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836920/; classtype:trojan-activity;sid:84700020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iyoi"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836921/; classtype:trojan-activity;sid:84700021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836906/; classtype:trojan-activity;sid:84700006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x8664"; depth:6; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836907/; classtype:trojan-activity;sid:84700007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836908/; classtype:trojan-activity;sid:84700008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar"; depth:3; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836909/; classtype:trojan-activity;sid:84700009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar6"; depth:4; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836910/; classtype:trojan-activity;sid:84700010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836904/; classtype:trojan-activity;sid:84700004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mps"; depth:4; endswith; 
nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836905/; classtype:trojan-activity;sid:84700005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836896/; classtype:trojan-activity;sid:84699996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar7"; depth:4; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836897/; classtype:trojan-activity;sid:84699997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836898/; classtype:trojan-activity;sid:84699998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836899/; classtype:trojan-activity;sid:84699999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836900)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ar5"; depth:4; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836900/; classtype:trojan-activity;sid:84700000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar"; depth:3; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836901/; classtype:trojan-activity;sid:84700001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar6"; depth:4; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836902/; classtype:trojan-activity;sid:84700002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836903/; classtype:trojan-activity;sid:84700003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"lava.sculpture5traight.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836895/; classtype:trojan-activity;sid:84699995; rev:1;) 
# URLhaus known-malware-download rules, one rule per line. Each rule alerts on an HTTP GET
# from $HOME_NET to $EXTERNAL_NET (flow:established,from_client) whose normalized URI equals
# the http.uri content (depth = content length plus `endswith`; `nocase` applies to the URI)
# and whose host equals the http.host content (depth = content length plus
# `isdataat:!1,relative`, i.e. nothing may follow the match).
# Because both matches are exact, a request with a query string appended, a non-GET method,
# or a transfer over TLS that the sensor does not see decrypted raises no alert here.
# Triage: in every rule visible here sid = URLhaus id + 80863100; reference:url is the
# URLhaus entry for that id.
# 95.182.114.21: short path names (/ar7, /mps, /m68k, /ppc, /x86, /i686, /x8664, /sh4, /ar5).
# NOTE(review): these resemble CPU-architecture labels; inferred from the names only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar7"; depth:4; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836894/; classtype:trojan-activity;sid:84699994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mps"; depth:4; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836891/; classtype:trojan-activity;sid:84699991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836892/; classtype:trojan-activity;sid:84699992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836893/; classtype:trojan-activity;sid:84699993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836887/; classtype:trojan-activity;sid:84699987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836888/; classtype:trojan-activity;sid:84699988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x8664"; depth:6; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836889/; classtype:trojan-activity;sid:84699989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836890/; classtype:trojan-activity;sid:84699990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar5"; depth:4; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836886/; classtype:trojan-activity;sid:84699986; rev:1;)
# Mixed entries follow. The URI /9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google recurs
# on many *.surf hostnames; when one of them alerts, check the same client for the sibling
# hosts. Many of the other hosts are bare IPv4 addresses serving /i or /bin.sh.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.224.66.157"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836885/; classtype:trojan-activity;sid:84699985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"iron.sculpture5traight.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836884/; classtype:trojan-activity;sid:84699984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cf/afs.txt"; depth:11; endswith; nocase; http.host; content:"draffeler.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836883/; classtype:trojan-activity;sid:84699983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/original/3.exe"; depth:15; endswith; nocase; http.host; content:"panychurasc0.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836882/; classtype:trojan-activity;sid:84699982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"222.142.250.50"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836881/; classtype:trojan-activity;sid:84699981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gold.clogg-opposition.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836880/; classtype:trojan-activity;sid:84699980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fast.clogg-opposition.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836879/; classtype:trojan-activity;sid:84699979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.235.67"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836878/; classtype:trojan-activity;sid:84699978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"deep.clogg-opposition.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836877/; classtype:trojan-activity;sid:84699977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.138.78.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836876/; classtype:trojan-activity;sid:84699976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.50.231.208"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836875/; classtype:trojan-activity;sid:84699975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"cold.clogg-opposition.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836874/; classtype:trojan-activity;sid:84699974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.55.54.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836873/; classtype:trojan-activity;sid:84699973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.127.81.225"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836872/; classtype:trojan-activity;sid:84699972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.41.2.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836871/; classtype:trojan-activity;sid:84699971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"blue.clogg-opposition.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836870/; classtype:trojan-activity;sid:84699970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"aqua.clogg-opposition.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836869/; classtype:trojan-activity;sid:84699969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.186.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836867/; classtype:trojan-activity;sid:84699967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.10.143.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836868/; classtype:trojan-activity;sid:84699968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.234.146.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836866/; classtype:trojan-activity;sid:84699966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"link.anythin8weaned.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836865/; classtype:trojan-activity;sid:84699965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.226.225.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836864/; classtype:trojan-activity;sid:84699964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"host.anythin8weaned.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836863/; classtype:trojan-activity;sid:84699963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.238.250.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836861/; classtype:trojan-activity;sid:84699961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.154.191.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836862/; classtype:trojan-activity;sid:84699962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fire.anythin8weaned.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836860/; classtype:trojan-activity;sid:84699960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.35.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836858/; classtype:trojan-activity;sid:84699958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.220.186.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836859/; classtype:trojan-activity;sid:84699959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.55.54.139"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836857/; classtype:trojan-activity;sid:84699957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.234.146.6"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836856/; classtype:trojan-activity;sid:84699956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.218.14.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836855/; classtype:trojan-activity;sid:84699955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"edge.anythin8weaned.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836854/; classtype:trojan-activity;sid:84699954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"218.29.30.0"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836853/; classtype:trojan-activity;sid:84699953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"core.anythin8weaned.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836852/; classtype:trojan-activity;sid:84699952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.35.89"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836851/; classtype:trojan-activity;sid:84699951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.115.102.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836850/; classtype:trojan-activity;sid:84699950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"base.anythin8weaned.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836849/; classtype:trojan-activity;sid:84699949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"61.53.75.249"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836848/; classtype:trojan-activity;sid:84699948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load.sh"; depth:8; endswith; nocase; http.host; content:"176.65.139.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836847/; classtype:trojan-activity;sid:84699947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.154.191.187"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836846/; classtype:trojan-activity;sid:84699946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_2457667659243d6e.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836844/; classtype:trojan-activity;sid:84699944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"ultra.monop-oriental.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836845/; classtype:trojan-activity;sid:84699945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mass"; depth:5; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836842/; classtype:trojan-activity;sid:84699942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.40.215"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836843/; classtype:trojan-activity;sid:84699943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/7512490354/xzd00nk.bat"; depth:29; endswith; nocase; http.host; content:"62.60.226.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836833/; classtype:trojan-activity;sid:84699933; rev:1;)
# 91.92.241.243: several distinct /files/file_<16 hex characters> names (.exe and .ps1) on
# one host. Each rule pins one exact file name, so a new name on the same host is not
# covered until the feed adds it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_05cc2dd7bfb65d62.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836834/; classtype:trojan-activity;sid:84699934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_a960c9555ae69a2c.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836835/; classtype:trojan-activity;sid:84699935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_fba68fb67f748de0.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836836/; classtype:trojan-activity;sid:84699936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_6c4a10436538ff06.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836837/; classtype:trojan-activity;sid:84699937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_d78408803594961a.ps1"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836838/; classtype:trojan-activity;sid:84699938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_d0b9796f76777ab5.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836839/; 
classtype:trojan-activity;sid:84699939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_ebfd2992aa3e3802.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836840/; classtype:trojan-activity;sid:84699940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/file_b79572045fef6936.exe"; depth:32; endswith; nocase; http.host; content:"91.92.241.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836841/; classtype:trojan-activity;sid:84699941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.226.225.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836832/; classtype:trojan-activity;sid:84699932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.218.14.140"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836831/; classtype:trojan-activity;sid:84699931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"42.232.228.254"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836830/; classtype:trojan-activity;sid:84699930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"proxy.monop-oriental.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836829/; classtype:trojan-activity;sid:84699929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.5.178.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836828/; classtype:trojan-activity;sid:84699928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"200.115.102.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836827/; classtype:trojan-activity;sid:84699927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"meta.monop-oriental.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836826/; classtype:trojan-activity;sid:84699926; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.247.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836825/; classtype:trojan-activity;sid:84699925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"infra.monop-oriental.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836824/; classtype:trojan-activity;sid:84699924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.199.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836823/; classtype:trojan-activity;sid:84699923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"cyber.monop-oriental.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836822/; classtype:trojan-activity;sid:84699922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"61.53.75.249"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836821/; classtype:trojan-activity;sid:84699921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"atlas.monop-oriental.surf"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836820/; classtype:trojan-activity;sid:84699920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.160.130.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836819/; classtype:trojan-activity;sid:84699919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wave.mintur8ency.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836818/; classtype:trojan-activity;sid:84699918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.247.44"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836817/; classtype:trojan-activity;sid:84699917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3836815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xdfg"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836815/; classtype:trojan-activity;sid:84699915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buw"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836816/; classtype:trojan-activity;sid:84699916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.226.176.155"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836814/; classtype:trojan-activity;sid:84699914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"tetra.mintur8ency.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836813/; classtype:trojan-activity;sid:84699913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.230.199.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; 
reference:url, urlhaus.abuse.ch/url/3836812/; classtype:trojan-activity;sid:84699912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.164.126.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836811/; classtype:trojan-activity;sid:84699911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeno.mintur8ency.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836810/; classtype:trojan-activity;sid:84699910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.5.178.154"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836809/; classtype:trojan-activity;sid:84699909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"spark.mintur8ency.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836808/; classtype:trojan-activity;sid:84699908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836807)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"78.164.126.24"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836807/; classtype:trojan-activity;sid:84699907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"omni.mintur8ency.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836806/; classtype:trojan-activity;sid:84699906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.63.50.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836804/; classtype:trojan-activity;sid:84699904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"103.160.130.109"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836805/; classtype:trojan-activity;sid:84699905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mp"; depth:3; endswith; nocase; http.host; content:"95.182.114.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836803/; 
classtype:trojan-activity;sid:84699903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flux.mintur8ency.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836802/; classtype:trojan-activity;sid:84699902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"trace.archiv-checkered.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836801/; classtype:trojan-activity;sid:84699901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.249.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836800/; classtype:trojan-activity;sid:84699900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"grid.archiv-checkered.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836799/; classtype:trojan-activity;sid:84699899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836798)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"byte.archiv-checkered.surf"; depth:26; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836798/; classtype:trojan-activity;sid:84699898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv6l"; depth:12; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836797/; classtype:trojan-activity;sid:84699897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm7"; depth:10; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836796/; classtype:trojan-activity;sid:84699896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.44.219.60"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836795/; classtype:trojan-activity;sid:84699895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836794/; 
classtype:trojan-activity;sid:84699894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i586"; depth:10; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836786/; classtype:trojan-activity;sid:84699886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/powerpc"; depth:13; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836787/; classtype:trojan-activity;sid:84699887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86_64"; depth:12; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836788/; classtype:trojan-activity;sid:84699888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv4l"; depth:12; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836789/; classtype:trojan-activity;sid:84699889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"64.89.160.205"; 
depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836790/; classtype:trojan-activity;sid:84699890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836791/; classtype:trojan-activity;sid:84699891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/armv5l"; depth:12; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836792/; classtype:trojan-activity;sid:84699892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"64.89.160.205"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836793/; classtype:trojan-activity;sid:84699893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"logic.archiv-checkered.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836785/; classtype:trojan-activity;sid:84699885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3836784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.63.50.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836784/; classtype:trojan-activity;sid:84699884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"point.archiv-checkered.surf"; depth:27; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836783/; classtype:trojan-activity;sid:84699883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.10.143.128"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836782/; classtype:trojan-activity;sid:84699882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zta"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836781/; classtype:trojan-activity;sid:84699881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gzky"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836751/; 
classtype:trojan-activity;sid:84699851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vbb"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836752/; classtype:trojan-activity;sid:84699852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/og9"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836753/; classtype:trojan-activity;sid:84699853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2iuk"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836754/; classtype:trojan-activity;sid:84699854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7dnv"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836755/; classtype:trojan-activity;sid:84699855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j7m5"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836756/; classtype:trojan-activity;sid:84699856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/401"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836757/; classtype:trojan-activity;sid:84699857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9yo"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836758/; classtype:trojan-activity;sid:84699858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vxxz"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836759/; classtype:trojan-activity;sid:84699859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmr"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836760/; classtype:trojan-activity;sid:84699860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qxub"; depth:5; endswith; nocase; 
http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836761/; classtype:trojan-activity;sid:84699861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5l9e"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836762/; classtype:trojan-activity;sid:84699862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u0o"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836763/; classtype:trojan-activity;sid:84699863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jwc"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836764/; classtype:trojan-activity;sid:84699864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m6j"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836765/; classtype:trojan-activity;sid:84699865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836766)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/eiu"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836766/; classtype:trojan-activity;sid:84699866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yip"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836767/; classtype:trojan-activity;sid:84699867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ww7s"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836768/; classtype:trojan-activity;sid:84699868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tppi"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836769/; classtype:trojan-activity;sid:84699869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rx3o"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836770/; classtype:trojan-activity;sid:84699870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3836771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4pb1"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836771/; classtype:trojan-activity;sid:84699871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lus"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836772/; classtype:trojan-activity;sid:84699872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8tr"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836773/; classtype:trojan-activity;sid:84699873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7uv"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836774/; classtype:trojan-activity;sid:84699874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fcy8"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836775/; classtype:trojan-activity;sid:84699875; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qgx"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836776/; classtype:trojan-activity;sid:84699876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojg"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836777/; classtype:trojan-activity;sid:84699877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dle"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836778/; classtype:trojan-activity;sid:84699878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bad"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836779/; classtype:trojan-activity;sid:84699879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oq6i"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836780/; 
classtype:trojan-activity;sid:84699880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bhv3"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836744/; classtype:trojan-activity;sid:84699844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gu2"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836745/; classtype:trojan-activity;sid:84699845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69c"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836746/; classtype:trojan-activity;sid:84699846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/barn"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836747/; classtype:trojan-activity;sid:84699847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vus"; depth:4; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836748/; classtype:trojan-activity;sid:84699848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/39iv"; depth:5; endswith; nocase; http.host; content:"45.148.120.78"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836749/; classtype:trojan-activity;sid:84699849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hfwq"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836750/; classtype:trojan-activity;sid:84699850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9p"; depth:4; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836743/; classtype:trojan-activity;sid:84699843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b10p"; depth:5; endswith; nocase; http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836741/; classtype:trojan-activity;sid:84699841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/late"; depth:5; endswith; nocase; 
http.host; content:"89.144.31.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836742/; classtype:trojan-activity;sid:84699842; rev:1;)
# Reviewer note: the next three rules carry the same http.uri content,
# "/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google" (54 bytes, depth:54,
# endswith, nocase), and their match conditions differ only in the http.host value.
# Because the host is matched exactly (depth plus isdataat:!1,relative), a hostname
# that is not listed in the feed is not covered, even when the request path is
# identical.
# NOTE(review): a locally maintained rule or log hunt keyed on the shared path alone
# would also catch unlisted hosts; measure its false-positive rate before enabling it.
# NOTE(review): http.uri presumably holds the whole normalized request URI, so a
# request with a query string appended would not satisfy endswith; confirm against
# the Suricata version in use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vector.archiv-checkered.surf"; depth:28; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836740/; classtype:trojan-activity;sid:84699840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"delta.longwave5hot.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836739/; classtype:trojan-activity;sid:84699839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"alpha.longwave5hot.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836738/; classtype:trojan-activity;sid:84699838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.97.253.240"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836737/; 
classtype:trojan-activity;sid:84699837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mp"; depth:3; endswith; nocase; http.host; content:"176.65.139.167"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836736/; classtype:trojan-activity;sid:84699836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"prime.longwave5hot.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836735/; classtype:trojan-activity;sid:84699835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.230.45.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836734/; classtype:trojan-activity;sid:84699834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"sonic.longwave5hot.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836733/; classtype:trojan-activity;sid:84699833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836732)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i"; depth:2; endswith; nocase; http.host; content:"42.7.202.19"; depth:11; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836732/; classtype:trojan-activity;sid:84699832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"drift.longwave5hot.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836731/; classtype:trojan-activity;sid:84699831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"neon.longwave5hot.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836730/; classtype:trojan-activity;sid:84699830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"kilo.casino-fascin.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836729/; classtype:trojan-activity;sid:84699829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"macro.casino-fascin.surf"; depth:24; 
isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836728/; classtype:trojan-activity;sid:84699828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pixel.casino-fascin.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836727/; classtype:trojan-activity;sid:84699827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.176.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836726/; classtype:trojan-activity;sid:84699826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"orbit.casino-fascin.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836725/; classtype:trojan-activity;sid:84699825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"182.116.15.169"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836724/; classtype:trojan-activity;sid:84699824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3836723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"shift.casino-fascin.surf"; depth:24; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836723/; classtype:trojan-activity;sid:84699823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"27.199.225.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836722/; classtype:trojan-activity;sid:84699822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"125.43.41.29"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836720/; classtype:trojan-activity;sid:84699820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"beta.casino-fascin.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836721/; classtype:trojan-activity;sid:84699821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"125.43.41.29"; depth:12; isdataat:!1,relative; 
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836719/; classtype:trojan-activity;sid:84699819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"nx10.fiverfle8ma.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836718/; classtype:trojan-activity;sid:84699818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"110.37.38.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836717/; classtype:trojan-activity;sid:84699817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vortex.fiverfle8ma.surf"; depth:23; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836716/; classtype:trojan-activity;sid:84699816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"quant.fiverfle8ma.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836715/; classtype:trojan-activity;sid:84699815; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.48.163.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836714/; classtype:trojan-activity;sid:84699814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"zeta.fiverfle8ma.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836713/; classtype:trojan-activity;sid:84699813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pulse.fiverfle8ma.surf"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836712/; classtype:trojan-activity;sid:84699812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.52.194.164"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836711/; classtype:trojan-activity;sid:84699811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; 
endswith; nocase; http.host; content:"mobi.fiverfle8ma.surf"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836710/; classtype:trojan-activity;sid:84699810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.14.254.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836709/; classtype:trojan-activity;sid:84699809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"land.wildfirelake.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836708/; classtype:trojan-activity;sid:84699808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"115.48.163.183"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836707/; classtype:trojan-activity;sid:84699807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"flow.wildfirelake.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836706/; classtype:trojan-activity;sid:84699806; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.37.122.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836705/; classtype:trojan-activity;sid:84699805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"burn.wildfirelake.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836704/; classtype:trojan-activity;sid:84699804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"lake.wildfirelake.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836703/; classtype:trojan-activity;sid:84699803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"fire.wildfirelake.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836702/; classtype:trojan-activity;sid:84699802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836701)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"wild.wildfirelake.lat"; depth:21; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836701/; classtype:trojan-activity;sid:84699801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"rich.puregoldkey.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836700/; classtype:trojan-activity;sid:84699800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"safe.puregoldkey.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836699/; classtype:trojan-activity;sid:84699799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"coin.puregoldkey.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836698/; classtype:trojan-activity;sid:84699798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"117.81.38.169"; depth:13; isdataat:!1,relative; 
metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836697/; classtype:trojan-activity;sid:84699797; rev:1;)
# Reviewer note: the rules below pair a very short, generic path ("/i", "/bin.sh")
# with a bare IP address in http.host.
# The host condition is what keeps them specific: depth equal to the address length
# plus isdataat:!1,relative requires the host buffer to be exactly the listed address.
# NOTE(review): whether a Host header that also carries a port still matches depends
# on how http.host is normalized; confirm before relying on these for non-default ports.
# NOTE(review): metadata records created_at only. An address can change hands after
# that date, so reload the ruleset from the feed instead of keeping older copies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836696/; classtype:trojan-activity;sid:84699796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"219.157.182.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836695/; classtype:trojan-activity;sid:84699795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"42.59.227.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836693/; classtype:trojan-activity;sid:84699793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.14.254.90"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836694/; classtype:trojan-activity;sid:84699794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; 
http.host; content:"110.37.122.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836692/; classtype:trojan-activity;sid:84699792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"key.puregoldkey.lat"; depth:19; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836691/; classtype:trojan-activity;sid:84699791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.9.247.64"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836690/; classtype:trojan-activity;sid:84699790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"gold.puregoldkey.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836689/; classtype:trojan-activity;sid:84699789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"219.157.182.229"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836688/; classtype:trojan-activity;sid:84699788; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"pure.puregoldkey.lat"; depth:20; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836687/; classtype:trojan-activity;sid:84699787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"link.darknightstar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836686/; classtype:trojan-activity;sid:84699786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.238.250.49"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836685/; classtype:trojan-activity;sid:84699785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"42.59.227.80"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836684/; classtype:trojan-activity;sid:84699784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; 
content:"196.191.231.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836683/; classtype:trojan-activity;sid:84699783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"61.137.199.2"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836681/; classtype:trojan-activity;sid:84699781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.39.226.207"; depth:14; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836682/; classtype:trojan-activity;sid:84699782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"deep.darknightstar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836680/; classtype:trojan-activity;sid:84699780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"175.148.221.213"; depth:15; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836679/; classtype:trojan-activity;sid:84699779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3836678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"void.darknightstar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836678/; classtype:trojan-activity;sid:84699778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"60.17.158.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836677/; classtype:trojan-activity;sid:84699777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"moon.darknightstar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836676/; classtype:trojan-activity;sid:84699776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"star.darknightstar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836675/; classtype:trojan-activity;sid:84699775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; 
nocase; http.host; content:"dark.darknightstar.lat"; depth:22; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836674/; classtype:trojan-activity;sid:84699774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.11.78.118"; depth:13; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836673/; classtype:trojan-activity;sid:84699773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"vpn.coldwindy.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836672/; classtype:trojan-activity;sid:84699772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"port.coldwindy.lat"; depth:18; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836671/; classtype:trojan-activity;sid:84699771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9fd51fb7-b3ad-4c8f-bf05-b5423d14e06c/user_6747.google"; depth:54; endswith; nocase; http.host; content:"box.coldwindy.lat"; depth:17; isdataat:!1,relative; metadata:created_at 2026_05_02; reference:url, urlhaus.abuse.ch/url/3836670/; 
classtype:trojan-activity;sid:84699770; rev:1;)
# --- review notes: github.com / raw.githubusercontent.com entries, created_at 2026_05_01 ---
# These are `alert http` rules, so they fire only where the sensor can parse the request
# as HTTP. Both hosts are normally fetched over HTTPS; without TLS decryption ahead of the
# sensor these rules are unlikely to see the URI at all.
# NOTE(review): confirm how this traffic reaches your sensor before relying on them.
# The host is not the indicator: both are shared platforms, and each rule is pinned to one
# full repository path (`depth` equal to the content length, plus `endswith`).
# Many archives appear twice, as github.com/{owner}/{repo}/raw/refs/heads/... and as
# raw.githubusercontent.com/{owner}/{repo}/refs/heads/...; treat the pair together when
# tuning or suppressing.
# For every rule shown here, sid minus the URLhaus id in msg/reference is 80863100, which
# helps map an alert back to its URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajendra2604/rajendra2604.github.io/raw/refs/heads/main/hypereutectoid/rajendra-github-io-1.7.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836232/; classtype:trojan-activity;sid:84699332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajendra2604/kanban-for-ai-agents/refs/heads/main/amphitheatrically/agents_for_a_kanban_1.5.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836233/; classtype:trojan-activity;sid:84699333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajendra2604/rajendra2604.github.io/raw/refs/heads/main/hypereutectoid/io-github-rajendra-collectivize.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836228/; classtype:trojan-activity;sid:84699328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajendra2604/kanban-for-ai-agents/refs/heads/main/amphitheatrically/kanban-agents-a-for-3.7.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836224/; classtype:trojan-activity;sid:84699324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajendra2604/kanban-for-ai-agents/raw/refs/heads/main/amphitheatrically/agents_for_a_kanban_1.5.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836221/; classtype:trojan-activity;sid:84699321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajendra2604/kanban-for-ai-agents/raw/refs/heads/main/amphitheatrically/kanban-agents-a-for-3.7.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836222/; classtype:trojan-activity;sid:84699322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teamkura1/uploadproject/refs/heads/main/colours/upload-project-v1.7.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836190/; classtype:trojan-activity;sid:84699290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asherfn/asherfn.github.io/raw/refs/heads/main/swankily/io-asherfn-github-3.6.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836187/; classtype:trojan-activity;sid:84699287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khonneymann/nightops-drop/raw/refs/heads/main/loggat/nightops_drop_2.6.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836188/; classtype:trojan-activity;sid:84699288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/familyguy12333/roblox-macro-v3.0.0/refs/heads/main/language/macr-roblo-v3.6.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836189/; classtype:trojan-activity;sid:84699289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teamkura1/uploadproject/raw/refs/heads/main/colours/upload-project-v1.7.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836177/; classtype:trojan-activity;sid:84699277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namanpaliyal/namanpaliyal.github.io/raw/refs/heads/main/romeshot/github_io_namanpaliyal_v2.0.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836178/; classtype:trojan-activity;sid:84699278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namanpaliyal/namanpaliyal.github.io/refs/heads/main/romeshot/github_io_namanpaliyal_v2.0.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836179/; classtype:trojan-activity;sid:84699279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaswat0/spotify-project/raw/refs/heads/main/project/project_spotify_1.4.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836180/; classtype:trojan-activity;sid:84699280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ben-jilo/ben-jilo.github.io/raw/refs/heads/main/horrification/ben_jilo_io_github_v2.9.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836181/; classtype:trojan-activity;sid:84699281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asherfn/asherfn.github.io/refs/heads/main/swankily/io-asherfn-github-3.6.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836183/; classtype:trojan-activity;sid:84699283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaswat0/spotify-project/refs/heads/main/project/project_spotify_1.4.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836184/; classtype:trojan-activity;sid:84699284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asherfn/acadex-ai-google-deepmind/refs/heads/main/components/deepmind-a-acadex-google-v1.8-alpha.4.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836185/; classtype:trojan-activity;sid:84699285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ben-jilo/ben-jilo.github.io/refs/heads/main/horrification/ben_jilo_io_github_v2.9.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836186/; classtype:trojan-activity;sid:84699286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-greque/paimon-cpp/raw/refs/heads/main/conspirant/cpp-paimon-v1.9-alpha.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; 
reference:url, urlhaus.abuse.ch/url/3836171/; classtype:trojan-activity;sid:84699271; rev:1;)
# --- review notes: further github.com / raw.githubusercontent.com entries, created_at 2026_05_01 ---
# Coverage is per file, not per repository or account. Each rule matches one exact path
# (`depth` equal to the content length, plus `endswith`; `nocase` only relaxes letter case).
# Several owner names recur across repositories in this batch (bradorahacker001,
# namanpaliyal, rockspeeder), yet a differently named archive in the same repository
# would not match any rule here.
# These rules need the HTTP request in the clear. Both hosts are normally reached over
# HTTPS, so expect no alerts unless decrypted traffic reaches the sensor.
# NOTE(review): verify for your deployment.
# An alert reflects the outbound GET only (flow:from_client); whether the archive was
# actually retrieved has to be confirmed from response or file logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asherfn/acadex-ai-google-deepmind/raw/refs/heads/main/components/deepmind-a-acadex-google-v1.8-alpha.4.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836172/; classtype:trojan-activity;sid:84699272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaswat0/servicemesh-istio-demo/raw/refs/heads/main/customer-service/src/main/java/servicemesh_istio_demo_2.2.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836173/; classtype:trojan-activity;sid:84699273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rockspeeder/devbar/refs/heads/main/prediplomatic/software-v3.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836174/; classtype:trojan-activity;sid:84699274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rockspeeder/rockspeeder.github.io/refs/heads/main/geognost/rockspeeder_github_io_v1.9.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836175/; classtype:trojan-activity;sid:84699275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bradorahacker001/flash-md/raw/refs/heads/main/bdd/md-flash-v3.6.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836176/; classtype:trojan-activity;sid:84699276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namanpaliyal/verify/raw/refs/heads/main/jillflirt/software_1.9.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836164/; classtype:trojan-activity;sid:84699264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khonneymann/nightops-drop/refs/heads/main/loggat/nightops_drop_2.6.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836165/; classtype:trojan-activity;sid:84699265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rockspeeder/rockspeeder.github.io/raw/refs/heads/main/geognost/rockspeeder_github_io_v1.9.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836166/; classtype:trojan-activity;sid:84699266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-greque/paimon-cpp/refs/heads/main/conspirant/cpp-paimon-v1.9-alpha.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836167/; classtype:trojan-activity;sid:84699267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thejangs2/zigantic/refs/heads/main/docs/.vitepress/software_v3.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836168/; classtype:trojan-activity;sid:84699268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namanpaliyal/verify/refs/heads/main/jillflirt/software_1.9.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836169/; classtype:trojan-activity;sid:84699269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namanpaliyal/kardiaflow/raw/refs/heads/main/app/static/kardia-flow-1.5.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836159/; classtype:trojan-activity;sid:84699259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bradorahacker001/flash-md/refs/heads/main/bdd/md-flash-v3.6.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836161/; classtype:trojan-activity;sid:84699261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bradorahacker001/guru-bot/refs/heads/main/guru/bot_gur_pilgrimatical.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836156/; classtype:trojan-activity;sid:84699256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bradorahacker001/bradorahacker001.github.io/refs/heads/main/nasopharyngeal/github-bradorahacker-io-v1.0.zip"; depth:108; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836157/; classtype:trojan-activity;sid:84699257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thejangs2/zigantic/raw/refs/heads/main/docs/.vitepress/software_v3.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836158/; classtype:trojan-activity;sid:84699258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bradorahacker001/employees-fullstack/raw/refs/heads/main/angular-frontend/employees-ui/src/app/features/fullstack_employees_v2.7.zip"; depth:133; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836150/; classtype:trojan-activity;sid:84699250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bradorahacker001/bradorahacker001.github.io/raw/refs/heads/main/nasopharyngeal/github-bradorahacker-io-v1.0.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836153/; classtype:trojan-activity;sid:84699253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teamkura1/teamkura1.github.io/raw/refs/heads/main/barreler/teamkura_io_github_v1.8.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836155/; classtype:trojan-activity;sid:84699255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rockspeeder/devbar/raw/refs/heads/main/prediplomatic/software-v3.1.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836149/; classtype:trojan-activity;sid:84699249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/familyguy12333/roblox-macro-v3.0.0/raw/refs/heads/main/language/macr-roblo-v3.6.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836148/; classtype:trojan-activity;sid:84699248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ben-jilo/awesome-faceless/refs/heads/main/micrococcus/faceless-awesome-v1.1.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836145/; classtype:trojan-activity;sid:84699245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-greque/i-greque.github.io/refs/heads/main/preseal/greque_i_io_github_3.4.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836146/; classtype:trojan-activity;sid:84699246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hehehegnnnnnnnnnnnnnnnnnn/i-am-not-a-robot/raw/refs/heads/main/biblicality/i_am_robot_a_not_v1.3.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836140/; classtype:trojan-activity;sid:84699240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adarnavarro12/99-nights-script/refs/heads/main/anethum/nights_script_v1.0-alpha.5.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836137/; classtype:trojan-activity;sid:84699237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabymrtsg/roblox-macro-v3.0.0/refs/heads/main/language/roblo_macr_v2.7.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836138/; classtype:trojan-activity;sid:84699238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabymrtsg/roblox-macro-v3.0.0/raw/refs/heads/main/language/roblo_macr_v2.7.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836135/; classtype:trojan-activity;sid:84699235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabymrtsg/edswqcxz/raw/refs/heads/master/triglyphed/software_v3.9.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836133/; classtype:trojan-activity;sid:84699233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bielelmagu/roblox-fps-unlocker/raw/refs/heads/main/dihydride/unlocker_roblox_fp_actipylea.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836134/; classtype:trojan-activity;sid:84699234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mctvcell/zon-ts/refs/heads/main/benchmarks/core/ts_zon_3.3.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836126/; classtype:trojan-activity;sid:84699226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hehehegnnnnnnnnnnnnnnnnnn/roblox-fps-unlocker/raw/refs/heads/main/devvel/fp_roblox_unlocker_3.4.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836127/; classtype:trojan-activity;sid:84699227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hehehegnnnnnnnnnnnnnnnnnn/roblox-fps-unlocker/refs/heads/main/devvel/fp_roblox_unlocker_3.4.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836128/; classtype:trojan-activity;sid:84699228; rev:1;)
# GitHub-hosted ZIP payloads (all created 2026_05_01).
# The sid tracks the URLhaus id shown in msg and reference (sid = id + 80863100 in the rules below),
# so the reference URL is the place to look up the entry when triaging an alert.
# Repository and file names are copied from the feed; they identify the URL, not the payload family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hehehegnnnnnnnnnnnnnnnnnn/i-am-not-a-robot/refs/heads/main/biblicality/i_am_robot_a_not_v1.3.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836129/; classtype:trojan-activity;sid:84699229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bielelmagu/roblox-fps-unlocker/refs/heads/main/dihydride/unlocker_roblox_fp_actipylea.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836130/; classtype:trojan-activity;sid:84699230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adarnavarro12/99-nights-script/raw/refs/heads/main/anethum/nights_script_v1.0-alpha.5.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836131/; classtype:trojan-activity;sid:84699231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabymrtsg/edswqcxz/refs/heads/master/triglyphed/software_v3.9.zip"; depth:66; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836132/; classtype:trojan-activity;sid:84699232; rev:1;)
# Two GitHub-hosted .exe paths (created 2026_05_01), then rules keyed on an IP-literal Host value
# (created 2026_04_30).
# The `/i` rule is short but still exact: depth:2 with endswith means the whole URI must be `/i`, and
# it is tied to a single host, so it is not a generic match on URIs that merely contain `/i`.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/primmslimx/fivem-spoofer/refs/heads/main/cfxbypass.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836094/; classtype:trojan-activity;sid:84699194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3836095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/primmslimx/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_05_01; reference:url, urlhaus.abuse.ch/url/3836095/; classtype:trojan-activity;sid:84699195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3835499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/10.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_30; reference:url, urlhaus.abuse.ch/url/3835499/; classtype:trojan-activity;sid:84698599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3835263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.69.110.85"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_30; reference:url, urlhaus.abuse.ch/url/3835263/; classtype:trojan-activity;sid:84698363; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3835260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sunwukongs.exe"; depth:15; endswith; nocase; http.host; content:"plasteredplayn.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_04_30; reference:url, urlhaus.abuse.ch/url/3835260/; classtype:trojan-activity;sid:84698360; rev:1;)
# Rules created 2026_04_30 and 2026_04_29: an .exe on an IP-literal host, then several `.png` URIs
# on everycarebd.com.
# The everycarebd.com URIs end in .png yet are listed by the feed as malware download URLs; these rules
# match request URI and host only, so the file extension says nothing about what was actually served.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3835137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"103.83.86.91"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_30; reference:url, urlhaus.abuse.ch/url/3835137/; classtype:trojan-activity;sid:84698237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image77490p.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834486/; classtype:trojan-activity;sid:84697586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelkjh0987.png"; depth:18; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834485/; classtype:trojan-activity;sid:84697585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagefre9003.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834481/; classtype:trojan-activity;sid:84697581; rev:1;)
# Remaining everycarebd.com `.png` entries, then two rules for host 39.65.192.75 (`/i` and `/bin.sh`),
# all created 2026_04_29.
# Direction is $HOME_NET -> $EXTERNAL_NET only: coverage depends on how those variables are defined on
# the sensor, and requests between internal hosts are outside these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagefile001.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834483/; classtype:trojan-activity;sid:84697583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecopy0956.png"; depth:18; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834473/; classtype:trojan-activity;sid:84697573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"39.65.192.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834223/; classtype:trojan-activity;sid:84697323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.65.192.75"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834216/; classtype:trojan-activity;sid:84697316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3834153)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"124.128.243.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_29; reference:url, urlhaus.abuse.ch/url/3834153/; classtype:trojan-activity;sid:84697253; rev:1;)
# Rules created 2026_04_28: IP-literal hosts, then `optimized_msi.png` served from named hosts.
# The same file name appears under different hosts and directories (spgint.com `/rum/`,
# autobaenasl.com `/uplod/`); each rule pins one host and one path, so treat them as per-URL indicators.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_28; reference:url, urlhaus.abuse.ch/url/3833909/; classtype:trojan-activity;sid:84697009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"109.236.46.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_28; reference:url, urlhaus.abuse.ch/url/3833868/; classtype:trojan-activity;sid:84696968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rum/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"spgint.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_28; reference:url, urlhaus.abuse.ch/url/3833743/; classtype:trojan-activity;sid:84696843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uplod/optimized_msi.png"; depth:24; endswith; nocase; http.host; content:"autobaenasl.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_28; reference:url, urlhaus.abuse.ch/url/3833740/; classtype:trojan-activity;sid:84696840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3833733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"postelnini.mk"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_28; reference:url, urlhaus.abuse.ch/url/3833733/; classtype:trojan-activity;sid:84696833; rev:1;)
# Short-URI rules on IP-literal hosts (created 2026_04_28 and 2026_04_27).
# `/i` and `/bin.sh` are matched as the complete URI (depth equals the content length, plus endswith)
# and only together with the listed Host value; the Host depth likewise equals the address length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.236.46.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_28; reference:url, urlhaus.abuse.ch/url/3833499/; classtype:trojan-activity;sid:84696599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.128.243.147"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833306/; classtype:trojan-activity;sid:84696406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3833139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"114.244.232.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3833139/; classtype:trojan-activity;sid:84696239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"39.86.84.13"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832934/; 
classtype:trojan-activity;sid:84696034; rev:1;)
# Rules created 2026_04_27: short URIs (`/.i`, `/i`) on IP-literal hosts, then two `/scripts/` paths
# on 31.57.109.131.
# NOTE(review): the name xmrig.tar.gz suggests an XMRig miner archive, but nothing in the rule inspects
# the payload - rely on the URLhaus entry for the actual classification.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.62.41.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832920/; classtype:trojan-activity;sid:84696020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"88.88.191.25"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832742/; classtype:trojan-activity;sid:84695842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/xmrig.tar.gz"; depth:21; endswith; nocase; http.host; content:"31.57.109.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832733/; classtype:trojan-activity;sid:84695833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/watcher"; depth:16; endswith; nocase; http.host; content:"31.57.109.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_27; reference:url, urlhaus.abuse.ch/url/3832732/; classtype:trojan-activity;sid:84695832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_mipsle"; depth:13; endswith; nocase; http.host; content:"142.248.80.139"; 
depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832661/; classtype:trojan-activity;sid:84695761; rev:1;)
# One rule per `agent_<suffix>` file on host 142.248.80.139 (created 2026_04_26); the suffixes look
# like CPU-architecture names (arm64, mips, amd64, armv6).
# All of them share the host match, so alerts from this group point at the same server; the sid in
# each alert identifies which file was requested.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_arm64"; depth:12; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832662/; classtype:trojan-activity;sid:84695762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_mips"; depth:11; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832663/; classtype:trojan-activity;sid:84695763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_amd64"; depth:12; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832664/; classtype:trojan-activity;sid:84695764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_armv6"; depth:12; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832658/; classtype:trojan-activity;sid:84695758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832659)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/agent_armv7"; depth:12; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832659/; classtype:trojan-activity;sid:84695759; rev:1;)
# Last `agent_<suffix>` rule for 142.248.80.139, then the `/terrabot/023782pler.<suffix>` group on
# 140.233.190.47 (all created 2026_04_26).
# Each suffixed file has its own URLhaus id and sid; URI and Host are both matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent_x86"; depth:10; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832660/; classtype:trojan-activity;sid:84695760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.x86_64"; depth:27; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832516/; classtype:trojan-activity;sid:84695616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm6"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832514/; classtype:trojan-activity;sid:84695614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.mpsl"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832508/; classtype:trojan-activity;sid:84695608; 
rev:1;)
# `/terrabot/023782pler.<suffix>` group on 140.233.190.47, continued (ppc, arm7, arm5, arm).
# The alert is raised on the outbound GET (flow:established,from_client); whether the binary was
# returned has to be confirmed from other telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.ppc"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832509/; classtype:trojan-activity;sid:84695609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm7"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832510/; classtype:trojan-activity;sid:84695610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm5"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832511/; classtype:trojan-activity;sid:84695611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.arm"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832503/; classtype:trojan-activity;sid:84695603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.x86"; depth:24; endswith; nocase; 
http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832504/; classtype:trojan-activity;sid:84695604; rev:1;)
# End of the `/terrabot/` group (sh4, m68k), then a GitHub-hosted DLL path and a `/bin.sh` rule on an
# IP-literal host (all created 2026_04_26).
# NOTE(review): the github.com rule is `alert http`; GitHub is normally reached over HTTPS, so it
# presumably needs decrypted traffic to fire - confirm against the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.sh4"; depth:24; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832505/; classtype:trojan-activity;sid:84695605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/terrabot/023782pler.m68k"; depth:25; endswith; nocase; http.host; content:"140.233.190.47"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832501/; classtype:trojan-activity;sid:84695601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerd1337-afk/1337/raw/refs/heads/main/abe_decrypt.dll"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832353/; classtype:trojan-activity;sid:84695453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"193.187.101.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832339/; classtype:trojan-activity;sid:84695439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3832039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/cred64.dll"; depth:30; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832039/; classtype:trojan-activity;sid:84695139; rev:1;)
# A `/plugins/` DLL path on 91.92.242.236 and a `/i` rule on an IP-literal host (created 2026_04_26),
# then the first GitHub-hosted ZIP rules dated 2026_04_25.
# No rule sets a priority keyword; alert priority therefore follows from classtype:trojan-activity as
# mapped in the sensor's classification configuration.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3832038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/cred.dll"; depth:28; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3832038/; classtype:trojan-activity;sid:84695138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.244.232.184"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_26; reference:url, urlhaus.abuse.ch/url/3831874/; classtype:trojan-activity;sid:84694974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labieds/splitwriter/raw/refs/heads/main/public/splitwriter-v2.8.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831490/; classtype:trojan-activity;sid:84694590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jamesnaismit/cv-screener/raw/refs/heads/main/web/hooks/cv-screener-3.4.zip"; depth:75; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831491/; classtype:trojan-activity;sid:84694591; rev:1;)
# GitHub-hosted ZIP payloads created 2026_04_25.
# raw.githubusercontent.com paths appear here in the `/<owner>/<repo>/main/...` form and github.com
# paths in the `/<owner>/<repo>/raw/refs/heads/main/...` form; each rule matches only the exact
# string it lists.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sahius1/socialvideoutility/main/screenshots/video-social-utility-v2.2.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831492/; classtype:trojan-activity;sid:84694592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123affano1/claudetrack/raw/refs/heads/main/client/src/pages/software_v1.6.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831479/; classtype:trojan-activity;sid:84694579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/douniajammali31/grammarfixer/raw/refs/heads/main/images/grammarfixer-2.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831480/; classtype:trojan-activity;sid:84694580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chamara1989/prismos-ai/main/docs/screenshots/prismos_ai_2.6.zip"; depth:64; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831481/; classtype:trojan-activity;sid:84694581; rev:1;)
# GitHub-hosted ZIP payloads created 2026_04_25.
# Host is matched exactly: depth:10 equals the length of "github.com" and isdataat:!1,relative requires
# that nothing follows it, so subdomains and look-alike hosts are not matched by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/commutertrafficfarsi309/qclaw-old/raw/refs/heads/main/fasciolidae/qclaw_old_v1.2.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831482/; classtype:trojan-activity;sid:84694582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iamsujalarora/githubmeter/raw/refs/heads/main/src/styles/github_meter_v2.5.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831483/; classtype:trojan-activity;sid:84694583; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arockiakoilpillai/temp-email-api/raw/refs/heads/master/images/temp-email-api-v1.4.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831484/; classtype:trojan-activity;sid:84694584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggshcgdh/localtranslateapp/raw/refs/heads/main/kittly/translate_app_local_3.5.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831485/; classtype:trojan-activity;sid:84694585; rev:1;)
# GitHub-hosted ZIP payloads created 2026_04_25.
# The jamesnaismit/cv-screener and douniajammali31/grammarfixer repositories also appear in other
# rules of this file with different file paths; each path is a separate rule, so the repository owner
# in the URI is a useful grouping key when triaging alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jamesnaismit/cv-screener/raw/refs/heads/main/api/postman/screener_cv_v2.8-alpha.2.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831487/; classtype:trojan-activity;sid:84694587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/douniajammali31/grammarfixer/raw/refs/heads/main/grammarfixer/resources/fixer-grammar-1.6.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831488/; classtype:trojan-activity;sid:84694588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reency/blox-fruits/raw/refs/heads/main/regardance/fruits_blox_v1.0.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831489/; classtype:trojan-activity;sid:84694589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lapk0m/n01d-overwatch/main/shared/overwatch-n-d-2.9.zip"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831478/; classtype:trojan-activity;sid:84694578; rev:1;)
# GitHub-hosted payloads created 2026_04_25; the first entry below is a `.pkg` file rather than a ZIP.
# The ayubalishah/mac-recorder repository is listed under both github.com and
# raw.githubusercontent.com, with a different file path in each rule.
# These are request-side matches only (flow:established,from_client); the response is not inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayubalishah/mac-recorder/raw/refs/heads/main/dist/macrecorder-0.2.0.pkg"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831472/; classtype:trojan-activity;sid:84694572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mwamwaaaa/opentypeless/main/src/hooks/software-v1.3.zip"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831473/; classtype:trojan-activity;sid:84694573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayubalishah/mac-recorder/main/macrecorder/resources/assets.xcassets/recorder-mac-2.6.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831474/; classtype:trojan-activity;sid:84694574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nightmanvr/modernnav/raw/refs/heads/main/src/hooks/modern_nav_1.5.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831475/; classtype:trojan-activity;sid:84694575; rev:1;)
# GitHub-hosted ZIP payloads created 2026_04_25.
# NOTE(review): the first rule below (sid 84694571) carries a literal `%20` in its http.uri content,
# and depth:96 counts those characters. http.uri is the normalized URI buffer, and Suricata documents
# percent-escapes such as %20 as decoded there, so this rule may never match the real request -
# verify on the sensor; http.uri.raw is the buffer for the undecoded form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labieds/splitwriter/main/src/windows%20-%20old/boards/text-engine/_old/software-v2.8-beta.5.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831471/; classtype:trojan-activity;sid:84694571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/twelve-today822/juai/main/assets/ai_ju_riverwards.zip"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831462/; classtype:trojan-activity;sid:84694562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yashsoni443/ai-image-generator-web/master/functions/web_generator_image_ai_v2.3.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831450/; classtype:trojan-activity;sid:84694550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unaccustomed-godspeed86/appbun/main/src/lib/software-2.5.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, 
urlhaus.abuse.ch/url/3831446/; classtype:trojan-activity;sid:84694546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yashsoni443/ai-image-generator-web/raw/refs/heads/master/functions/ai-image-generator-web_v3.0.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831447/; classtype:trojan-activity;sid:84694547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lacquerwarepernyimoth791/crosshair-x-custom-crosshair-overlay-for-every-game/raw/refs/heads/main/1.24.2/for_game_custom_overlay_every_crosshair_3.2-alpha.2.zip"; depth:160; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831448/; classtype:trojan-activity;sid:84694548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yuhejdjdi2828264/ediktefinder-analyzer/raw/refs/heads/main/feminality/analyzer-edikte-finder-3.2.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831449/; classtype:trojan-activity;sid:84694549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/almondleaveswillowlorenzodressing280/opguia/main/opguia/pages/connection/software-v1.2-alpha.2.zip"; depth:99; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831441/; classtype:trojan-activity;sid:84694541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yousefmohamed54701/pygenpass/main/intertangle/gen-py-pass-v3.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831442/; classtype:trojan-activity;sid:84694542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrfrank-07/ipa-edit/raw/refs/heads/main/modules/edit_i_p_v1.7.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831443/; classtype:trojan-activity;sid:84694543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bragii044/securekey-vault/main/context/secure_vault_key_v2.5.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831445/; classtype:trojan-activity;sid:84694545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ajobka/teams-alive/raw/refs/heads/main/childe/teams-alive-1.1.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831436/; classtype:trojan-activity;sid:84694536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astriefaw/animo-app/raw/refs/heads/master/gradle/wrapper/animo-app_v2.0.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831439/; classtype:trojan-activity;sid:84694539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pitthawat7/openclaw-win/raw/refs/heads/main/src/win_openclaw_2.7-alpha.2.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831432/; classtype:trojan-activity;sid:84694532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/funeralvalue508/crossdevicetracker.desktop/main/unheretical/cross_tracker_desktop_device_v1.8.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831433/; classtype:trojan-activity;sid:84694533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparoecanthusfultoni104/exphora_db/raw/refs/heads/main/ui/src/components/settings/exphora-db-v3.4-beta.1.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831429/; classtype:trojan-activity;sid:84694529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anandhupeepi/kafkalet/raw/refs/heads/main/frontend/node_modules/tailwindcss/lib/cli/software-cowardy.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831430/; classtype:trojan-activity;sid:84694530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hundred-praisworthiness384/domainos/main/scripts/os-domain-1.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831425/; classtype:trojan-activity;sid:84694525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acting-correlationalanalysis567/twin-bridge-v1/main/frontend/src/bridge_twin_1.1.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831427/; classtype:trojan-activity;sid:84694527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kathan2504/auto-voice-over-tool/raw/refs/heads/main/src/windows/main/auto_tool_over_voice_fining.zip"; depth:101; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831417/; classtype:trojan-activity;sid:84694517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loeyyyyy/ai-voice-changer-real-time-2026/raw/refs/heads/main/cpp/de/jurihock/voicesmith/plug/time-changer-real-a-voice-3.4.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831406/; classtype:trojan-activity;sid:84694506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astriefaw/animo-app/raw/refs/heads/master/gradle/animo_app_v1.2.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831407/; classtype:trojan-activity;sid:84694507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poetic-macroglia442/openclaw-desktop-launcher/raw/refs/heads/main/startopenclawlauncher/services/launcher_desktop_openclaw_v3.8-beta.2.zip"; depth:139; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831409/; classtype:trojan-activity;sid:84694509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/memet-jo/trading/raw/refs/heads/main/sylphlike/software_1.0.zip"; depth:64; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831410/; classtype:trojan-activity;sid:84694510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sb090/tauri-plugin-macos-fps/main/examples/fps-diag/src-tauri/capabilities/plugin_macos_fps_tauri_2.4.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831411/; classtype:trojan-activity;sid:84694511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koteshwr-ra/linux-mac/main/image/common/overlay/etc/linux_mac_hacker.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831403/; classtype:trojan-activity;sid:84694503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdulmejid/desktopledsync/main/providers/desktop_led_sync_v3.3.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831404/; classtype:trojan-activity;sid:84694504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eliasxii/nullbyte/raw/refs/heads/main/docs/assets/byte_null_v3.0-beta.4.zip"; depth:76; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831405/; classtype:trojan-activity;sid:84694505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scriptez1/redxfreesteaminstaller/releases/download/v2.4.4/redx_setup.exe"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831369/; classtype:trojan-activity;sid:84694469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/duroypogi/gann-master-3d/raw/refs/heads/main/perichondritis/gann-d-master-v3.0-beta.5.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831364/; classtype:trojan-activity;sid:84694464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojb2017/vectorfusion/raw/refs/heads/main/assets/vectorfusion_aplanospore.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831366/; classtype:trojan-activity;sid:84694466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anantbhardwaj828/cursor-free-vip/raw/refs/heads/main/electron/vip-free-cursor-v2.3.zip"; depth:87; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831367/; classtype:trojan-activity;sid:84694467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tphuc7639/chop-your-tree-script/raw/refs/heads/main/endermatic/scripttreeyourchop-1.8-beta.5.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831361/; classtype:trojan-activity;sid:84694461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/duroypogi/gann-master-3d/raw/refs/heads/main/perichondritis/master_d_gann_2.9.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831362/; classtype:trojan-activity;sid:84694462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tphuc7639/chop-your-tree-script/raw/refs/heads/main/endermatic/your_script_tree_chop_3.2.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831363/; classtype:trojan-activity;sid:84694463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puscasupaul01/wallet-hunter/raw/refs/heads/main/unchastised/hunter_wallet_cockshut.zip"; depth:87; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831358/; classtype:trojan-activity;sid:84694458; rev:1;)
# The line above is the tail of a signature that starts on the previous line; the
# last line of this group is the head of a signature that continues on the next line.
#
# Review notes for the signatures below (one rule per line):
# - Each one matches a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET on an
#   established flow, client side only.
# - http.uri: `depth` equals the pattern length and `endswith` is set, so the whole
#   URI buffer has to equal the pattern (case-insensitively, because of `nocase`).
# - http.host: `depth` plus `isdataat:!1,relative` pins the whole host value.
# - A hit therefore means a client requested exactly the listed URL. These are
#   indicator matches, not behavioural detections; the `reference:url` field points
#   at the URLhaus entry to check during triage.
# NOTE(review): `alert http` only inspects traffic the sensor can parse as HTTP.
#   The github.com entry would presumably be fetched over HTTPS in practice - confirm
#   whether TLS is decrypted ahead of this sensor; if it is not, cover the same
#   indicator from proxy, DNS or TLS SNI telemetry.
# NOTE(review): for the "/i" and "/g.sh" entries the URI pattern is only a few bytes
#   long, so the specificity comes from the pinned host IP. Hosting IPs can change
#   hands; verify the referenced URLhaus entry is still current before acting on a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.129.153.224"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831230/; classtype:trojan-activity;sid:84694330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3831217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"193.187.101.209"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3831217/; classtype:trojan-activity;sid:84694317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830970/; classtype:trojan-activity;sid:84694070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/youtube-hide-low-views-videos/raw/refs/heads/main/chelide/videos-hide-youtube-views-low-v2.6.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830938/; classtype:trojan-activity;sid:84694038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3830936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/n8n-mt5-fetch/refs/heads/main/telluriferous/fetch_n_mt_v3.9.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830936/; classtype:trojan-activity;sid:84694036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/n8n-mt5-fetch/raw/refs/heads/main/telluriferous/fetch_n_mt_v3.9.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830937/; classtype:trojan-activity;sid:84694037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/rupa9495.github.io/raw/refs/heads/main/pterotheca/io-rupa-github-1.6.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830934/; classtype:trojan-activity;sid:84694034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rupa9495/youtube-hide-low-views-videos/refs/heads/main/chelide/videos-hide-youtube-views-low-v2.6.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_25; reference:url, urlhaus.abuse.ch/url/3830933/; classtype:trojan-activity;sid:84694033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3830856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/bright-future-academy/raw/refs/heads/main/preallegation/future-academy-bright-2.4.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830856/; classtype:trojan-activity;sid:84693956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/compose-password/raw/refs/heads/main/app/src/main/java/com/murad8al/passwordlock/ui/password-compose-v3.8.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830859/; classtype:trojan-activity;sid:84693959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/particalfun/refs/heads/main/build/software-v3.8-beta.1.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830860/; classtype:trojan-activity;sid:84693960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/kevlar782.github.io/raw/refs/heads/main/elocutionary/io-github-kevlar-eremology.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830861/; classtype:trojan-activity;sid:84693961; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/claude-code-showcase/raw/refs/heads/main/.claude/skills/core-components/showcase-claude-code-3.2-beta.5.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830862/; classtype:trojan-activity;sid:84693962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/data_analyst-bi_dev-portfolio.github.io/raw/refs/heads/main/assets/io_b_github_portfoli_analys_dat_de_v2.8.zip"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830863/; classtype:trojan-activity;sid:84693963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mhmdoafv/swiftemoji/raw/refs/heads/main/sources/swiftemojiindex/datasource/swift-emoji-1.9-beta.3.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830864/; classtype:trojan-activity;sid:84693964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/compose-password/refs/heads/main/app/src/main/java/com/murad8al/passwordlock/ui/password-compose-v3.8.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; 
reference:url, urlhaus.abuse.ch/url/3830865/; classtype:trojan-activity;sid:84693965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/portfolio/raw/refs/heads/main/assets/projects/software_v3.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830866/; classtype:trojan-activity;sid:84693966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mhmdoafv/mhmdoafv.github.io/raw/refs/heads/main/cephalhematoma/github-io-mhmdoafv-1.6.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830867/; classtype:trojan-activity;sid:84693967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/facebook-marketing-automation/refs/heads/main/baseheartedness/facebook_automation_marketing_1.0.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830868/; classtype:trojan-activity;sid:84693968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mhmdoafv/mhmdoafv.github.io/refs/heads/main/cephalhematoma/github-io-mhmdoafv-1.6.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830869/; classtype:trojan-activity;sid:84693969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/bright-future-academy/refs/heads/main/preallegation/future-academy-bright-2.4.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830870/; classtype:trojan-activity;sid:84693970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/portfolio/refs/heads/main/assets/projects/software_v3.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830871/; classtype:trojan-activity;sid:84693971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raditpasy25/aws-serverless-elt-pipeline/refs/heads/main/infra/terraform/modules/lambda_event_source_mapping/serverless_pipeline_aw_el_v3.5-beta.5.zip"; depth:150; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830873/; classtype:trojan-activity;sid:84693973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/swiftuihelpers/refs/heads/main/resources/helpers-swift-ui-v2.8-beta.2.zip"; depth:90; 
endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830874/; classtype:trojan-activity;sid:84693974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raditpasy25/aws-serverless-elt-pipeline/raw/refs/heads/main/infra/terraform/modules/lambda_event_source_mapping/serverless_pipeline_aw_el_v3.5-beta.5.zip"; depth:154; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830875/; classtype:trojan-activity;sid:84693975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/facebook-marketing-automation/raw/refs/heads/main/baseheartedness/facebook_automation_marketing_1.0.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830876/; classtype:trojan-activity;sid:84693976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fadeldia/data_analyst-bi_dev-portfolio.github.io/refs/heads/main/assets/io_b_github_portfoli_analys_dat_de_v2.8.zip"; depth:116; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830853/; classtype:trojan-activity;sid:84693953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830854)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ipoprock/ipoprock.github.io/refs/heads/main/decanically/io_github_ipoprock_2.0.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830854/; classtype:trojan-activity;sid:84693954; rev:1;)
# Rule template shared by every entry below (one rule per URL reported to URLhaus):
#   - $HOME_NET -> $EXTERNAL_NET, client side of an established flow, HTTP method GET.
#   - http.uri: "depth:N; endswith;" with N equal to the content length pins the pattern to
#     both ends of the buffer, so only that exact URI matches (case-insensitively, via nocase).
#     The same file requested with a query string appended, or through another ref (tag,
#     commit hash, other branch), is not covered by the entry.
#   - http.host: "depth:N; isdataat:!1,relative;" likewise requires the host to be exactly
#     the listed name, with nothing after it.
# NOTE(review): these are "alert http" rules, so they only see requests the sensor can parse
# as cleartext HTTP. github.com and raw.githubusercontent.com are normally reached over HTTPS;
# without TLS decryption ahead of the sensor these entries are unlikely to fire. Confirm
# against the deployment and consider matching the same URLhaus URLs in proxy or endpoint logs.
# Where both are visible, entries come in pairs: the github.com "/raw/refs/heads/..." path and
# the raw.githubusercontent.com "/refs/heads/..." path of the same repository file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/builds/raw/refs/heads/main/build/software-1.4.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830855/; classtype:trojan-activity;sid:84693955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muradaldahmashi/android-development/refs/heads/main/examples/android-development-v3.7.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830849/; classtype:trojan-activity;sid:84693949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyasdz/stm32-oled-i2c-hal-coding-method/refs/heads/main/drivers/cmsis/device/st/st_ha_coding_method_ole_v3.3.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830850/; classtype:trojan-activity;sid:84693950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raditpasy25/raditpasy25.github.io/raw/refs/heads/main/degradement/github-raditpasy-io-2.5.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830847/; classtype:trojan-activity;sid:84693947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/builds/refs/heads/main/build/software-1.4.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830846/; classtype:trojan-activity;sid:84693946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alyasdz/alyasdz.github.io/raw/refs/heads/main/primulic/io_alyasdz_github_v1.2.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830845/; classtype:trojan-activity;sid:84693945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/claude-code-showcase/refs/heads/main/.claude/skills/core-components/showcase-claude-code-3.2-beta.5.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830842/; classtype:trojan-activity;sid:84693942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipoprock/ipoprock.github.io/raw/refs/heads/main/decanically/io_github_ipoprock_2.0.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830844/; classtype:trojan-activity;sid:84693944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojamesalaba93/bloom/refs/heads/main/packages/bloom/software-2.4.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830815/; classtype:trojan-activity;sid:84693915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/space-project/raw/refs/heads/master/home/project-space-3.2.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830816/; classtype:trojan-activity;sid:84693916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hankamarvanova/hankamarvanova.github.io/refs/heads/main/steamproof/io_hankamarvanova_github_v2.3.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830817/; classtype:trojan-activity;sid:84693917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830818)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/qwen3-vl-embedding/raw/refs/heads/main/scripts/evaluation/mmeb_v2/qwen-v-embedding-v3.0.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830818/; classtype:trojan-activity;sid:84693918; rev:1;)
# Each entry below: outbound GET, whole-buffer match on http.uri (depth equal to the content
# length plus endswith, nocase) and whole-buffer match on http.host (depth plus
# isdataat:!1,relative).
# The host in every entry here is github.com or raw.githubusercontent.com, a shared hosting
# platform, so the alert's meaning rests entirely on the repository path. Read a hit as
# "this specific archive was requested", not as a verdict on the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hankamarvanova/unified-db/raw/refs/heads/main/sources/db_unified_3.9.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830819/; classtype:trojan-activity;sid:84693919; rev:1;)
# The archive in the next entry sits under node_modules/get-intrinsic/.github/ rather than
# in the repository's own source tree.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/simple-calculator/raw/refs/heads/master/node_modules/get-intrinsic/.github/calculator_simple_v1.3.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830820/; classtype:trojan-activity;sid:84693920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftmesut/geanos-scene-optimizer/raw/refs/heads/main/styles/optimizer-scene-geanos-keenly.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830821/; classtype:trojan-activity;sid:84693921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/laravael-ui-dashboard/raw/refs/heads/main/resources/views/pages/laravel/ui-laravael-dashboard-vitamer.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830822/; classtype:trojan-activity;sid:84693922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/laravael-ui-dashboard/refs/heads/main/resources/views/pages/laravel/ui-laravael-dashboard-vitamer.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830824/; classtype:trojan-activity;sid:84693924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/genshin-ts/raw/refs/heads/main/whitecap/ts-genshin-2.2-alpha.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830826/; classtype:trojan-activity;sid:84693926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/game/raw/refs/heads/main/reputed/software-v1.8-alpha.4.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830827/; classtype:trojan-activity;sid:84693927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/nextjs-tailwind-postgresql-project-template/raw/refs/heads/main/app/project-nextjs-template-tailwind-postgre-sq-v1.9.zip"; depth:133; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830828/; classtype:trojan-activity;sid:84693928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/espressivep.github.io/raw/refs/heads/main/infelicitousness/io-espressivep-github-2.5.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830829/; classtype:trojan-activity;sid:84693929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftmesut/craftmesut.github.io/raw/refs/heads/main/yuca/craftmesut_github_io_v1.8-beta.1.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830830/; classtype:trojan-activity;sid:84693930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hankamarvanova/unified-db/refs/heads/main/sources/db_unified_3.9.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830831/; classtype:trojan-activity;sid:84693931; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojamesalaba93/ojamesalaba93.github.io/refs/heads/main/stormward/io_ojamesalaba_github_v2.1.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830832/; classtype:trojan-activity;sid:84693932; rev:1;)
# Triage aid: in every entry below the number in msg and in the reference URL is the URLhaus
# entry id, and sid is that id plus 80863100, so an alert's sid maps straight back to
# urlhaus.abuse.ch/url/<id>/.
# All entries carry created_at 2026_04_24. They are point-in-time indicators with exact URI
# and host matches, so check the reference page for the entry's current status when
# investigating a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/nextjs-tailwind-postgresql-project-template/refs/heads/main/app/project-nextjs-template-tailwind-postgre-sq-v1.9.zip"; depth:129; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830834/; classtype:trojan-activity;sid:84693934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/game/refs/heads/main/reputed/software-v1.8-alpha.4.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830835/; classtype:trojan-activity;sid:84693935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftmesut/geanos-scene-optimizer/refs/heads/main/styles/optimizer-scene-geanos-keenly.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830836/; classtype:trojan-activity;sid:84693936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/espressivep/espressivep.github.io/refs/heads/main/infelicitousness/io-espressivep-github-2.5.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830837/; classtype:trojan-activity;sid:84693937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/kevlar782.github.io/refs/heads/main/elocutionary/io-github-kevlar-eremology.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830838/; classtype:trojan-activity;sid:84693938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kevlar782/genshin-ts/refs/heads/main/whitecap/ts-genshin-2.2-alpha.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830840/; classtype:trojan-activity;sid:84693940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maplecoder18/maplecoder18.github.io/refs/heads/main/flaky/maplecoder_io_github_v2.5.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830810/; classtype:trojan-activity;sid:84693910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ojamesalaba93/bloom/raw/refs/heads/main/packages/bloom/software-2.4.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830811/; classtype:trojan-activity;sid:84693911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/timiallen/space-project/refs/heads/master/home/project-space-3.2.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830813/; classtype:trojan-activity;sid:84693913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hankamarvanova/hankamarvanova.github.io/raw/refs/heads/main/steamproof/io_hankamarvanova_github_v2.3.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830814/; classtype:trojan-activity;sid:84693914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/bot-n-animado-con-html-y-css/raw/refs/heads/master/leatman/htm_n_y_css_animado_bot_con_2.2.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative;
metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830784/; classtype:trojan-activity;sid:84693884; rev:1;)
# The next entry is the only one in this stretch that is not a GitHub URL: a two-byte URI
# ("/i") on a bare IPv4 host. Anchoring both buffers to an exact match is what keeps such a
# short pattern specific. IP addresses get reassigned, so check the URLhaus reference for the
# entry's current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"5.79.147.245"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830781/; classtype:trojan-activity;sid:84693881; rev:1;)
# Remaining entries: outbound GET with whole-buffer matches on http.uri (depth equal to the
# content length plus endswith, nocase) and on http.host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/w_merchs/raw/refs/heads/main/src/layouts/merchs_3.4.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830780/; classtype:trojan-activity;sid:84693880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziebwon/cnmsb/refs/heads/main/docs/apt/dists/stable/software-3.8.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830777/; classtype:trojan-activity;sid:84693877; rev:1;)
# NOTE(review): the URI pattern in the next entry contains the literal text "%7d". http.uri is
# Suricata's normalized URI buffer; if percent-decoding is applied before matching, the
# request would present "}" at that position and this literal (and the depth, which counts
# "%7d" as three bytes) would not match. Verify against a capture, or evaluate an
# http.uri.raw variant locally. The entry with id 3830769 further down has the same pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeffplatinum1013/full-stack-fastapi-mongodb/refs/heads/main/%7d/scripts/mongodb_fastapi_full_stack_v3.5-beta.3.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830778/; classtype:trojan-activity;sid:84693878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/jhoi2000.github.io/raw/refs/heads/main/sociometry/github-jhoi-io-v2.3-beta.5.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830779/; classtype:trojan-activity;sid:84693879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtelej/solana-dev-skill/raw/refs/heads/main/skill/solana-dev-skill-3.6.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830762/; classtype:trojan-activity;sid:84693862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/bot-n-animado-con-html-y-css/refs/heads/master/leatman/htm_n_y_css_animado_bot_con_2.2.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830763/; classtype:trojan-activity;sid:84693863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtelej/mtelej.github.io/raw/refs/heads/main/outdream/io-github-mtelej-2.2.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830764/; classtype:trojan-activity;sid:84693864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/zen-c/raw/refs/heads/master/images/zen_c_hydramnion.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830765/; classtype:trojan-activity;sid:84693865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtelej/solana-dev-skill/refs/heads/main/skill/solana-dev-skill-3.6.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830766/; classtype:trojan-activity;sid:84693866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techgyan123/techgyan123.github.io/raw/refs/heads/main/stinkball/techgyan_github_io_thunderously.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830767/; classtype:trojan-activity;sid:84693867; rev:1;)
# NOTE(review): same literal "%7d" in the URI pattern as entry 3830778 above. Whether the
# normalized http.uri buffer still holds the encoded form needs confirming.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeffplatinum1013/full-stack-fastapi-mongodb/raw/refs/heads/main/%7d/scripts/mongodb_fastapi_full_stack_v3.5-beta.3.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830769/;
classtype:trojan-activity;sid:84693869; rev:1;)
# Each entry below matches one exact URL: GET, whole-buffer http.uri match (depth equal to
# the content length plus endswith, nocase) and whole-buffer http.host match.
# Several paths share one shape, /<account>/<account>.github.io/[raw/]refs/heads/main/<word>/<archive>.zip,
# but nothing in these rules generalises over that shape. A new archive under the same
# account is covered only once the feed lists it, so coverage depends on keeping the
# ruleset refreshed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/gestion_voluntario/raw/refs/heads/main/organizacion/voluntario_gestion_3.7.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830771/; classtype:trojan-activity;sid:84693871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/community-design-resources/refs/heads/main/brand-assets/rolldown/community-resources-design-v1.3.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830772/; classtype:trojan-activity;sid:84693872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/community-design-resources/raw/refs/heads/main/brand-assets/rolldown/community-resources-design-v1.3.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830773/; classtype:trojan-activity;sid:84693873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/w_merchs/refs/heads/main/src/layouts/merchs_3.4.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830774/; classtype:trojan-activity;sid:84693874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techgyan123/techgyan123.github.io/refs/heads/main/stinkball/techgyan_github_io_thunderously.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830775/; classtype:trojan-activity;sid:84693875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziebwon/cnmsb/raw/refs/heads/main/docs/apt/dists/stable/software-3.8.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830776/; classtype:trojan-activity;sid:84693876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/propesy_demon/refs/heads/main/public/propesy-demon-2.0.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830749/; classtype:trojan-activity;sid:84693849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/zen-c/refs/heads/master/images/zen_c_hydramnion.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830750/; classtype:trojan-activity;sid:84693850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeffplatinum1013/jeffplatinum1013.github.io/refs/heads/main/crook/io_jeffplatinum_github_1.6-alpha.4.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830751/; classtype:trojan-activity;sid:84693851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faisaloday/evotokendlm/refs/heads/master/assets/dlm_evo_token_1.0.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830752/; classtype:trojan-activity;sid:84693852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufiane20032003/astro-pu/raw/refs/heads/main/src/content/blog/pu_astro_v1.1.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830753/; classtype:trojan-activity;sid:84693853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufiane20032003/soufiane20032003.github.io/raw/refs/heads/main/coupling/soufiane-io-github-v1.2.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at
2026_04_24; reference:url, urlhaus.abuse.ch/url/3830754/; classtype:trojan-activity;sid:84693854; rev:1;)
# Every entry below uses the "alert" action, so as written these rules report the request and
# do not stop it. An inline deployment that needs blocking has to change the action
# locally.
# Matching is exact on both buffers: http.uri (depth equal to the content length plus
# endswith, nocase) and http.host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faisaloday/faisaloday.github.io/refs/heads/main/vesiculigerous/github_faisaloday_io_2.8.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830755/; classtype:trojan-activity;sid:84693855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/theenemylost.github.io/raw/refs/heads/main/predaylight/theenemylost_io_github_v1.4.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830756/; classtype:trojan-activity;sid:84693856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhoi2000/jhoi2000.github.io/refs/heads/main/sociometry/github-jhoi-io-v2.3-beta.5.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830757/; classtype:trojan-activity;sid:84693857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techgyan123/transformer-hierarchical-layers/raw/refs/heads/main/tests/utils/layers-hierarchical-transformer-3.5.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830759/; classtype:trojan-activity;sid:84693859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/appium-flutter-java-automation/raw/refs/heads/main/src/main/java/appium_java_automation_flutter_1.2-alpha.3.zip"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830760/; classtype:trojan-activity;sid:84693860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faisaloday/faisaloday.github.io/raw/refs/heads/main/vesiculigerous/github_faisaloday_io_2.8.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830761/; classtype:trojan-activity;sid:84693861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soufiane20032003/astro-pu/refs/heads/main/src/content/blog/pu_astro_v1.1.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830742/; classtype:trojan-activity;sid:84693842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/websyze.github.io/raw/refs/heads/main/invisible/io-github-websyze-overcustom.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830743/; classtype:trojan-activity;sid:84693843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/websyze.github.io/refs/heads/main/invisible/io-github-websyze-overcustom.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830744/; classtype:trojan-activity;sid:84693844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theenemylost/theenemylost.github.io/refs/heads/main/predaylight/theenemylost_io_github_v1.4.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830745/; classtype:trojan-activity;sid:84693845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/websyze/appium-flutter-java-automation/refs/heads/main/src/main/java/appium_java_automation_flutter_1.2-alpha.3.zip"; depth:116; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830747/; classtype:trojan-activity;sid:84693847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830748)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/techgyan123/transformer-hierarchical-layers/refs/heads/main/tests/utils/layers-hierarchical-transformer-3.5.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830748/; classtype:trojan-activity;sid:84693848; rev:1;)
# Each entry below: outbound GET, exact http.uri match (depth equal to the content length
# plus endswith) and exact http.host match (depth plus isdataat:!1,relative).
# Every URI pattern here is lower-case and paired with nocase, so the rule text does not
# preserve the original casing of account, repository or file names (presumably lower-cased
# by the feed generator). Use the urlhaus.abuse.ch reference in each rule for the URL as
# reported when pivoting into proxy or endpoint logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/awesome-flipperzero/raw/refs/heads/main/squirrelfish/flipperzero_awesome_2.6.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830734/; classtype:trojan-activity;sid:84693834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/detsad312.github.io/refs/heads/main/untwinned/io-github-detsad-2.0.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830726/; classtype:trojan-activity;sid:84693826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubreg0301/bubreg0301.github.io/refs/heads/main/impedance/io_bubreg_github_v3.2.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830727/; classtype:trojan-activity;sid:84693827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/profile-metadata/refs/heads/main/spiranthy/metadata-profile-v1.5.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830728/; classtype:trojan-activity;sid:84693828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/darkexception22.github.io/raw/refs/heads/main/unreachably/darkexception_github_io_v2.7.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830729/; classtype:trojan-activity;sid:84693829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novabiriseg/gpio-led-cycle/refs/heads/main/drivers/stm32f4xx_hal_driver/src/le-cycle-gpi-1.3.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830730/; classtype:trojan-activity;sid:84693830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/darkexception22.github.io/refs/heads/main/unreachably/darkexception_github_io_v2.7.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830732/; classtype:trojan-activity;sid:84693832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/novabar/refs/heads/main/data/nova-bar-2.9.zip"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830733/; classtype:trojan-activity;sid:84693833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/dim747.github.io/raw/refs/heads/main/downfold/dim-github-io-myogenetic.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830716/; classtype:trojan-activity;sid:84693816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/afa567.github.io/raw/refs/heads/main/foreadvice/afa_github_io_2.7.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830717/; classtype:trojan-activity;sid:84693817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/dim747.github.io/refs/heads/main/downfold/dim-github-io-myogenetic.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830718/; classtype:trojan-activity;sid:84693818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3830719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/profile-metadata/raw/refs/heads/main/spiranthy/metadata-profile-v1.5.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830719/; classtype:trojan-activity;sid:84693819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mo911-w16/mo911-w16.github.io/refs/heads/main/towards/github-w-mo-io-badenite.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830721/; classtype:trojan-activity;sid:84693821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/openbento/refs/heads/main/components/software_v3.2-beta.2.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830722/; classtype:trojan-activity;sid:84693822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novabiriseg/gpio-led-cycle/raw/refs/heads/main/drivers/stm32f4xx_hal_driver/src/le-cycle-gpi-1.3.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830724/; classtype:trojan-activity;sid:84693824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/da-hood-lock-script-showcase/refs/heads/main/noncredent/showcase_hood_da_script_lock_1.9.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830712/; classtype:trojan-activity;sid:84693812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pgmonitorbrasil/pgmonitorbrasil.github.io/raw/refs/heads/main/schematonics/io_pgmonitorbrasil_github_v3.9.zip"; depth:110; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830713/; classtype:trojan-activity;sid:84693813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/afa567.github.io/refs/heads/main/foreadvice/afa_github_io_2.7.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830714/; classtype:trojan-activity;sid:84693814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/detsad312.github.io/raw/refs/heads/main/untwinned/io-github-detsad-2.0.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830715/; classtype:trojan-activity;sid:84693815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3830710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/universal-ideation-v3/raw/refs/heads/main/driftpiece/ideation-universal-v-v1.7.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830710/; classtype:trojan-activity;sid:84693810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/ydanok01.github.io/raw/refs/heads/main/eagless/github_ydanok_io_v3.2.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830711/; classtype:trojan-activity;sid:84693811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/afa567/universal-ideation-v3/refs/heads/main/driftpiece/ideation-universal-v-v1.7.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830703/; classtype:trojan-activity;sid:84693803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubreg0301/tracey/refs/heads/main/docs/spec/software-3.5.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830704/; classtype:trojan-activity;sid:84693804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3830705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/novabar/raw/refs/heads/main/data/nova-bar-2.9.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830705/; classtype:trojan-activity;sid:84693805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/aayush/refs/heads/master/dietic/software-commenceable.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830706/; classtype:trojan-activity;sid:84693806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/aayush/raw/refs/heads/master/dietic/software-commenceable.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830707/; classtype:trojan-activity;sid:84693807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/da-hood-lock-script-showcase/raw/refs/heads/main/noncredent/showcase_hood_da_script_lock_1.9.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830708/; classtype:trojan-activity;sid:84693808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/detsad312/openbento/raw/refs/heads/main/components/software_v3.2-beta.2.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830709/; classtype:trojan-activity;sid:84693809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/flipper/refs/heads/main/sub-ghz/remote_outlet_switches/voltman_dio041050/software_v3.6.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830698/; classtype:trojan-activity;sid:84693798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubreg0301/bubreg0301.github.io/raw/refs/heads/main/impedance/io_bubreg_github_v3.2.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830699/; classtype:trojan-activity;sid:84693799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/awesome-flipperzero/refs/heads/main/squirrelfish/flipperzero_awesome_2.6.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830700/; classtype:trojan-activity;sid:84693800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3830702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pgmonitorbrasil/nav2_hybrid_a_star/raw/refs/heads/main/src/data/nav_hybrid_star_v2.9.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830702/; classtype:trojan-activity;sid:84693802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/zaluea/raw/refs/heads/main/site/games/flappybird/files/assets/3371288/1/software_v1.9.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830692/; classtype:trojan-activity;sid:84693792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/alphabet/raw/refs/heads/main/src/cmps/software_unattuned.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830693/; classtype:trojan-activity;sid:84693793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pgmonitorbrasil/pgmonitorbrasil.github.io/refs/heads/main/schematonics/io_pgmonitorbrasil_github_v3.9.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830695/; classtype:trojan-activity;sid:84693795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3830696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydanok01/ydanok01.github.io/refs/heads/main/eagless/github_ydanok_io_v3.2.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830696/; classtype:trojan-activity;sid:84693796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dim747/zaluea/refs/heads/main/site/games/flappybird/files/assets/3371288/1/software_v1.9.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830689/; classtype:trojan-activity;sid:84693789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkexception22/alphabet/refs/heads/main/src/cmps/software_unattuned.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830690/; classtype:trojan-activity;sid:84693790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/qt-liquid-glass/refs/heads/main/bulliform/qt_glass_liquid_3.5.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830682/; classtype:trojan-activity;sid:84693782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3830683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"5.79.147.245"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830683/; classtype:trojan-activity;sid:84693783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/obscure-affairs-unlocked-edition/refs/heads/branch/taurobolium/unlocked-obscure-affairs-edition-3.0.zip"; depth:115; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830680/; classtype:trojan-activity;sid:84693780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/.ai-dev/refs/heads/main/features/dev_ai_v3.4.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830678/; classtype:trojan-activity;sid:84693778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/neon-abyss-2-mod-toolkit/raw/refs/heads/branch/hypsophyllary/neon-toolkit-abyss-mod-v3.0.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830665/; classtype:trojan-activity;sid:84693765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830666)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/wpu-resolusi/raw/refs/heads/master/distractedness/wpu-resolusi-reapparition.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830666/; classtype:trojan-activity;sid:84693766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lkjhygtgvbhnjk/jquery-image-slider/raw/refs/heads/main/js/jquery-slider-image-2.1.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830667/; classtype:trojan-activity;sid:84693767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/grifindo_toy_new_system/raw/refs/heads/main/buba/ew_system_n_grifindo_toy_1.7.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830668/; classtype:trojan-activity;sid:84693768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/jquery-status-message/raw/refs/heads/main/css/status_message_jquery_2.2.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830669/; classtype:trojan-activity;sid:84693769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830670)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/dunia-gelap-butuh-resolusi-2023/refs/heads/main/nontidal/butuh-gelap-resolusi-dunia-v2.8.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830670/; classtype:trojan-activity;sid:84693770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huseindyslexic178/internee.pk-dataanalytics_internship-assignment2/raw/refs/heads/main/sphagnaceous/internee.pk-dataanalytics_internship-assignment2-v3.3.zip"; depth:158; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830671/; classtype:trojan-activity;sid:84693771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/obscure-affairs-unlocked-edition/raw/refs/heads/branch/taurobolium/unlocked-obscure-affairs-edition-3.0.zip"; depth:119; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830672/; classtype:trojan-activity;sid:84693772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/wpu-resolusi/refs/heads/master/distractedness/wpu-resolusi-reapparition.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830673/; 
classtype:trojan-activity;sid:84693773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/dunia-gelap-butuh-resolusi-2023/raw/refs/heads/main/nontidal/butuh-gelap-resolusi-dunia-v2.8.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830674/; classtype:trojan-activity;sid:84693774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdoooali/corellm/raw/refs/heads/main/corellm/software_calaba.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830675/; classtype:trojan-activity;sid:84693775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/awesome-dotnet/refs/heads/main/impersonize/awesome-dotnet-v2.9.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830676/; classtype:trojan-activity;sid:84693776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/celestiapolyunsaturated14/helios-engine/raw/refs/heads/master/tests/helios_engine_v1.3-beta.1.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, 
urlhaus.abuse.ch/url/3830644/; classtype:trojan-activity;sid:84693744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lumansitrevormwesigwa/parallaxparticles/raw/refs/heads/main/parallax.xcodeproj/xcuserdata/pa.alekseev.xcuserdatad/xcschemes/parallax_particles_2.7.zip"; depth:151; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830645/; classtype:trojan-activity;sid:84693745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/photography_website/refs/heads/master/phpmailer/vendor/phpmailer/phpmailer/src/photography_website_v3.5.zip"; depth:128; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830647/; classtype:trojan-activity;sid:84693747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huseindyslexic178/internee.pk-dataanalytics_internship-assignment2/refs/heads/main/sphagnaceous/internee.pk-dataanalytics_internship-assignment2-v3.3.zip"; depth:154; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830648/; classtype:trojan-activity;sid:84693748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830649)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/floyddemocratic337/fijahu-6/refs/heads/main/sibby/fijahu_v1.2.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830649/; classtype:trojan-activity;sid:84693749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdoooali/precision-aim-8ball-pool/raw/refs/heads/branch/catacorolla/precision-pool-aim-ball-1.3-beta.5.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830652/; classtype:trojan-activity;sid:84693752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sooryanaga/qt-liquid-glass/raw/refs/heads/main/bulliform/qt_glass_liquid_3.5.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830653/; classtype:trojan-activity;sid:84693753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/adriannablo.github.io/raw/refs/heads/main/unpremeditatedly/github-nablo-io-adrian-3.7.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830654/; classtype:trojan-activity;sid:84693754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830655)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wijewardhanagayashi/grifindo_toy_new_system/refs/heads/main/buba/ew_system_n_grifindo_toy_1.7.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830655/; classtype:trojan-activity;sid:84693755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/szhuaa/java-fundamentals-fullname-/raw/refs/heads/main/postphlogistic/fullname_fundamentals_java_v3.6-alpha.1.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830656/; classtype:trojan-activity;sid:84693756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lkjhygtgvbhnjk/jquery-image-slider/refs/heads/main/js/jquery-slider-image-2.1.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830657/; classtype:trojan-activity;sid:84693757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/neon-abyss-2-mod-toolkit/refs/heads/branch/hypsophyllary/neon-toolkit-abyss-mod-v3.0.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830659/; classtype:trojan-activity;sid:84693759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3830660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/momofrd00/jquery-status-message/refs/heads/main/css/status_message_jquery_2.2.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830660/; classtype:trojan-activity;sid:84693760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/murad63/starwhore/raw/refs/heads/main/polyphaser/star_whore_v2.0.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830662/; classtype:trojan-activity;sid:84693762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wijewardhanagayashi/awesome-dotnet/raw/refs/heads/main/impersonize/awesome-dotnet-v2.9.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830664/; classtype:trojan-activity;sid:84693764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lumansitrevormwesigwa/parallaxparticles/refs/heads/main/parallax.xcodeproj/xcuserdata/pa.alekseev.xcuserdatad/xcschemes/parallax_particles_2.7.zip"; depth:147; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830641/; classtype:trojan-activity;sid:84693741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3830642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/szhuaa/pyflightprofiler/refs/heads/main/flight_profiler/plugins/tt/profiler_py_flight_3.7-beta.2.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830642/; classtype:trojan-activity;sid:84693742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/floyddemocratic337/fijahu-6/raw/refs/heads/main/sibby/fijahu_v1.2.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830643/; classtype:trojan-activity;sid:84693743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adriannablo/adriannablo.github.io/refs/heads/main/unpremeditatedly/github-nablo-io-adrian-3.7.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830639/; classtype:trojan-activity;sid:84693739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dishonorpeachpit230/fijahu-5/refs/heads/main/quiz/fijahu_v2.1.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830640/; classtype:trojan-activity;sid:84693740; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suren19173021/mytestproject/raw/refs/heads/main/vintager/software_1.2.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830628/; classtype:trojan-activity;sid:84693728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/machato2708/beyond-charts-interactive-storytelling/raw/refs/heads/main/illegalize/interactive_charts_beyond_storytelling_v1.6.zip"; depth:130; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830627/; classtype:trojan-activity;sid:84693727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/machato2708/beyond-charts-interactive-storytelling/refs/heads/main/illegalize/interactive_charts_beyond_storytelling_v1.6.zip"; depth:126; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830626/; classtype:trojan-activity;sid:84693726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericliu8888/blog-preview-card/raw/refs/heads/main/assets/preview-blog-card-outtop.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830621/; 
classtype:trojan-activity;sid:84693721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericliu8888/blog-preview-card/refs/heads/main/assets/preview-blog-card-outtop.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830624/; classtype:trojan-activity;sid:84693724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suren19173021/mytestproject/refs/heads/main/vintager/software_1.2.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830619/; classtype:trojan-activity;sid:84693719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonasedwardsalkfirehose824/bobanimelist/refs/heads/main/.droid/software-2.9-beta.4.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830620/; classtype:trojan-activity;sid:84693720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/separatesoapmaker/cs2-report-tool/raw/refs/heads/main/cs2reporttool-1.5.0-win64.rar"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830601/; 
classtype:trojan-activity;sid:84693701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/separatesoapmaker/cs2-report-tool/refs/heads/main/cs2reporttool-1.5.0-win64.rar"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830602/; classtype:trojan-activity;sid:84693702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seizesectorpraise/7-days-to-die-player-detection/refs/heads/main/7daystodiepd-1.4.0-win64.rar"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830600/; classtype:trojan-activity;sid:84693700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seizesectorpraise/7-days-to-die-player-detection/raw/refs/heads/main/7daystodiepd-1.4.0-win64.rar"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830598/; classtype:trojan-activity;sid:84693698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"91.92.243.181"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830140/; classtype:trojan-activity;sid:84693240; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.client.exe"; depth:23; endswith; nocase; http.host; content:"178.16.55.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830132/; classtype:trojan-activity;sid:84693232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3830135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/opvjr94jfe/plugins/vnc.exe"; depth:27; endswith; nocase; http.host; content:"91.92.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_24; reference:url, urlhaus.abuse.ch/url/3830135/; classtype:trojan-activity;sid:84693235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829957/; classtype:trojan-activity;sid:84693057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"123.132.166.255"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829895/; classtype:trojan-activity;sid:84692995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.226.178.108"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829580/; classtype:trojan-activity;sid:84692680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.84.219.118"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829571/; classtype:trojan-activity;sid:84692671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.226.178.108"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829559/; classtype:trojan-activity;sid:84692659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salesplataniik-commits/updates/v1/1583.txt"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829410/; classtype:trojan-activity;sid:84692510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salesplataniik-commits/sales/raw/refs/heads/main/nrrwihqidthwszel.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829411/; classtype:trojan-activity;sid:84692511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3829380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/52.exe"; depth:7; endswith; nocase; http.host; content:"168.222.254.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829380/; classtype:trojan-activity;sid:84692480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5252.exe"; depth:9; endswith; nocase; http.host; content:"168.222.254.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_23; reference:url, urlhaus.abuse.ch/url/3829381/; classtype:trojan-activity;sid:84692481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oualiide/manageengine-desktop-central-crack/refs/heads/master/ectocondyloid/central-crack-desktop-manage-engine-v2.7.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829211/; classtype:trojan-activity;sid:84692311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamevoid2366/authcrack-v8/raw/refs/heads/main/characteristically/auth-crack-v-2.1.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829208/; classtype:trojan-activity;sid:84692308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829209)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/oualiide/manageengine-desktop-central-crack/raw/refs/heads/master/ectocondyloid/central-crack-desktop-manage-engine-v2.7.zip"; depth:125; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829209/; classtype:trojan-activity;sid:84692309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/cloudweb/raw/refs/heads/main/unshattered/software_v3.4-beta.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829210/; classtype:trojan-activity;sid:84692310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sanfin/jsoncrack.com/raw/refs/heads/main/public/assets/com-jsoncrack-3.3-beta.3.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829202/; classtype:trojan-activity;sid:84692302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/cloudweb/refs/heads/main/unshattered/software_v3.4-beta.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829203/; classtype:trojan-activity;sid:84692303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829205)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/gamevoid2366/authcrack-v8/refs/heads/main/characteristically/auth-crack-v-2.1.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829205/; classtype:trojan-activity;sid:84692305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/todo/refs/heads/main/eyeberry/software_v3.2.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829207/; classtype:trojan-activity;sid:84692307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/vercel/raw/refs/heads/main/methylanthracene/software_1.9.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829201/; classtype:trojan-activity;sid:84692301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/todo/raw/refs/heads/main/eyeberry/software_v3.2.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829200/; classtype:trojan-activity;sid:84692300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829198)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jcalumag19/web/raw/refs/heads/main/reticence/software-uncivilish.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829198/; classtype:trojan-activity;sid:84692298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jcalumag19/web/refs/heads/main/reticence/software-uncivilish.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829197/; classtype:trojan-activity;sid:84692297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaktiigrover/autopasscrack/raw/refs/heads/main/autopasscrack/auto_pass_crack_v3.8.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829173/; classtype:trojan-activity;sid:84692273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuaricoco23/whiteboxaescrack/raw/refs/heads/main/fonts/white-crack-box-aes-v2.5.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829174/; classtype:trojan-activity;sid:84692274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829175)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/shaktiigrover/shakti-site/refs/heads/main/unseclusive/site_shakti_1.5-alpha.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829175/; classtype:trojan-activity;sid:84692275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaktiigrover/shakti-site/raw/refs/heads/main/unseclusive/site_shakti_1.5-alpha.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829176/; classtype:trojan-activity;sid:84692276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chotu120/batcrack/refs/heads/master/internal/cracker/crack_bat_v2.8-beta.5.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829177/; classtype:trojan-activity;sid:84692277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chotu120/batcrack/raw/refs/heads/master/internal/cracker/crack_bat_v2.8-beta.5.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829178/; classtype:trojan-activity;sid:84692278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829179)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wuaricoco23/valentine/raw/refs/heads/main/effortful/software-2.3.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829179/; classtype:trojan-activity;sid:84692279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuaricoco23/whiteboxaescrack/refs/heads/main/fonts/white-crack-box-aes-v2.5.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829170/; classtype:trojan-activity;sid:84692270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaktiigrover/autopasscrack/refs/heads/main/autopasscrack/auto_pass_crack_v3.8.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829171/; classtype:trojan-activity;sid:84692271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wuaricoco23/valentine/refs/heads/main/effortful/software-2.3.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829172/; classtype:trojan-activity;sid:84692272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829149)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/clad-chrism998/wasmcrack/raw/refs/heads/main/src/wasmcrack/struct_solver/wasm_crack_3.3.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829149/; classtype:trojan-activity;sid:84692249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pammyhangdog747/claude-cracks-the-whip/refs/heads/main/lapidarist/the_cracks_whip_claude_3.0.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829150/; classtype:trojan-activity;sid:84692250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pammyhangdog747/claude-cracks-the-whip/raw/refs/heads/main/lapidarist/the_cracks_whip_claude_3.0.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829151/; classtype:trojan-activity;sid:84692251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clad-chrism998/wasmcrack/refs/heads/main/src/wasmcrack/struct_solver/wasm_crack_3.3.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829148/; classtype:trojan-activity;sid:84692248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829139)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/devjinma/crackftp/refs/heads/main/therence/ftp-crack-v3.7.zip"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829139/; classtype:trojan-activity;sid:84692239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/grandaland/refs/heads/main/bournless/software-3.9.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829136/; classtype:trojan-activity;sid:84692236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/prueva/raw/refs/heads/master/merycoidodon/software-v3.0.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829131/; classtype:trojan-activity;sid:84692231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/hash_buster/raw/refs/heads/drylikov/erythrosiderite/hash_buster_hydrophinae.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829132/; classtype:trojan-activity;sid:84692232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829133)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/davittgamer/grandaland/raw/refs/heads/main/bournless/software-3.9.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829133/; classtype:trojan-activity;sid:84692233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/prueva/refs/heads/master/merycoidodon/software-v3.0.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829134/; classtype:trojan-activity;sid:84692234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/guvann1/raw/refs/heads/main/confirmatory/guvann-v1.7.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829135/; classtype:trojan-activity;sid:84692235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/cyjl/raw/refs/heads/main/assets/software-3.3.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829119/; classtype:trojan-activity;sid:84692219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829120)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/davittgamer/devcrack-mobile-interviews/refs/heads/main/credit/mobile-dev-interviews-crack-v3.2-alpha.1.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829120/; classtype:trojan-activity;sid:84692220; rev:1;)
# GitHub-hosted .zip downloads listed by URLhaus (created_at 2026_04_22). Several
# repositories appear twice, once per host form (github.com/<repo>/raw/... and
# raw.githubusercontent.com/<repo>/...), each under its own URLhaus id and sid.
# Matching is exact on both buffers: in http.uri the depth equals the content length
# and endswith is set; in http.host depth is paired with isdataat:!1,relative. The whole
# buffer must therefore equal the string (http.uri case-insensitively, via nocase); a
# request that adds a query string or names another branch or file is not matched.
# NOTE(review): these are `alert http` rules on http.* buffers, so they fire only where
# the sensor sees the request as HTTP. Presumably both hosts are reached over HTTPS in
# practice - confirm the sensor receives decrypted traffic; otherwise treat these sids
# as non-firing and cover the URLs from TLS-intercepting proxy or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luffy1402/crackftp-la/raw/refs/heads/main/gimped/ftp-la-crack-unenslave.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829121/; classtype:trojan-activity;sid:84692221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/cyjl/refs/heads/main/assets/software-3.3.zip"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829122/; classtype:trojan-activity;sid:84692222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/luffy1402/crackftp-la/refs/heads/main/gimped/ftp-la-crack-unenslave.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829123/; classtype:trojan-activity;sid:84692223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/canbemax/online-timer.github.io/refs/heads/main/font/online_timer_io_github_swainship.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829124/; classtype:trojan-activity;sid:84692224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/cursor-reset/raw/refs/heads/main/olympiadic/cursor_reset_1.3.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829125/; classtype:trojan-activity;sid:84692225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/social-bar/raw/refs/heads/gh-pages/fonts/social-bar-v3.8-alpha.3.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829126/; classtype:trojan-activity;sid:84692226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devjinma/crackftp/raw/refs/heads/main/therence/ftp-crack-v3.7.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829127/; classtype:trojan-activity;sid:84692227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/devcrack-mobile-interviews/raw/refs/heads/main/credit/mobile-dev-interviews-crack-v3.2-alpha.1.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829129/; classtype:trojan-activity;sid:84692229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davittgamer/social-bar/refs/heads/gh-pages/fonts/social-bar-v3.8-alpha.3.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829130/; classtype:trojan-activity;sid:84692230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/cursor-reset/refs/heads/main/olympiadic/cursor_reset_1.3.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829116/; classtype:trojan-activity;sid:84692216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guvann/guvann1/refs/heads/main/confirmatory/guvann-v1.7.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829117/; classtype:trojan-activity;sid:84692217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3829118)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/canbemax/hash_buster/refs/heads/drylikov/erythrosiderite/hash_buster_hydrophinae.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3829118/; classtype:trojan-activity;sid:84692218; rev:1;)
# From here the rules pin bare IP hosts. Paths such as "/i", "/t", "/tp", "/g", "/c" and
# "/cn" carry no signal alone; each rule is only as specific as its exact http.host
# match (depth == content length, isdataat:!1,relative), so a request whose host value
# differs from the listed literal is not matched.
# For every rule in this run sid = URLhaus id + 80863100, and the same id is in msg and
# reference, so an alert maps directly to its URLhaus entry.
# An alert records a GET sent by a $HOME_NET host, not a completed download: during
# triage check the HTTP response and identify the requesting device.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.247.155.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828736/; classtype:trojan-activity;sid:84691836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"112.247.155.211"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828729/; classtype:trojan-activity;sid:84691829; rev:1;)
# 208.84.100.209: a set of short paths and shell scripts (w.sh, ssh.sh, tftp.sh, p.sh,
# dvr.sh, curl.sh, d.sh, c.sh) plus /bins/ entries.
# NOTE(review): the script names look like one dropper per delivery path - inferred
# from the names only; confirm against the URLhaus entries before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t"; depth:2; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828598/; classtype:trojan-activity;sid:84691698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tp"; depth:3; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828599/; classtype:trojan-activity;sid:84691699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828600/; classtype:trojan-activity;sid:84691700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssh.sh"; depth:7; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828601/; classtype:trojan-activity;sid:84691701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp.sh"; depth:8; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828602/; classtype:trojan-activity;sid:84691702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828603/; classtype:trojan-activity;sid:84691703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mpsl"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828589/; classtype:trojan-activity;sid:84691689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr.sh"; depth:7; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828590/; classtype:trojan-activity;sid:84691690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl.sh"; depth:8; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828591/; classtype:trojan-activity;sid:84691691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828592/; classtype:trojan-activity;sid:84691692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c.sh"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828588/; classtype:trojan-activity;sid:84691688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dvr"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828583/; classtype:trojan-activity;sid:84691683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g"; depth:2; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828584/; classtype:trojan-activity;sid:84691684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c"; depth:2; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828585/; classtype:trojan-activity;sid:84691685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn"; depth:3; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828586/; classtype:trojan-activity;sid:84691686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/w.sh"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828580/; classtype:trojan-activity;sid:84691680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828575)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bins/sh4"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828575/; classtype:trojan-activity;sid:84691675; rev:1;)
# /bins/<name> on 208.84.100.209: files named after CPU architectures (sh4, m68k, i686,
# mipsel, ppc, x86, mips, arm, arm5, amd64) alongside c.sh and wget.sh.
# NOTE(review): looks like one payload built per architecture for embedded Linux
# targets - inferred from the file names; confirm against the URLhaus entries.
# Each rule requires http.uri to equal the listed path exactly (depth == length plus
# endswith), so the same file fetched with a query string appended is not matched.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/m68k"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828576/; classtype:trojan-activity;sid:84691676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/i686"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828577/; classtype:trojan-activity;sid:84691677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/c.sh"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828574/; classtype:trojan-activity;sid:84691674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/wget.sh"; depth:13; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828569/; classtype:trojan-activity;sid:84691669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mipsel"; depth:12; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828570/; classtype:trojan-activity;sid:84691670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/ppc"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828571/; classtype:trojan-activity;sid:84691671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/x86"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828572/; classtype:trojan-activity;sid:84691672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/mips"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828573/; classtype:trojan-activity;sid:84691673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828566/; classtype:trojan-activity;sid:84691666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/arm5"; depth:10; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828567/; classtype:trojan-activity;sid:84691667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/amd64"; depth:11; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828568/; classtype:trojan-activity;sid:84691668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bee"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828565/; classtype:trojan-activity;sid:84691665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828518/; classtype:trojan-activity;sid:84691618; rev:1;)
# Windows executables served from bare IPs. content is a literal byte match, so the
# three dots in "/xclient...exe" are literal dots, not wildcards.
# NOTE(review): "isass.exe" differs from the Windows process name lsass.exe by one
# look-alike character - presumably name masquerading; if that sid fires, a host-side
# search for the same file name is a reasonable follow-up.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828498/; classtype:trojan-activity;sid:84691598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isass.exe"; depth:10; endswith; nocase; http.host; content:"118.107.44.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828497/; classtype:trojan-activity;sid:84691597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"118.107.44.253"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828496/; classtype:trojan-activity;sid:84691596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xclient...exe"; depth:14; endswith; nocase; http.host; content:"206.245.165.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828327/; classtype:trojan-activity;sid:84691427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828247/; classtype:trojan-activity;sid:84691347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828245)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/massload"; depth:9; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828245/; classtype:trojan-activity;sid:84691345; rev:1;)
# silentum_spoofer.exe is listed under both host forms (raw.githubusercontent.com/...
# and github.com/.../raw/...), one sid each.
# NOTE(review): http.* buffers are populated only when the sensor sees the request as
# HTTP. Presumably these hosts are reached over HTTPS in practice - confirm decrypted
# traffic reaches the sensor, otherwise these two sids will not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deermoment/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828228/; classtype:trojan-activity;sid:84691328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deermoment/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_22; reference:url, urlhaus.abuse.ch/url/3828229/; classtype:trojan-activity;sid:84691329; rev:1;)
# 208.84.100.209 again, created_at 2026_04_21: architecture-named files at the web root
# (sh4, arm7, m68k, mpsl, arm, arm5, i686, mipsel, ppc, mips).
# NOTE(review): looks like per-architecture payloads for embedded Linux devices -
# inferred from the names only. An alert means a $HOME_NET host sent the GET; check the
# response and the requesting device before concluding the file was retrieved.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828101/; classtype:trojan-activity;sid:84691201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828092/; classtype:trojan-activity;sid:84691192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828093/; classtype:trojan-activity;sid:84691193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828094/; classtype:trojan-activity;sid:84691194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828095/; classtype:trojan-activity;sid:84691195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828096/; classtype:trojan-activity;sid:84691196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828097/; classtype:trojan-activity;sid:84691197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828098/; classtype:trojan-activity;sid:84691198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3828099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3828099/; classtype:trojan-activity;sid:84691199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"208.84.100.209"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827962/; classtype:trojan-activity;sid:84691062; rev:1;)
# "/.i" and "/i" are two- and three-byte paths; the exact http.host match on the listed
# IP is what keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.140.248.242"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827899/; classtype:trojan-activity;sid:84690999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; 
nocase; http.host; content:"123.232.142.200"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827734/; classtype:trojan-activity;sid:84690834; rev:1;)
# Host is a domain name here. The http.host match is exact (depth 15 == content length,
# isdataat:!1,relative), so the same path requested under another label, for example a
# "www." prefix, is not covered by this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/april_staff_appraisal_4qsk_pdf.arj"; depth:35; endswith; nocase; http.host; content:"mosselnet.co.za"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827620/; classtype:trojan-activity;sid:84690720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3827318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"24.35.228.16"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_21; reference:url, urlhaus.abuse.ch/url/3827318/; classtype:trojan-activity;sid:84690418; rev:1;)
# URLhaus lists this .png URL as a malware download. The extension in the URI says
# nothing about the payload, so suppressing or allow-listing by image extension would
# hide this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/optimized_msi.png"; depth:22; endswith; nocase; http.host; content:"66.179.248.120"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826980/; classtype:trojan-activity;sid:84690080; rev:1;)
# GitHub-hosted .zip downloads, both host forms (github.com/.../raw/... and
# raw.githubusercontent.com/...).
# NOTE(review): `alert http` rules fire only where the sensor sees the request as HTTP.
# Presumably these hosts are reached over HTTPS in practice - confirm decrypted traffic
# reaches the sensor, or cover these URLs from proxy or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emacute/maize_disease_detection_system/raw/refs/heads/main/syllabicness/system_disease_detection_maize_2.5.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826347/; classtype:trojan-activity;sid:84689447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaja25/demo-os/raw/refs/heads/main/modules/demo-os-sparking.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826349/; classtype:trojan-activity;sid:84689449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gaja25/demo-os/refs/heads/main/modules/demo-os-sparking.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826352/; classtype:trojan-activity;sid:84689452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emacute/maize_disease_detection_system/refs/heads/main/syllabicness/system_disease_detection_maize_2.5.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826343/; classtype:trojan-activity;sid:84689443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3826334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/camilo-vs/patching-hacked-world/raw/refs/heads/principal/landrick_v3.2/__macosx/landrick_v3.2/html/php/patching_world_hacked_v3.8.zip"; depth:134; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_20; reference:url, urlhaus.abuse.ch/url/3826334/; classtype:trojan-activity;sid:84689434; rev:1;)
# NOTE(review): the content below starts with a doubled slash ("//tmp/..."). http.uri is
# the normalized URI buffer; whether "//" survives normalization depends on the sensor's
# HTTP parser settings - verify with a test request before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//tmp/f/10dfff942805d90d6ebb28bd58093653_20251208021850.so"; depth:58; endswith; nocase; http.host; content:"fd.v2downf.shop"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_19; reference:url, urlhaus.abuse.ch/url/3825863/; classtype:trojan-activity;sid:84688963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"217.168.128.146"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825482/; classtype:trojan-activity;sid:84688582; rev:1;)
# NOTE(review): the file name "mozi.m" presumably refers to the Mozi IoT botnet -
# inferred from the name only; confirm on the URLhaus entry. "/config" on the same host
# is a generic path that is specific only because of the exact http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825131/; classtype:trojan-activity;sid:84688231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3825137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config"; depth:7; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_18; reference:url, urlhaus.abuse.ch/url/3825137/; classtype:trojan-activity;sid:84688237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagedan73.png"; 
depth:15; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824667/; classtype:trojan-activity;sid:84687767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageiuyre99.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824501/; classtype:trojan-activity;sid:84687601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageven098.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824500/; classtype:trojan-activity;sid:84687600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagehola21.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824497/; classtype:trojan-activity;sid:84687597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelokoko222.png"; depth:19; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824495/; classtype:trojan-activity;sid:84687595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3824494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagefresk090.png"; depth:18; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824494/; classtype:trojan-activity;sid:84687594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecdg09.png"; depth:15; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824490/; classtype:trojan-activity;sid:84687590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image09iug0.png"; depth:16; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824489/; classtype:trojan-activity;sid:84687589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image222.png"; depth:13; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824438/; classtype:trojan-activity;sid:84687538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"41.32.249.165"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, 
urlhaus.abuse.ch/url/3824412/; classtype:trojan-activity;sid:84687512; rev:1;)
# Each rule here is an exact-match indicator for one URLhaus entry: a GET whose
# http.uri equals the listed path (depth + endswith, nocase) and whose
# http.host equals the listed host (depth + isdataat:!1,relative). They alert
# only on that exact URI/host pair, sent from $HOME_NET to $EXTERNAL_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3824134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagefre9003.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3824134/; classtype:trojan-activity;sid:84687234; rev:1;)
# NOTE(review): the rules for github.com and raw.githubusercontent.com use the
# plaintext `alert http` protocol. Clients normally reach those hosts over
# HTTPS, and a sensor that only sees the encrypted session cannot evaluate
# http.uri / http.host. Treat these rules as effective only where TLS is
# decrypted upstream of Suricata; elsewhere, a lack of alerts is not evidence
# that the URL was not fetched -- check proxy or endpoint URL telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/raw/refs/heads/main/1/4.log"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823984/; classtype:trojan-activity;sid:84687084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/refs/heads/main/1/4.log"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823983/; classtype:trojan-activity;sid:84687083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/refs/heads/main/1/3.log"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823982/; classtype:trojan-activity;sid:84687082; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3823981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alinaitweshalifu28-netizen/2/raw/refs/heads/main/1/3.log"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_17; reference:url, urlhaus.abuse.ch/url/3823981/; classtype:trojan-activity;sid:84687081; rev:1;)
# Exact-match URLhaus indicators: each rule alerts on a GET whose http.uri and
# http.host equal the listed path and host (depth/endswith and
# depth/isdataat:!1,relative anchor both ends of each buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itzmesultan01/eventpipe/raw/refs/heads/main/src/formats/software_2.6.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823979/; classtype:trojan-activity;sid:84687079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/restaurant-management-saas/refs/heads/main/frontend/src/lib/management-restaurant-saas-superinnocent.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823974/; classtype:trojan-activity;sid:84687074; rev:1;)
# NOTE(review): the http.uri pattern in the next rule (sid 84687075) contains a
# literal "%40". http.uri is Suricata's normalized URI buffer, in which
# percent-encoded bytes are decoded, so this pattern -- and its depth:114,
# counted on the encoded form -- may never match as written. The github.com
# rule for the same file (sid 84687067) uses the decoded "@" form instead.
# Confirm against a test capture; http.uri.raw is the buffer that keeps the
# request's original encoding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/secure-vault/refs/heads/main/node_modules/%40supabase/auth-ui-shared/dist/vault_secure_1.8-beta.2.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823975/; classtype:trojan-activity;sid:84687075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3823972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/securevault-password-manager/raw/refs/heads/main/node_modules/typescript/lib/tr/password-manager-secure-vault-v3.7.zip"; depth:131; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823972/; classtype:trojan-activity;sid:84687072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/securevault-password-manager/refs/heads/main/node_modules/typescript/lib/tr/password-manager-secure-vault-v3.7.zip"; depth:127; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823973/; classtype:trojan-activity;sid:84687073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/secure-vault/raw/refs/heads/main/node_modules/@supabase/auth-ui-shared/dist/vault_secure_1.8-beta.2.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823967/; classtype:trojan-activity;sid:84687067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metasoftia/portforwarder/raw/refs/heads/main/x64/forwarder-port-1.2.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823968/; 
classtype:trojan-activity;sid:84687068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxdag5/gproxy-tool/refs/heads/main/bin/gproxy-tool-v1.7.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823969/; classtype:trojan-activity;sid:84687069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/spaceship-mcp/refs/heads/main/src/tools/mcp-spaceship-2.8.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823970/; classtype:trojan-activity;sid:84687070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxdag5/gproxy-tool/raw/refs/heads/main/bin/gproxy-tool-v1.7.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823962/; classtype:trojan-activity;sid:84687062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/spaceship-mcp/raw/refs/heads/main/src/tools/mcp-spaceship-2.8.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823964/; classtype:trojan-activity;sid:84687064; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/restaurant-management-saas/raw/refs/heads/main/frontend/src/lib/management-restaurant-saas-superinnocent.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823965/; classtype:trojan-activity;sid:84687065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itzmesultan01/eventpipe/refs/heads/main/src/formats/software_2.6.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823958/; classtype:trojan-activity;sid:84687058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/smart-tutor/refs/heads/main/src/contexts/tutor_smart_v1.7.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823959/; classtype:trojan-activity;sid:84687059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naveenkm007/smart-tutor/raw/refs/heads/main/src/contexts/tutor_smart_v1.7.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823960/; classtype:trojan-activity;sid:84687060; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackfalan/was/raw/refs/heads/master/augurship/software-v1.3-beta.2.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823951/; classtype:trojan-activity;sid:84687051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/assslapbattle/raw/refs/heads/main/ontosophy/battle_ass_slap_v2.6.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823936/; classtype:trojan-activity;sid:84687036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sandro-beep/discord-message-forwarder/raw/refs/heads/main/septuplication/discord-forwarder-message-v2.8-beta.3.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823937/; classtype:trojan-activity;sid:84687037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jesusnnc/mtproxy/refs/heads/main/angiosporous/proxy_mt_v2.0.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823938/; classtype:trojan-activity;sid:84687038; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/slapbattlesglove/refs/heads/main/backsword/glove_battles_slap_v3.9.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823940/; classtype:trojan-activity;sid:84687040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/lara-weeb/raw/refs/heads/main/bootstrap/cache/lara_weeb_3.9-alpha.2.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823941/; classtype:trojan-activity;sid:84687041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jesusnnc/mtproxy/raw/refs/heads/main/angiosporous/proxy_mt_v2.0.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823942/; classtype:trojan-activity;sid:84687042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/assslapbattle/refs/heads/main/ontosophy/battle_ass_slap_v2.6.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823944/; classtype:trojan-activity;sid:84687044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3823946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/lara-weeb/refs/heads/main/bootstrap/cache/lara_weeb_3.9-alpha.2.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823946/; classtype:trojan-activity;sid:84687046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saramc89mc/personal-website-template/raw/refs/heads/main/src/components/sections/about/personal_template_website_2.2.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823933/; classtype:trojan-activity;sid:84687033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/billydagreat/vps-git/refs/heads/main/ansible/roles/watchdog/templates/git_vps_3.0-beta.3.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823935/; classtype:trojan-activity;sid:84687035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alecyi/cache-components-granular/refs/heads/main/components/layout/notebook/page/components-cache-granular-v2.1.zip"; depth:116; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823930/; 
classtype:trojan-activity;sid:84687030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/dandyworldhubupdate/refs/heads/main/duodenocholecystostomy/dandy_world_hub_update_3.9.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823931/; classtype:trojan-activity;sid:84687031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/reflectshaders/refs/heads/main/ambulomancy/software_3.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823929/; classtype:trojan-activity;sid:84687029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/dandyworldhubupdate/raw/refs/heads/main/duodenocholecystostomy/dandy_world_hub_update_3.9.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823928/; classtype:trojan-activity;sid:84687028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invertebratekinanesthesia779/aios-core/refs/heads/main/tests/unit/squad/fixtures/invalid-squad/core-aios-1.4.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823926/; classtype:trojan-activity;sid:84687026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackfalan/happyview/raw/refs/heads/master/yow/software_v2.0-beta.1.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823924/; classtype:trojan-activity;sid:84687024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/billydagreat/vps-git/raw/refs/heads/main/ansible/roles/watchdog/templates/git_vps_3.0-beta.3.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823925/; classtype:trojan-activity;sid:84687025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alecyi/cache-components-granular/raw/refs/heads/main/components/layout/notebook/page/components-cache-granular-v2.1.zip"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823922/; classtype:trojan-activity;sid:84687022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackfalan/was/refs/heads/master/augurship/software-v1.3-beta.2.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823921/; classtype:trojan-activity;sid:84687021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invertebratekinanesthesia779/aios-core/raw/refs/heads/main/tests/unit/squad/fixtures/invalid-squad/core-aios-1.4.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823919/; classtype:trojan-activity;sid:84687019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/reflectshaders/raw/refs/heads/main/ambulomancy/software_3.4.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823920/; classtype:trojan-activity;sid:84687020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/doorsscript/refs/heads/main/counterfessed/script-doors-v1.6.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823914/; classtype:trojan-activity;sid:84687014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wndaalol/doorsscript/raw/refs/heads/main/counterfessed/script-doors-v1.6.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823915/; classtype:trojan-activity;sid:84687015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gta509fx/scrappe-tout/refs/heads/main/tests/e2e/scrappe-tout-2.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823916/; classtype:trojan-activity;sid:84687016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/willywarriorportfolio/refs/heads/master/fonts/font-awesome-4.7.0/fonts/software-3.7.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823912/; classtype:trojan-activity;sid:84687012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/willywarriorportfolio/raw/refs/heads/master/fonts/font-awesome-4.7.0/fonts/software-3.7.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823913/; classtype:trojan-activity;sid:84687013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industrialintelligence/homestead_new_backend/raw/refs/heads/master/validator/backend_homestead_new_v1.9-beta.5.zip"; depth:115; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823911/; classtype:trojan-activity;sid:84687011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/45d5r/databricks-mcp-server/raw/refs/heads/main/databricks_mcp/resources/server_databricks_mcp_1.6.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823908/; classtype:trojan-activity;sid:84687008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saramc89mc/personal-website-template/refs/heads/main/src/components/sections/about/personal_template_website_2.2.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823907/; classtype:trojan-activity;sid:84687007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/45d5r/databricks-mcp-server/refs/heads/main/databricks_mcp/resources/server_databricks_mcp_1.6.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823905/; classtype:trojan-activity;sid:84687005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; 
http.host; content:"145.255.196.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823613/; classtype:trojan-activity;sid:84686713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"145.255.196.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823614/; classtype:trojan-activity;sid:84686714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"145.255.196.49"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823530/; classtype:trojan-activity;sid:84686630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3823224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31agosto.vbs"; depth:13; endswith; nocase; http.host; content:"www.elpolacodelsur3.duckdns.org"; depth:31; isdataat:!1,relative; metadata:created_at 2026_04_16; reference:url, urlhaus.abuse.ch/url/3823224/; classtype:trojan-activity;sid:84686324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonisark/html-portfolioes/raw/refs/heads/main/someone/html_portfolioes_1.1.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822771/; classtype:trojan-activity;sid:84685871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3822773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nikhildaharwal2004/context.nvim/refs/heads/main/lua/nvim_context_2.5-beta.4.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822773/; classtype:trojan-activity;sid:84685873; rev:1;)
# Exact-match URLhaus indicators: each rule alerts on a GET whose http.uri and
# http.host equal the listed path and host.
# NOTE(review): the http.uri pattern in the next rule (sid 84685865) contains
# literal "%20" sequences. http.uri is Suricata's normalized URI buffer, in
# which percent-encoded bytes are decoded (e.g. "%20" becomes a space), so this
# pattern and its depth:84 -- counted on the encoded form -- may never match as
# written. Confirm against a test capture; http.uri.raw is the buffer that
# keeps the request's original encoding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonisark/djast/raw/refs/heads/main/4.3%20html%20porfolio%20project/software_2.5.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822765/; classtype:trojan-activity;sid:84685865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/gma/raw/refs/heads/main/aegrotant/software-1.3-alpha.2.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822766/; classtype:trojan-activity;sid:84685866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonisark/joni/raw/refs/heads/main/epiklesis/software-1.5.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822767/; classtype:trojan-activity;sid:84685867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822768)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/dark-thema-saas/raw/refs/heads/main/assets/images/people/thema-saas-dark-v3.0.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822768/; classtype:trojan-activity;sid:84685868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/gma/refs/heads/main/aegrotant/software-1.3-alpha.2.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822760/; classtype:trojan-activity;sid:84685860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonisark/git-demo/refs/heads/main/unresponsiveness/demo_git_v2.4.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822762/; classtype:trojan-activity;sid:84685862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/fdgdfg/refs/heads/main/.github/workflows/software_v3.3-alpha.5.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822763/; classtype:trojan-activity;sid:84685863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822764)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/gmmms/raw/refs/heads/main/chegoe/software_v2.5-alpha.1.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822764/; classtype:trojan-activity;sid:84685864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/kids-drag-drop-game2/raw/refs/heads/main/ethmophysal/kids_drop_game_drag_v3.4-alpha.4.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822756/; classtype:trojan-activity;sid:84685856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etabra098/gmmms/refs/heads/main/chegoe/software_v2.5-alpha.1.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822758/; classtype:trojan-activity;sid:84685858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jonisark/html-portfolioes/refs/heads/main/someone/html_portfolioes_1.1.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822759/; classtype:trojan-activity;sid:84685859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822747)"; flow:established,from_client; 
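http.method; content:"GET"; http.uri; content:"/isaac1993-io/kws-project/raw/refs/heads/main/pics/project_kw_1.6.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822747/; classtype:trojan-activity;sid:84685847; rev:1;)
# The line above is the tail of the rule for URLhaus entry 3822747; its head sits on the preceding line.
#
# How these signatures match: on an established client-to-server flow, the method buffer must hold
# "GET", the URI content must start at offset 0 (depth equals the content length) and end the buffer
# (endswith), and the Host content must fill the whole host buffer (depth plus isdataat:!1,relative).
# Each rule is therefore an exact URL match, case-insensitive on the path.
#
# NOTE(review): the protocol is `alert http`, so only HTTP that the sensor sees in clear is inspected.
# github.com and raw.githubusercontent.com are normally reached over TLS, so these rules are expected
# to fire only behind TLS decryption - TODO confirm for this deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/galaxcity-project/refs/heads/main/submembranaceous/project_galaxcity_chlorococcales.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822748/; classtype:trojan-activity;sid:84685848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/java-journey/refs/heads/main/oracle_jdk-24/journey_jav_2.7.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822750/; classtype:trojan-activity;sid:84685850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guitupetidutra-ship-it/dr-tulu/raw/refs/heads/main/agent/evaluation/genetic_diseases_eval/tulu-dr-v2.8.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822751/; classtype:trojan-activity;sid:84685851; rev:1;)
# Fix (sid 84685845): the path carries a literal "%20". http.uri is Suricata's normalized URI buffer,
# where percent-encoding is decoded, so the three bytes "%20" would not be present there and the
# content could not match. http.uri.raw holds the URI as sent; depth:113 already counts each "%20" as
# three bytes, so depth/endswith still pin the full raw URI. This is a local deviation from the
# upstream feed: replay a capture before relying on it, report it upstream, and re-apply it after
# feed updates, which would otherwise overwrite it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822745)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/isaac1993-io/my-software-journey/raw/refs/heads/main/html%20projects/static%20images/my_software_journey_1.1.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822745/; classtype:trojan-activity;sid:84685845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/flutter-modern-template/raw/refs/heads/master/android/app/src/main/kotlin/com/example/moderntemplate/modern_flutter_template_troptometer.zip"; depth:154; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822746/; classtype:trojan-activity;sid:84685846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawnspe/custom-plugin-devops/raw/refs/heads/master/.github/workflows/plugin-devops-custom-2.6.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822735/; classtype:trojan-activity;sid:84685835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reddinton95/custom-plugin-backend/raw/refs/heads/main/agents/02-database-management/backend-plugin-custom-1.2.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822736/; classtype:trojan-activity;sid:84685836;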
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guitupetidutra-ship-it/dr-tulu/refs/heads/main/agent/evaluation/genetic_diseases_eval/tulu-dr-v2.8.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822737/; classtype:trojan-activity;sid:84685837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/test-practice/raw/refs/heads/master/embrail/test_practice_1.4.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822738/; classtype:trojan-activity;sid:84685838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reddinton95/custom-plugin-backend/refs/heads/main/agents/02-database-management/backend-plugin-custom-1.2.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822739/; classtype:trojan-activity;sid:84685839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/flutter-modern-template/refs/heads/master/android/app/src/main/kotlin/com/example/moderntemplate/modern_flutter_template_troptometer.zip"; depth:150; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
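metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822740/; classtype:trojan-activity;sid:84685840; rev:1;)
# The line above closes the rule for URLhaus entry 3822740, which starts on the preceding line.
#
# Each rule below pins one exact URL: URI content anchored at offset 0 (depth equals its length) and
# at the end of the buffer (endswith), Host content filling the whole host buffer.
# NOTE(review): `alert http` inspects cleartext HTTP only; both hosts here are normally served over
# TLS, so hits presuppose decrypted traffic at the sensor - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/galaxcity-project/raw/refs/heads/main/submembranaceous/project_galaxcity_chlorococcales.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822741/; classtype:trojan-activity;sid:84685841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/java-journey/raw/refs/heads/main/oracle_jdk-24/journey_jav_2.7.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822742/; classtype:trojan-activity;sid:84685842; rev:1;)
# Fix (sid 84685843): the content holds a literal "%20", but http.uri is the normalized buffer in
# which percent-encoding is decoded, so the original form could not match. http.uri.raw keeps the URI
# as sent, and depth:109 already counts each "%20" as three bytes. Local deviation from the upstream
# feed: verify against a capture, report upstream, and re-apply after feed updates.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822743)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/isaac1993-io/my-software-journey/refs/heads/main/html%20projects/static%20images/my_software_journey_1.1.zip"; depth:109; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822743/; classtype:trojan-activity;sid:84685843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaac1993-io/test-practice/refs/heads/master/embrail/test_practice_1.4.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com";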
depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822744/; classtype:trojan-activity;sid:84685844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/assignment-2/refs/heads/main/img/assignment_shelyak.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822726/; classtype:trojan-activity;sid:84685826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yawnspe/custom-plugin-devops/refs/heads/master/.github/workflows/plugin-devops-custom-2.6.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822729/; classtype:trojan-activity;sid:84685829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/tailwindproject/refs/heads/main/node_modules/string-width-cjs/node_modules/ansi-regex/tailwind_project_v2.2.zip"; depth:126; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822730/; classtype:trojan-activity;sid:84685830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/gemini_cli_skill/raw/refs/heads/main/mammillation/cli_skill_gemini_v3.8.zip"; 
depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822731/; classtype:trojan-activity;sid:84685831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaacww/var-lighter-auto-tool/raw/refs/heads/main/turbinatoglobose/tool-lighter-var-auto-v3.6-beta.3.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822732/; classtype:trojan-activity;sid:84685832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/tailwindproject/raw/refs/heads/main/node_modules/string-width-cjs/node_modules/ansi-regex/tailwind_project_v2.2.zip"; depth:130; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822733/; classtype:trojan-activity;sid:84685833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/isaacww/var-lighter-auto-tool/refs/heads/main/turbinatoglobose/tool-lighter-var-auto-v3.6-beta.3.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822734/; classtype:trojan-activity;sid:84685834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822722)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
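content:"/kingfahmee12/aind-workshops/raw/refs/heads/main/devcon25nyc/examples/ain_workshops_v2.3.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822722/; classtype:trojan-activity;sid:84685822; rev:1;)
# The line above is the tail of the rule for URLhaus entry 3822722; its head sits on the preceding line.
#
# The same repository file can appear twice: once as github.com + ".../raw/refs/heads/..." and once as
# raw.githubusercontent.com + ".../refs/heads/..." (3822722 and 3822723 are such a pair).
# NOTE(review): `alert http` inspects cleartext HTTP only; both hosts are normally served over TLS,
# so hits presuppose decrypted traffic at the sensor - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kingfahmee12/aind-workshops/refs/heads/main/devcon25nyc/examples/ain_workshops_v2.3.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822723/; classtype:trojan-activity;sid:84685823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/assignment-1/refs/heads/main/img/assignment-2.3.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822724/; classtype:trojan-activity;sid:84685824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/junayedahmedd/gemini_cli_skill/refs/heads/main/mammillation/cli_skill_gemini_v3.8.zip"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822725/; classtype:trojan-activity;sid:84685825; rev:1;)
# Fix (sid 84685819): the content holds a literal "%20" ("xmevan%202"), but http.uri is the
# normalized buffer in which percent-encoding is decoded, so the original form could not match.
# http.uri.raw keeps the URI as sent, and depth:135 already counts "%20" as three bytes. Local
# deviation from the upstream feed: verify against a capture, report upstream, and re-apply after
# feed updates.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822719)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/evilpratama17/arweave-academy/raw/refs/heads/main/submissions/xmevan%202/challenge2/node_modules/kleur/academy-arweave-v1.9-beta.3.zip"; depth:135; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822719/; classtype:trojan-activity;sid:84685819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/entregafinal/raw/refs/heads/main/css/final-entrega-3.0.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822720/; classtype:trojan-activity;sid:84685820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/godie09/laravel-12-routeserviceprovider-configuration-tutorial/refs/heads/main/database/configuration_laravel_tutorial_routeserviceprovider_v2.8.zip"; depth:149; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822704/; classtype:trojan-activity;sid:84685804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gseu41/powersub-demo-1000/refs/heads/main/antasphyctic/demo-powersub-v1.8.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822705/; classtype:trojan-activity;sid:84685805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known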
malware download URL detected (3822706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evilpratama17/powersub-demo-9758/refs/heads/main/ericales/demo_powersub_3.1.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822706/; classtype:trojan-activity;sid:84685806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/entregafinal/refs/heads/main/css/final-entrega-3.0.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822707/; classtype:trojan-activity;sid:84685807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/godie09/laravel-12-routeserviceprovider-configuration-tutorial/raw/refs/heads/main/database/configuration_laravel_tutorial_routeserviceprovider_v2.8.zip"; depth:153; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822708/; classtype:trojan-activity;sid:84685808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evilpratama17/powersub-demo-9758/raw/refs/heads/main/ericales/demo_powersub_3.1.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822710/; classtype:trojan-activity;sid:84685810; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/ai-etl-anomaly-detection/raw/refs/heads/main/data/anomaly_etl_ai_detection_2.1.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822711/; classtype:trojan-activity;sid:84685811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flix-ux/powersub-demo-7484/raw/refs/heads/main/transpeer/powersub_demo_v3.7.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822713/; classtype:trojan-activity;sid:84685813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cemanosdesolidao/hedged-rpc-client/raw/refs/heads/main/src/client_hedged_rpc_v2.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822715/; classtype:trojan-activity;sid:84685815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jallinskyluca/ai-etl-anomaly-detection/refs/heads/main/data/anomaly_etl_ai_detection_2.1.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822716/; classtype:trojan-activity;sid:84685816; rev:1;) alert http $HOME_NET 
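any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cemanosdesolidao/hedged-rpc-client/refs/heads/main/src/client_hedged_rpc_v2.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822701/; classtype:trojan-activity;sid:84685801; rev:1;)
# The line above continues a rule header that starts on the preceding line.
#
# Each rule pins one exact URL: URI content anchored at offset 0 (depth equals its length) and at the
# end of the buffer (endswith), Host content filling the whole host buffer.
# NOTE(review): `alert http` inspects cleartext HTTP only; both hosts are normally served over TLS,
# so hits presuppose decrypted traffic at the sensor - TODO confirm.
#
# Fix (sid 84685803): the content holds a literal "%20" ("xmevan%202"), but http.uri is the
# normalized buffer in which percent-encoding is decoded, so the original form could not match.
# http.uri.raw keeps the URI as sent, and depth:131 already counts "%20" as three bytes. Local
# deviation from the upstream feed: verify against a capture, report upstream, and re-apply after
# feed updates.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822703)"; flow:established,from_client; http.method; content:"GET"; http.uri.raw; content:"/evilpratama17/arweave-academy/refs/heads/main/submissions/xmevan%202/challenge2/node_modules/kleur/academy-arweave-v1.9-beta.3.zip"; depth:131; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822703/; classtype:trojan-activity;sid:84685803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rizkiameli/blog-starter-template/raw/refs/heads/main/lib/blog_template_starter_2.4.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822698/; classtype:trojan-activity;sid:84685798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rizkiameli/blog-starter-template/refs/heads/main/lib/blog_template_starter_2.4.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822697/;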
classtype:trojan-activity;sid:84685797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/menor1111/iscsi-setup-tutorial-on-linux-mint/refs/heads/main/deloul/linux-on-tutorial-mint-i-setup-scs-unclosable.zip"; depth:118; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822696/; classtype:trojan-activity;sid:84685796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavbarskar/pluralsight-aws-data-pipelines-orchestrating-automating/raw/refs/heads/main/module-2/module-2-demo-3-parallel-map/lambdas/generate-datasets/automating_data_pipelines_aws_orchestrating_pluralsight_2.8.zip"; depth:218; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822680/; classtype:trojan-activity;sid:84685780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roseannspastic496/pyspark-etl-automation/refs/heads/main/pridelessly/etl-automation-pyspark-3.4-alpha.1.zip"; depth:108; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822683/; classtype:trojan-activity;sid:84685783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822684)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wsbs20/claude-code-aso-skill/raw/refs/heads/main/.claude/skills/code-aso-claude-skill-v2.7.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822684/; classtype:trojan-activity;sid:84685784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123luka123/k3s-proxmox-terraform/raw/refs/heads/main/docs/terraform-s-k-proxmox-frontierlike.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822686/; classtype:trojan-activity;sid:84685786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hardcore-bioengineering120/think/refs/heads/master/gestative/software_v1.8.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822687/; classtype:trojan-activity;sid:84685787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kartik944/relizy/refs/heads/main/src/core/__tests__/software_v2.1.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822688/; classtype:trojan-activity;sid:84685788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822689)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/novice-cloud/workflow/refs/heads/main/packages/world-postgres/src/drizzle/migrations/software_v1.3.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822689/; classtype:trojan-activity;sid:84685789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pranavbarskar/pluralsight-aws-data-pipelines-orchestrating-automating/refs/heads/main/module-2/module-2-demo-3-parallel-map/lambdas/generate-datasets/automating_data_pipelines_aws_orchestrating_pluralsight_2.8.zip"; depth:214; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822690/; classtype:trojan-activity;sid:84685790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsbs20/claude-code-aso-skill/refs/heads/main/.claude/skills/code-aso-claude-skill-v2.7.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822691/; classtype:trojan-activity;sid:84685791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longphamok1323/2025doubao-free-api/raw/refs/heads/master/public/doubao_api_free_inanga.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822694/; classtype:trojan-activity;sid:84685794; rev:1;) 
# URLhaus download-URL signatures dated 2026_04_15, one rule per reported URL.
# Match logic shared by all of them: established client-to-server flow, method buffer "GET", URI
# content anchored at offset 0 (depth equals the content length) and at the end of the buffer
# (endswith) with nocase, and Host content that fills the whole host buffer (depth plus
# isdataat:!1,relative). A request whose URI differs in any byte other than letter case, for
# instance by carrying a query string, is outside what the rule describes.
# 3822675 and 3822676 cover the same repository file under its two host/path forms
# (github.com ".../raw/refs/..." and raw.githubusercontent.com ".../refs/...").
# NOTE(review): `alert http` inspects cleartext HTTP only; both hosts are normally served over TLS,
# so hits presuppose decrypted traffic at the sensor - TODO confirm for this deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/superdev699/cheatsheet-llm/raw/refs/heads/main/textbook_create/textbook-pdf/sheet_cheat_llm_2.6.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822695/; classtype:trojan-activity;sid:84685795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gustavomnhee/lima/raw/refs/heads/master/pkg/localpathutil/software_v2.7.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822675/; classtype:trojan-activity;sid:84685775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gustavomnhee/lima/refs/heads/master/pkg/localpathutil/software_v2.7.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822676/; classtype:trojan-activity;sid:84685776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kartik944/relizy/raw/refs/heads/main/src/core/__tests__/software_v2.1.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822671/; classtype:trojan-activity;sid:84685771; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zebulenlithophytic371/algorithmic-trading-platform/refs/heads/main/agents/algorithmic-trading-platform-1.4.zip"; depth:111; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822672/; classtype:trojan-activity;sid:84685772; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line below. Shared shape:
# cleartext HTTP from $HOME_NET to $EXTERNAL_NET, client side of an established flow,
# http.method containing "GET", then two anchored patterns:
#   http.uri  content; depth:N; endswith; nocase   -> N is the pattern length, so the
#             pattern must start at offset 0 and end the buffer (whole-URI match,
#             case-insensitive)
#   http.host content; depth:N; isdataat:!1,relative -> nothing may follow the
#             pattern (exact host match)
# Every rule in this group points at github.com or raw.githubusercontent.com; several
# files are listed twice, as /USER/REPO/raw/refs/heads/... on github.com and as
# /USER/REPO/refs/heads/... on raw.githubusercontent.com.
# NOTE(review): `alert http` only evaluates requests Suricata parses as HTTP. If these
# hosts are reached over HTTPS only (likely - confirm), the sensor has to see
# decrypted traffic for these rules to fire. The host is a shared platform, so a hit
# identifies the account/repository path; scope triage and blocking to that path,
# not to the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novice-cloud/workflow/raw/refs/heads/main/packages/world-postgres/src/drizzle/migrations/software_v1.3.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822673/; classtype:trojan-activity;sid:84685773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hardcore-bioengineering120/think/raw/refs/heads/master/gestative/software_v1.8.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822674/; classtype:trojan-activity;sid:84685774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zebulenlithophytic371/algorithmic-trading-platform/raw/refs/heads/main/agents/algorithmic-trading-platform-1.4.zip"; depth:115; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822669/; classtype:trojan-activity;sid:84685769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123luka123/k3s-proxmox-terraform/refs/heads/main/docs/terraform-s-k-proxmox-frontierlike.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822659/; classtype:trojan-activity;sid:84685759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/superdev699/cheatsheet-llm/refs/heads/main/textbook_create/textbook-pdf/sheet_cheat_llm_2.6.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822620/; classtype:trojan-activity;sid:84685720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/camm1ls/deviloff/refs/heads/main/4j8576a0e8v3.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822574/; classtype:trojan-activity;sid:84685674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fornessa/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822557/; classtype:trojan-activity;sid:84685657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/landeliur/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822558/; classtype:trojan-activity;sid:84685658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hopeinfully/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822559/; classtype:trojan-activity;sid:84685659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hopeinfully/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822555/; classtype:trojan-activity;sid:84685655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fornessa/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822554/; classtype:trojan-activity;sid:84685654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3822245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rump1_msi.png"; depth:14; endswith; nocase; http.host; content:"aumri.ae"; depth:8; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822245/; classtype:trojan-activity;sid:84685345; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line below. Each matches a
# cleartext HTTP request from $HOME_NET to $EXTERNAL_NET (http.method containing
# "GET") whose whole URI (depth + endswith, nocase) and whole Host
# (depth + isdataat:!1,relative) equal the listed values.
# NOTE(review): several paths here (/.i, /i, /bin.sh, /fscan) are short and generic,
# so the specificity comes from the exact Host match on an IP literal. Addresses can
# change hands; metadata:created_at is the only age signal carried in the rule and is
# presumably what to key expiry on - confirm against how the feed retires entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3822169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"203.203.86.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_15; reference:url, urlhaus.abuse.ch/url/3822169/; classtype:trojan-activity;sid:84685269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fscan"; depth:6; endswith; nocase; http.host; content:"101.43.204.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821825/; classtype:trojan-activity;sid:84684925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lucifer.elf"; depth:12; endswith; nocase; http.host; content:"101.43.204.194"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821821/; classtype:trojan-activity;sid:84684921; rev:1;)
# NOTE(review): in the URI pattern of the next rule, "|3f|" is "?", but every
# "|7c|26|7c|" decodes to the four literal bytes |26| rather than to "&" (0x26). It
# looks as if the pipes of an "|26|" escape were escaped a second time by the
# generator. As written the rule only matches a URI that carries the text |26|
# between parameters, so a request using "&" would not alert. depth:162 is also the
# length of the escaped text, not of the decoded pattern, so the start anchor is
# looser than in the sibling rules. Verify against the URLhaus entry before relying
# on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=bat|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:162; endswith; nocase; http.host; content:"184.174.20.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821609/; classtype:trojan-activity;sid:84684709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"64.53.93.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821424/; classtype:trojan-activity;sid:84684524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"64.53.93.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821416/; classtype:trojan-activity;sid:84684516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"65.99.181.12"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821392/; classtype:trojan-activity;sid:84684492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagepixxx011.png"; depth:18; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821391/; classtype:trojan-activity;sid:84684491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagehd09.png"; depth:14; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821356/; classtype:trojan-activity;sid:84684456; rev:1;)
# NOTE(review): same "|7c|26|7c|" sequence as in sid 84684709 above - literal |26|
# where "&" is presumably intended, and depth:164 is the escaped length. The same
# check applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/support.clientsetup.msi|3f|e=access|7c|26|7c|y=guest|7c|26|7c|c=4-4-2026|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=new|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c=|7c|26|7c|c="; depth:164; endswith; nocase; http.host; content:"doc.e-statements.app"; depth:20; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821345/; classtype:trojan-activity;sid:84684445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.130.34.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821276/; classtype:trojan-activity;sid:84684376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"91.130.34.217"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821271/; classtype:trojan-activity;sid:84684371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3821074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apr13image.png"; depth:15; endswith; nocase; http.host; content:"aumri.ae"; depth:8;
isdataat:!1,relative; metadata:created_at 2026_04_14; reference:url, urlhaus.abuse.ch/url/3821074/; classtype:trojan-activity;sid:84684174; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line below. Each matches a
# cleartext HTTP request from $HOME_NET to $EXTERNAL_NET (http.method containing
# "GET") whose whole URI (depth + endswith, nocase) and whole Host
# (depth + isdataat:!1,relative) equal the listed values.
# NOTE(review): for the rules on github.com / raw.githubusercontent.com, `alert http`
# only evaluates requests Suricata parses as HTTP; if those hosts are reached over
# HTTPS only (likely - confirm), the sensor has to see decrypted traffic for them to
# fire. The host is a shared platform, so scope triage and blocking to the
# account/repository path.
# NOTE(review): for the rules on bare IP hosts, the exact Host match carries most of
# the specificity (e.g. /bin.sh is a generic path); metadata:created_at is the only
# age signal in the rule - presumably what to key expiry on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3820855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/professor9-sys/oldlauncher928/refs/heads/main/woofer.rar"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3820855/; classtype:trojan-activity;sid:84683955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lk/bhaikecn191.bin"; depth:19; endswith; nocase; http.host; content:"38.49.217.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_13; reference:url, urlhaus.abuse.ch/url/3817756/; classtype:trojan-activity;sid:84680856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"77.247.88.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817361/; classtype:trojan-activity;sid:84680461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3817332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/net_launcher.exe"; depth:26; endswith; nocase; http.host; content:"185.149.120.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3817332/; classtype:trojan-activity;sid:84680432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewoba/ewoba.github.io/refs/heads/main/lampoon/io_github_ewoba_v3.4.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816935/; classtype:trojan-activity;sid:84680035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewoba/kick-tg-rewards/raw/refs/heads/main/backend-python/rem/lib/site-packages/pip/_vendor/packaging/tg-kick-rewards-v2.9.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816934/; classtype:trojan-activity;sid:84680034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewoba/ewoba.github.io/raw/refs/heads/main/lampoon/io_github_ewoba_v3.4.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816933/; classtype:trojan-activity;sid:84680033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pato851/rock-breaker/refs/heads/main/src/components/rock_breaker_v1.9.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816929/; classtype:trojan-activity;sid:84680029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pato851/rock-breaker/raw/refs/heads/main/src/components/rock_breaker_v1.9.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816930/; classtype:trojan-activity;sid:84680030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pato851/pato851.github.io/refs/heads/main/supraterraneous/io-github-pato-2.6.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816931/; classtype:trojan-activity;sid:84680031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/infinity-snip3/raw/refs/heads/master/audio/infinity_snip_screeve.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816923/; classtype:trojan-activity;sid:84680023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/talktobaby.github.io/raw/refs/heads/main/hymeneals/talktobaby-io-github-v1.3.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816921/; classtype:trojan-activity;sid:84680021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3816922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/infinity-snip3/refs/heads/master/audio/infinity_snip_screeve.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816922/; classtype:trojan-activity;sid:84680022; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line below. Each matches a
# cleartext HTTP request from $HOME_NET to $EXTERNAL_NET (http.method containing
# "GET") whose whole URI (depth + endswith, nocase) and whole Host
# (depth + isdataat:!1,relative) equal the listed values.
# Every rule in this group points at github.com or raw.githubusercontent.com; several
# files are listed under both hosts (the github.com form carries an extra /raw path
# segment).
# NOTE(review): `alert http` only evaluates requests Suricata parses as HTTP. If these
# hosts are reached over HTTPS only (likely - confirm), the sensor has to see
# decrypted traffic for these rules to fire. The host is a shared platform, so a hit
# identifies the account/repository path; scope triage and blocking to that path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talktobaby/talktobaby.github.io/refs/heads/main/hymeneals/talktobaby-io-github-v1.3.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816920/; classtype:trojan-activity;sid:84680020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/servermaker/raw/refs/heads/main/data/maker_server_v3.5.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816897/; classtype:trojan-activity;sid:84679997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/beast700.github.io/refs/heads/main/still/beast_io_github_2.9.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816896/; classtype:trojan-activity;sid:84679996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/flexlkgaming-com/refs/heads/main/firmhearted/com_flexlkgaming_1.9.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816895/; classtype:trojan-activity;sid:84679995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/flexlkgaming-com/raw/refs/heads/main/firmhearted/com_flexlkgaming_1.9.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816893/; classtype:trojan-activity;sid:84679993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/beast700.github.io/raw/refs/heads/main/still/beast_io_github_2.9.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816894/; classtype:trojan-activity;sid:84679994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beast700/servermaker/refs/heads/main/data/maker_server_v3.5.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816892/; classtype:trojan-activity;sid:84679992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xfoxusx/xfoxusx.github.io/raw/refs/heads/main/arsenism/github_io_xfoxusx_v1.7.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816888/; classtype:trojan-activity;sid:84679988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xfoxusx/arduino-joystick-and-servo-control/refs/heads/main/lection/servo-arduino-control-and-joystick-1.1.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816887/; classtype:trojan-activity;sid:84679987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xfoxusx/xfoxusx.github.io/refs/heads/main/arsenism/github_io_xfoxusx_v1.7.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816886/; classtype:trojan-activity;sid:84679986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/tic_tac_toe/refs/heads/main/auriculae/toe-tic-tac-v3.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816841/; classtype:trojan-activity;sid:84679941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816837)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/32/raw/refs/heads/main/app/(public)/contact/software_v1.6-beta.5.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816837/; classtype:trojan-activity;sid:84679937; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line below. Each matches a
# cleartext HTTP request from $HOME_NET to $EXTERNAL_NET (http.method containing
# "GET") whose whole URI (depth + endswith, nocase) and whole Host
# (depth + isdataat:!1,relative) equal the listed values.
# NOTE(review): for the rules on github.com / raw.githubusercontent.com, `alert http`
# only evaluates requests Suricata parses as HTTP; if those hosts are reached over
# HTTPS only (likely - confirm), the sensor has to see decrypted traffic for them to
# fire. The host is a shared platform, so scope triage and blocking to the
# account/repository path. The same file names (silentum_spoofer.exe, cfxbypass.exe)
# recur under different account names, and each account path has its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/abdalrhmanasif5.github.io/refs/heads/main/torques/github_io_abdalrhmanasif_screwsman.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816838/; classtype:trojan-activity;sid:84679938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdalrhmanasif5/32/refs/heads/main/app/(public)/contact/software_v1.6-beta.5.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816836/; classtype:trojan-activity;sid:84679936; rev:1;)
# The next two rules share one IP host and differ only in the path.
# NOTE(review): hits on several of these sids from one internal client are presumably
# one event - correlate by source address rather than triaging each sid separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm64"; depth:12; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816822/; classtype:trojan-activity;sid:84679922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips64"; depth:13; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816823/; classtype:trojan-activity;sid:84679923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mixteens/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816810/; classtype:trojan-activity;sid:84679910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mixteens/fivem-spoofer/refs/heads/main/cfxbypass.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816809/; classtype:trojan-activity;sid:84679909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jahredip/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816793/; classtype:trojan-activity;sid:84679893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jahredip/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816791/; classtype:trojan-activity;sid:84679891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trustnobodys/fivem-spoofer/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816792/; classtype:trojan-activity;sid:84679892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trustnobodys/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816790/; classtype:trojan-activity;sid:84679890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atteriss/silentum-spoofer/raw/refs/heads/main/silentum_spoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816784/; classtype:trojan-activity;sid:84679884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atteriss/silentum-spoofer/refs/heads/main/silentum_spoofer.exe"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_12;
reference:url, urlhaus.abuse.ch/url/3816785/; classtype:trojan-activity;sid:84679885; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line below. Each matches a
# cleartext HTTP request from $HOME_NET to $EXTERNAL_NET (http.method containing
# "GET") whose whole URI (depth + endswith, nocase) and whole Host
# (depth + isdataat:!1,relative) equal the listed values.
# Every complete rule in this group uses an IP literal as the Host value, and several
# share a host and differ only in the path (for example the /linux_* names on
# 45.66.228.93).
# NOTE(review): paths such as /i, /z and /bin.sh are generic, so the exact Host match
# carries the specificity. Addresses can change hands; metadata:created_at is the
# only age signal in the rule - presumably what to key expiry on. Hits on several
# sids for one host from the same internal client are presumably one event, so
# correlate by source address rather than triaging each sid separately.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_mips"; depth:11; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816741/; classtype:trojan-activity;sid:84679841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm5"; depth:11; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816739/; classtype:trojan-activity;sid:84679839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816740/; classtype:trojan-activity;sid:84679840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.132.166.255"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_12; reference:url, urlhaus.abuse.ch/url/3816686/; classtype:trojan-activity;sid:84679786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z"; depth:2; endswith; nocase; http.host; content:"103.232.213.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816485/; classtype:trojan-activity;sid:84679585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.37.0.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816376/; classtype:trojan-activity;sid:84679476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_arm7"; depth:11; endswith; nocase; http.host; content:"45.66.228.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816329/; classtype:trojan-activity;sid:84679429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot_x86"; depth:8; endswith; nocase; http.host; content:"31.56.229.232"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816327/; classtype:trojan-activity;sid:84679427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"58.37.0.5"; depth:9; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816317/; classtype:trojan-activity;sid:84679417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3816058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lk/mhiodh1.bin"; depth:15; endswith; nocase; http.host; content:"38.49.217.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3816058/; classtype:trojan-activity;sid:84679158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.247.88.88"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_11; reference:url, urlhaus.abuse.ch/url/3815852/; classtype:trojan-activity;sid:84678952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/launcher.dll"; depth:22; endswith; nocase; http.host; content:"185.149.120.3"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815736/; classtype:trojan-activity;sid:84678836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"94.156.166.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_10; reference:url, urlhaus.abuse.ch/url/3815631/; classtype:trojan-activity;sid:84678731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3815203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.156.166.84"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3815203/; classtype:trojan-activity;sid:84678303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3814916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elementos/mhdcbdc.txt"; depth:22; endswith; nocase; http.host; content:"grupomcperu.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814916/; classtype:trojan-activity;sid:84678016; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line below. Each matches a
# cleartext HTTP request from $HOME_NET to $EXTERNAL_NET (http.method containing
# "GET") whose whole URI (depth + endswith, nocase) and whole Host
# (depth + isdataat:!1,relative) equal the listed values.
# NOTE(review): in the URI pattern of the next rule, "|3f|" is "?", but "|7c|26|7c|"
# decodes to the four literal bytes |26| rather than to "&" (0x26). It looks as if
# the pipes of an "|26|" escape were escaped a second time by the generator. As
# written the rule only matches a URI that carries the text |26| before "token=", so
# a request using "&" would not alert. depth:116 is also the length of the escaped
# text, not of the decoded pattern. Verify against the URLhaus entry before relying
# on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/spenglercomics.firebasestorage.app/o/task.txt|3f|alt=media|7c|26|7c|token=f162f5ce-52f7-4407-8cc4-dd96cedd9b0e"; depth:116; endswith; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814834/; classtype:trojan-activity;sid:84677934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"121.167.209.164"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814765/; classtype:trojan-activity;sid:84677865; rev:1;)
# The remaining rules point at github.com or raw.githubusercontent.com; most sit under
# one account path and cover .hta and .exe files.
# NOTE(review): `alert http` only evaluates requests Suricata parses as HTTP. If these
# hosts (and firebasestorage.googleapis.com above) are reached over HTTPS only
# (likely - confirm), the sensor has to see decrypted traffic for the rules to fire.
# These are shared platforms, so a hit identifies the account/repository path; scope
# triage and blocking to that path, not to the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/encrypted.hta"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814749/; classtype:trojan-activity;sid:84677849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/raw/refs/heads/main/pulsar-client.exe"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814748/; classtype:trojan-activity;sid:84677848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/maybeworking.hta"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814746/; classtype:trojan-activity;sid:84677846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/raw/refs/heads/main/test/123123.exe"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814744/; classtype:trojan-activity;sid:84677844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/rickowens/refs/heads/main/encrypted.hta"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814742/; classtype:trojan-activity;sid:84677842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/detectionratetesting.hta"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814743/; classtype:trojan-activity;sid:84677843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/rickowens/raw/refs/heads/main/pulsar-client.exe"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814741/; classtype:trojan-activity;sid:84677841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demarcusnofatherington420-a11y/scriptinstaller/refs/heads/main/test/encrypted.hta"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_09; reference:url, urlhaus.abuse.ch/url/3814740/; classtype:trojan-activity;sid:84677840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3814104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/craftpedro62-debug/_s/raw/refs/heads/master/sass/utilities/randll32.exe"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_08; reference:url, urlhaus.abuse.ch/url/3814104/; classtype:trojan-activity;sid:84677204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813818)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/wsw0"; depth:5; endswith; nocase; http.host; content:"216.107.139.197"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813818/; classtype:trojan-activity;sid:84676918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"45.95.147.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813653/; classtype:trojan-activity;sid:84676753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k.php"; depth:6; endswith; nocase; http.host; content:"45.95.147.178"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813602/; classtype:trojan-activity;sid:84676702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3813596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x"; depth:2; endswith; nocase; http.host; content:"160.119.69.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_07; reference:url, urlhaus.abuse.ch/url/3813596/; classtype:trojan-activity;sid:84676696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i88.txt"; depth:8; endswith; nocase; http.host; content:"176.65.144.108"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812986/; classtype:trojan-activity;sid:84676086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3812871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aa/raw/refs/heads/main/hey.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812871/; classtype:trojan-activity;sid:84675971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/99/raw/refs/heads/main/violet.exe"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812870/; classtype:trojan-activity;sid:84675970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aaaa/raw/refs/heads/main/hey.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812869/; classtype:trojan-activity;sid:84675969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/violet/raw/refs/heads/main/violet.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812867/; classtype:trojan-activity;sid:84675967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/app/raw/refs/heads/main/violet.exe"; depth:48; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812868/; classtype:trojan-activity;sid:84675968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aaa/refs/heads/main/he.exe"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812862/; classtype:trojan-activity;sid:84675962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l44443934-ui/aaa/raw/refs/heads/main/he.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812863/; classtype:trojan-activity;sid:84675963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv4l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812849/; classtype:trojan-activity;sid:84675949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv5l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812843/; classtype:trojan-activity;sid:84675943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3812846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sh4"; depth:9; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812846/; classtype:trojan-activity;sid:84675946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.x86_64"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812847/; classtype:trojan-activity;sid:84675947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv6l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812821/; classtype:trojan-activity;sid:84675921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mipsel"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812827/; classtype:trojan-activity;sid:84675927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.powerpc"; depth:13; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, 
urlhaus.abuse.ch/url/3812831/; classtype:trojan-activity;sid:84675931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.armv7l"; depth:12; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812833/; classtype:trojan-activity;sid:84675933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.aarch64"; depth:13; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812835/; classtype:trojan-activity;sid:84675935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.m68k"; depth:10; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812838/; classtype:trojan-activity;sid:84675938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.sparc"; depth:11; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812841/; classtype:trojan-activity;sid:84675941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iran.mips"; depth:10; endswith; nocase; 
http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812812/; classtype:trojan-activity;sid:84675912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"83.168.110.191"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812774/; classtype:trojan-activity;sid:84675874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbc"; depth:4; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812726/; classtype:trojan-activity;sid:84675826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_06; reference:url, urlhaus.abuse.ch/url/3812664/; classtype:trojan-activity;sid:84675764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.12.251.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812586/; classtype:trojan-activity;sid:84675686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812407)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/u"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812407/; classtype:trojan-activity;sid:84675507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3812302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_05; reference:url, urlhaus.abuse.ch/url/3812302/; classtype:trojan-activity;sid:84675402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3811002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t.sh"; depth:5; endswith; nocase; http.host; content:"5.175.223.249"; depth:13; isdataat:!1,relative; metadata:created_at 2026_04_04; reference:url, urlhaus.abuse.ch/url/3811002/; classtype:trojan-activity;sid:84674102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.253.117.78"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810884/; classtype:trojan-activity;sid:84673984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y"; depth:2; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810777/; classtype:trojan-activity;sid:84673877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3810689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"192.176.50.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810689/; classtype:trojan-activity;sid:84673789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"192.176.50.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_03; reference:url, urlhaus.abuse.ch/url/3810685/; classtype:trojan-activity;sid:84673785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810365/; classtype:trojan-activity;sid:84673465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i586"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810361/; classtype:trojan-activity;sid:84673461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810363/; 
classtype:trojan-activity;sid:84673463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerpc"; depth:8; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810364/; classtype:trojan-activity;sid:84673464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i686"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810338/; classtype:trojan-activity;sid:84673438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc"; depth:4; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810339/; classtype:trojan-activity;sid:84673439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sparc"; depth:6; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810342/; classtype:trojan-activity;sid:84673442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810343/; classtype:trojan-activity;sid:84673443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mipsel"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810347/; classtype:trojan-activity;sid:84673447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i486"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810352/; classtype:trojan-activity;sid:84673452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810360/; classtype:trojan-activity;sid:84673460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv5l"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810337/; classtype:trojan-activity;sid:84673437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3810335)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/armv6l"; depth:7; endswith; nocase; http.host; content:"195.178.110.204"; depth:15; isdataat:!1,relative; metadata:created_at 2026_04_02; reference:url, urlhaus.abuse.ch/url/3810335/; classtype:trojan-activity;sid:84673435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcoss/dl/pptv(pplive)_forap_1084_9993.exe"; depth:42; endswith; nocase; http.host; content:"ossapp.suning.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809815/; classtype:trojan-activity;sid:84672915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"90.224.208.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_04_01; reference:url, urlhaus.abuse.ch/url/3809563/; classtype:trojan-activity;sid:84672663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809348/; classtype:trojan-activity;sid:84672448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809351/; classtype:trojan-activity;sid:84672451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3809352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.exe"; depth:6; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809352/; classtype:trojan-activity;sid:84672452; rev:1;)
# NOTE(review): the next two rules (URLhaus 3809024 and 3809025, sids 84672124 and 84672125) have
# identical match conditions: same http.uri content and depth, same http.host content and depth.
# A single matching request therefore raises two alerts. Presumably the feed holds two entries
# that differ only in something these keywords do not inspect (scheme or port, for example);
# confirm that, then de-duplicate downstream or suppress one of the two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sehhs_msi.png"; depth:14; endswith; nocase; http.host; content:"reutilizemais.co.mz"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809024/; classtype:trojan-activity;sid:84672124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3809025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sehhs_msi.png"; depth:14; endswith; nocase; http.host; content:"reutilizemais.co.mz"; depth:19; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3809025/; classtype:trojan-activity;sid:84672125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.208.164.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_31; reference:url, urlhaus.abuse.ch/url/3808984/; classtype:trojan-activity;sid:84672084; rev:1;)
# NOTE(review): the next two rules (URLhaus 3808366 and 3808367) list wheel files for telnyx 4.87.1
# and 4.87.2 on files.pythonhosted.org as malware download URLs. Package installers normally fetch
# that host over HTTPS, so an "alert http" rule presumably sees the request only where TLS is
# decrypted ahead of the sensor. The two wheel file names are also worth checking against
# lockfiles, internal package mirrors and build/proxy logs, where this ruleset has no visibility.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/packages/83/b7/5e93f51cd157cc8cf5599f387e587a1926d50fc7e54fb76d04b342341fb0/telnyx-4.87.1-py3-none-any.whl"; depth:107; endswith; nocase; http.host; content:"files.pythonhosted.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808366/; classtype:trojan-activity;sid:84671466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/packages/5a/73/87cb49434a1f89f253819b81993d3a4e65186ae08b013b9825633ceac359/telnyx-4.87.2-py3-none-any.whl"; depth:107; endswith; nocase; http.host; content:"files.pythonhosted.org"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808367/; classtype:trojan-activity;sid:84671467; rev:1;)
# The next two rules name the same repository file through its two hosting forms:
# raw.githubusercontent.com/<owner>/<repo>/refs/heads/... and github.com/<owner>/<repo>/raw/refs/heads/...
# Both hosts are shared with legitimate content, so the full-path match (depth + endswith) is what
# keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dannyjune79/tangnano20k-pooyan/refs/heads/main/tn20k-pooyan/schematics/pooyan-tang-nano-v3.7.zip"; depth:97; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808273/; classtype:trojan-activity;sid:84671373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dannyjune79/tangnano20k-pooyan/raw/refs/heads/main/tn20k-pooyan/schematics/pooyan-tang-nano-v3.7.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808277/; classtype:trojan-activity;sid:84671377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3808154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"90.224.208.190"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_30; reference:url, urlhaus.abuse.ch/url/3808154/; classtype:trojan-activity;sid:84671254; rev:1;)
# Each rule below pins exactly one URL. On http.uri, `depth:<content length>;
# endswith;` makes the content span the whole normalized URI (case-insensitive
# because of nocase); on http.host, `depth:<content length>;
# isdataat:!1,relative;` does the same for the host. The same file requested
# with a query string appended, or from any other host, does not match.
#
# NOTE(review): these are `alert http` signatures for github.com and
# raw.githubusercontent.com, which are normally reached over HTTPS. They can
# only fire where Suricata sees the request in cleartext (a plain-HTTP request,
# or TLS decrypted upstream of the sensor). Where that is not the case, cover
# these URLs from proxy or endpoint URL telemetry -- confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiendaunomx/wave-defender/raw/refs/heads/main/counterstatement/wave_defender_3.3.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807816/; classtype:trojan-activity;sid:84670916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/provosaintbride913/twitchfollowers/refs/heads/main/recoast/followers-twitch-counterpray.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807799/; classtype:trojan-activity;sid:84670899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-ettahri/nullrat/refs/heads/main/nullrat/rat_null_1.4-beta.5.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807802/; classtype:trojan-activity;sid:84670902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a-ettahri/nullrat/raw/refs/heads/main/nullrat/rat_null_1.4-beta.5.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807804/; classtype:trojan-activity;sid:84670904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/provosaintbride913/twitchfollowers/raw/refs/heads/main/recoast/followers-twitch-counterpray.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807805/; classtype:trojan-activity;sid:84670905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zouag94/map/raw/refs/heads/main/or/75.txt"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807793/; classtype:trojan-activity;sid:84670893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kupcsi/bounce_zero/refs/heads/main/lang/bounce_zero_v1.0.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807784/; classtype:trojan-activity;sid:84670884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nopaleafifo630/tic-tac-toe-game/refs/heads/main/nepotistical/game_tac_toe_tic_v1.2.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807786/; classtype:trojan-activity;sid:84670886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mustkimkureshi/cafe-erp-system/refs/heads/main/css/system-er-caf-v3.3.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807787/; classtype:trojan-activity;sid:84670887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nopaleafifo630/tic-tac-toe-game/raw/refs/heads/main/nepotistical/game_tac_toe_tic_v1.2.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807788/; classtype:trojan-activity;sid:84670888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeckef/unnamed_game_1_v2/raw/refs/heads/main/epidictical/game-unnamed-v-1.3-beta.4.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807790/; classtype:trojan-activity;sid:84670890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mustkimkureshi/blood-donation-sql-project/refs/heads/main/reference/project-blood-sql-donation-1.4-beta.5.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807779/; classtype:trojan-activity;sid:84670879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mustkimkureshi/blood-donation-sql-project/raw/refs/heads/main/reference/project-blood-sql-donation-1.4-beta.5.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807781/; classtype:trojan-activity;sid:84670881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cosggg/simon-says-rag-android/raw/refs/heads/main/app/src/main/res/drawable/android-ra-says-simon-transparentness.zip"; depth:118; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807735/; classtype:trojan-activity;sid:84670835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonymss642/james-bond-quantum-of-solace-pc-fix-controller-support/refs/heads/main/build/obj/win32/debug/quantum-fix-of-controller-solace-bond-support-p-james-2.6.zip"; depth:167; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807643/; classtype:trojan-activity;sid:84670743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807649)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/anonymss642/james-bond-quantum-of-solace-pc-fix-controller-support/raw/refs/heads/main/build/obj/win32/debug/quantum-fix-of-controller-solace-bond-support-p-james-2.6.zip"; depth:171; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_29; reference:url, urlhaus.abuse.ch/url/3807649/; classtype:trojan-activity;sid:84670749; rev:1;)
# The next rules use an IP literal or a single site as host, and several URIs
# are very short ("/i", "/curl"). Both contents are anchored to the full buffer
# (depth equal to the content length, plus endswith on http.uri and
# isdataat:!1,relative on http.host), so the exact-host condition is what keeps
# a URI like "/i" from matching unrelated traffic. Keep the http.host part
# intact when tuning these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3807074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.28.195.142"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3807074/; classtype:trojan-activity;sid:84670174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"90.224.208.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_28; reference:url, urlhaus.abuse.ch/url/3806913/; classtype:trojan-activity;sid:84670013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"27.220.132.248"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806637/; classtype:trojan-activity;sid:84669737; rev:1;)
# Triage: host 78.153.140.16 accounts for the following run of shell scripts
# plus /libsystem.so and per-architecture curl binaries. A hit on any one of
# these sids is a reason to check the same client for requests to the sibling
# paths listed here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806307/; classtype:trojan-activity;sid:84669407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806305/; classtype:trojan-activity;sid:84669405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xx.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806306/; classtype:trojan-activity;sid:84669406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i.sh"; depth:5; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806302/; classtype:trojan-activity;sid:84669402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3806303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sc.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_27; reference:url, urlhaus.abuse.ch/url/3806303/; classtype:trojan-activity;sid:84669403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/re.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805847/; classtype:trojan-activity;sid:84668947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/libsystem.so"; depth:13; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805839/; classtype:trojan-activity;sid:84668939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl-amd64"; depth:11; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805840/; classtype:trojan-activity;sid:84668940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl-aarch64"; depth:13; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805841/; classtype:trojan-activity;sid:84668941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acb.sh"; depth:7; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805837/; classtype:trojan-activity;sid:84668937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mt.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805838/; classtype:trojan-activity;sid:84668938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.208.164.149"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805755/; classtype:trojan-activity;sid:84668855; rev:1;)
# The .png URIs in the rules below (everycarebd.com, solar-sanat.net) are
# listed by the feed as malware download URLs; do not discount a hit because of
# the file extension.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image099.png"; depth:13; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805656/; classtype:trojan-activity;sid:84668756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecopy777.png"; depth:17; endswith; nocase; http.host; content:"everycarebd.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805655/; classtype:trojan-activity;sid:84668755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.68"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805559/; classtype:trojan-activity;sid:84668659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3805277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"185.205.226.250"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_26; reference:url, urlhaus.abuse.ch/url/3805277/; classtype:trojan-activity;sid:84668377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetxt0074751.png"; depth:20; endswith; nocase; http.host; content:"solar-sanat.net"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_25; reference:url, urlhaus.abuse.ch/url/3804863/; classtype:trojan-activity;sid:84667963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oxfordmobilexray.zip"; depth:21; endswith; nocase; http.host; content:"oxfordmobilexray.com"; depth:20; isdataat:!1,relative; metadata:created_at 2026_03_25; reference:url, urlhaus.abuse.ch/url/3804620/; classtype:trojan-activity;sid:84667720; rev:1;)
# NOTE(review): the rules from here on target raw.githubusercontent.com, which
# is normally fetched over HTTPS. An `alert http` signature only sees such a
# request if it crosses the sensor in cleartext or TLS is decrypted upstream --
# confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/bibguard/refs/heads/main/src/fetchers/guard-bib-bhoy.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804022/; classtype:trojan-activity;sid:84667122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/haucavn.github.io/refs/heads/main/purist/haucavn_github_io_v1.0.zip";
depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804007/; classtype:trojan-activity;sid:84667107; rev:1;)
# Most files in this batch are listed twice: once as
#   github.com/<user>/<repo>/raw/refs/heads/main/<path>
# and once as
#   raw.githubusercontent.com/<user>/<repo>/refs/heads/main/<path>
# Each form is its own URLhaus entry with its own sid, so when correlating
# alerts treat the two sids for one file as the same indicator.
#
# In these rules the sid equals the URLhaus id shown in msg and reference plus
# a fixed offset (80863100), so a sid taken from an alert maps straight back to
# its urlhaus.abuse.ch/url/<id>/ record.
#
# NOTE(review): both hosts are normally reached over HTTPS; `alert http` only
# matches requests the sensor can parse as cleartext HTTP (or decrypted
# traffic) -- confirm coverage for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/bibguard/raw/refs/heads/main/src/fetchers/guard-bib-bhoy.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804008/; classtype:trojan-activity;sid:84667108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3804012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haucavn/haucavn.github.io/raw/refs/heads/main/purist/haucavn_github_io_v1.0.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3804012/; classtype:trojan-activity;sid:84667112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/julesjujuu/wpaudit/raw/refs/heads/main/config/software-2.2.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803910/; classtype:trojan-activity;sid:84667010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombarde12/ix-ghostprotocol/raw/refs/heads/main/core/identity/protocol_ghost_i_v2.3.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803903/; classtype:trojan-activity;sid:84667003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armaan29-09-2005/ai-osint-security-analyzer/raw/refs/heads/main/.streamlit/security_a_osin_analyzer_3.9.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803904/; classtype:trojan-activity;sid:84667004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/julesjujuu/wpaudit/refs/heads/main/config/software-2.2.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803905/; classtype:trojan-activity;sid:84667005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombarde12/omaespareparts.github.io/refs/heads/main/uncasked/github-om-spareparts-io-ae-v2.0-alpha.4.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803906/; classtype:trojan-activity;sid:84667006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rianna113/blackvault/refs/heads/main/src/core/encryption_engine/black_vault_v3.4-alpha.3.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803907/; classtype:trojan-activity;sid:84667007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rianna113/blackvault/raw/refs/heads/main/src/core/encryption_engine/black_vault_v3.4-alpha.3.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803908/; classtype:trojan-activity;sid:84667008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armaan29-09-2005/ai-osint-security-analyzer/refs/heads/main/.streamlit/security_a_osin_analyzer_3.9.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803901/; classtype:trojan-activity;sid:84667001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ombarde12/ix-ghostprotocol/refs/heads/main/core/identity/protocol_ghost_i_v2.3.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803902/; classtype:trojan-activity;sid:84667002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caidonw/caidonw/refs/heads/main/thermojunction/w-caidon-v3.4.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803855/; classtype:trojan-activity;sid:84666955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zukochris/ebyte-amsi-patchless-vehhwbp/raw/refs/heads/main/hwbp-amsibypass/vehhwbp-ebyte-patchless-amsi-3.8.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803847/; classtype:trojan-activity;sid:84666947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiagoalfaro2006/autopentestx/refs/heads/main/modules/x-auto-pentest-3.1.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803848/; classtype:trojan-activity;sid:84666948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/munem-1/file-integrity-checker-cybersecurity-tool/refs/heads/main/assets/integrity_tool_cybersecurity_checker_file_3.7-alpha.5.zip"; depth:131; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803849/; classtype:trojan-activity;sid:84666949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zukochris/ebyte-amsi-patchless-vehhwbp/refs/heads/main/hwbp-amsibypass/vehhwbp-ebyte-patchless-amsi-3.8.zip"; depth:108; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803851/; classtype:trojan-activity;sid:84666951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caidonw/electrum-wallet-multi-crypto-secure-gui-multi-coin-storage-web-browser/refs/heads/main/electrum-wallet/properties/lib/secure-browser-storage-coin-wallet-web-gui-electrum-crypto-multi-1.7.zip"; depth:199; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803838/; classtype:trojan-activity;sid:84666938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elmamlaka/shopify-traffic-filter-block-bots/refs/heads/main/chernozem/bots_block_shopify_filter_traffic_v2.7.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803839/; classtype:trojan-activity;sid:84666939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiagoalfaro2006/autopentestx/raw/refs/heads/main/modules/x-auto-pentest-3.1.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803840/; classtype:trojan-activity;sid:84666940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ovifrn/llmverify-npm/raw/refs/heads/main/src/security/npm_llmverify_3.3-beta.3.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803841/; classtype:trojan-activity;sid:84666941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caidonw/electrum-wallet-multi-crypto-secure-gui-multi-coin-storage-web-browser/raw/refs/heads/main/electrum-wallet/properties/lib/secure-browser-storage-coin-wallet-web-gui-electrum-crypto-multi-1.7.zip"; depth:203; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803842/; classtype:trojan-activity;sid:84666942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elmamlaka/shopify-traffic-filter-block-bots/raw/refs/heads/main/chernozem/bots_block_shopify_filter_traffic_v2.7.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803843/; classtype:trojan-activity;sid:84666943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caidonw/caidonw/raw/refs/heads/main/thermojunction/w-caidon-v3.4.zip"; depth:69; endswith; nocase;
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803845/; classtype:trojan-activity;sid:84666945; rev:1;)
# Scope of the rules below: `$HOME_NET any -> $EXTERNAL_NET any` with
# `flow:established,from_client` and http.method "GET" means only outbound GET
# requests from HOME_NET clients are inspected, so coverage depends on HOME_NET
# being defined correctly for the sensor.
#
# NOTE(review): every complete rule in this block targets github.com or
# raw.githubusercontent.com through `alert http`. Those hosts are normally
# reached over HTTPS, so the signatures only fire where the request is visible
# in cleartext or TLS is decrypted upstream of Suricata -- confirm for your
# deployment, and rely on proxy or endpoint URL logs where it is not.
#
# Several repository names in these paths read like security or analysis
# tooling (for example npm-malware-scanner, aegistrace-threat-intelligence).
# The name is only part of the indicator; use the reference URL on each rule
# for the feed's record of the entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/munem-1/file-integrity-checker-cybersecurity-tool/raw/refs/heads/main/assets/integrity_tool_cybersecurity_checker_file_3.7-alpha.5.zip"; depth:135; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803846/; classtype:trojan-activity;sid:84666946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/varun4gv/pumpfun-risk-analyzer/refs/heads/main/backend/services/analyzer_pumpfun_risk_1.7.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803826/; classtype:trojan-activity;sid:84666926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/varun4gv/pumpfun-risk-analyzer/raw/refs/heads/main/backend/services/analyzer_pumpfun_risk_1.7.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803827/; classtype:trojan-activity;sid:84666927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stanayo/s3tk/raw/refs/heads/main/spinnable/s_tk_3.7.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803828/; classtype:trojan-activity;sid:84666928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stanayo/s3tk/refs/heads/main/spinnable/s_tk_3.7.zip"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803829/; classtype:trojan-activity;sid:84666929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feros0/commentcrusader-burp/refs/heads/main/media/commentcrusader_burp_cessor.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803808/; classtype:trojan-activity;sid:84666908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vorexcotusar/revguard-nlp/refs/heads/main/hogling/revguard_nlp_mailguard.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803809/; classtype:trojan-activity;sid:84666909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siyahkan0637/safehold/raw/refs/heads/main/.vscode/software_3.8-alpha.2.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803810/; classtype:trojan-activity;sid:84666910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feros0/commentcrusader-burp/raw/refs/heads/main/media/commentcrusader_burp_cessor.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803811/; classtype:trojan-activity;sid:84666911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fayku57/aar-act/raw/refs/heads/main/automation/aar_act_2.1.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803812/; classtype:trojan-activity;sid:84666912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siyahkan0637/safehold/refs/heads/main/.vscode/software_3.8-alpha.2.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803813/; classtype:trojan-activity;sid:84666913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/fraud-detection-modelling-and-reporting/raw/refs/heads/main/orthotolidin/and_modelling_fraud_detection_reporting_2.6-alpha.5.zip"; depth:139; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803814/; classtype:trojan-activity;sid:84666914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiz-ui/obex/refs/heads/main/ruby/software_trickment.zip"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803815/; classtype:trojan-activity;sid:84666915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raiz-ui/obex/raw/refs/heads/main/ruby/software_trickment.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803816/; classtype:trojan-activity;sid:84666916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vorexcotusar/revguard-nlp/raw/refs/heads/main/hogling/revguard_nlp_mailguard.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803817/; classtype:trojan-activity;sid:84666917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karthik-reddy6/aegistrace-threat-intelligence/raw/refs/heads/main/docs/intelligence-threat-aegistrace-2.2.zip"; depth:110; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803818/; classtype:trojan-activity;sid:84666918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karthik-reddy6/aegistrace-threat-intelligence/refs/heads/main/docs/intelligence-threat-aegistrace-2.2.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803819/; classtype:trojan-activity;sid:84666919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsntizka/23/raw/refs/heads/main/in/23.txt"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803799/; classtype:trojan-activity;sid:84666899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wangyanjun7954/cyberdefensex_demo/refs/heads/main/agent/demo-defense-cyber-1.3.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803800/; classtype:trojan-activity;sid:84666900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juwad65/npm-malware-scanner/refs/heads/main/messmate/malware-scanner-npm-1.9.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803801/; classtype:trojan-activity;sid:84666901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juwad65/npm-malware-scanner/raw/refs/heads/main/messmate/malware-scanner-npm-1.9.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803802/; classtype:trojan-activity;sid:84666902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/exilemodforge/refs/heads/main/occupative/forge-mod-exile-1.6.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803803/; classtype:trojan-activity;sid:84666903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wangyanjun7954/cyberdefensex_demo/raw/refs/heads/main/agent/demo-defense-cyber-1.3.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803805/; classtype:trojan-activity;sid:84666905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/fraud-detection-modelling-and-reporting/refs/heads/main/orthotolidin/and_modelling_fraud_detection_reporting_2.6-alpha.5.zip"; depth:135; endswith; nocase; http.host;
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803806/; classtype:trojan-activity;sid:84666906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loczek223/exilemodforge/raw/refs/heads/main/occupative/forge-mod-exile-1.6.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803807/; classtype:trojan-activity;sid:84666907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsntizka/23/refs/heads/main/in/23.txt"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803797/; classtype:trojan-activity;sid:84666897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/shannon/raw/refs/heads/main/xben-benchmark-results/xben-079-24/audit-logs/prompts/software-3.9.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803774/; classtype:trojan-activity;sid:84666874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/calcbookbackend/raw/refs/heads/main/models/calc_backend_book_3.8.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803775/; classtype:trojan-activity;sid:84666875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/shannon/refs/heads/main/xben-benchmark-results/xben-079-24/audit-logs/prompts/software-3.9.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803776/; classtype:trojan-activity;sid:84666876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/ins_sandstorm/refs/heads/master/insurgency/config/server/sandstorm_in_v2.0.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803777/; classtype:trojan-activity;sid:84666877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/bunny/refs/heads/main/src/lib/utils/software-3.6.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803778/; classtype:trojan-activity;sid:84666878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/calcbook/raw/refs/heads/main/public/images/logo/calc_book_2.1.zip"; depth:84; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803780/; classtype:trojan-activity;sid:84666880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/bunnytweak/raw/refs/heads/main/.github/software_v1.4-alpha.1.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803781/; classtype:trojan-activity;sid:84666881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/moltbook-agent-guard/raw/refs/heads/main/integrations/guard_moltbook_agent_1.8.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803782/; classtype:trojan-activity;sid:84666882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/calcbook/refs/heads/main/public/images/logo/calc_book_2.1.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803783/; classtype:trojan-activity;sid:84666883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/exo/refs/heads/main/src/middleware/software-v3.0-beta.3.zip"; depth:72; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803786/; classtype:trojan-activity;sid:84666886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/anti_phishing_email_detector_gui/raw/refs/heads/main/anti_phishing_email_detector/data/gui-anti-phishing-email-detector-v3.9.zip"; depth:142; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803787/; classtype:trojan-activity;sid:84666887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/ifearnohost.github.io/refs/heads/main/speciousness/github_ifearnohost_io_1.9-alpha.1.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803788/; classtype:trojan-activity;sid:84666888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/ins_sandstorm/raw/refs/heads/master/insurgency/config/server/sandstorm_in_v2.0.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803790/; classtype:trojan-activity;sid:84666890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803791)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/lowwkezer/bunny/raw/refs/heads/main/src/lib/utils/software-3.6.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803791/; classtype:trojan-activity;sid:84666891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/ifearnohost.github.io/raw/refs/heads/main/speciousness/github_ifearnohost_io_1.9-alpha.1.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803792/; classtype:trojan-activity;sid:84666892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/totp-otp-auth/raw/refs/heads/main/src/auth-otp-totp-v3.2.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803793/; classtype:trojan-activity;sid:84666893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cyrustmods/openclaw-skill-safe/raw/refs/heads/master/grandame/skil-safe-opencla-v3.4.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803794/; classtype:trojan-activity;sid:84666894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803795)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/b0zrx/rationtrack/raw/refs/heads/main/docs/docs/docs/ration-track-2.6-beta.5.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803795/; classtype:trojan-activity;sid:84666895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0zrx/rationtrack/refs/heads/main/docs/docs/docs/ration-track-2.6-beta.5.zip"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803796/; classtype:trojan-activity;sid:84666896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0zrx/b0zrx.github.io/refs/heads/main/bandstand/zrx_io_github_b_v2.6.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803761/; classtype:trojan-activity;sid:84666861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orangeok77/chrysalis-ioc-triage/refs/heads/master/docs/triage-chrysalis-ioc-1.6.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803762/; classtype:trojan-activity;sid:84666862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803763)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fayku57/eeveespotifyreborn/refs/heads/swift/.github/spotify-eevee-reborn-3.6.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803763/; classtype:trojan-activity;sid:84666863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orangeok77/chrysalis-ioc-triage/raw/refs/heads/master/docs/triage-chrysalis-ioc-1.6.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803764/; classtype:trojan-activity;sid:84666864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifearnohost/exo/raw/refs/heads/main/src/middleware/software-v3.0-beta.3.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803765/; classtype:trojan-activity;sid:84666865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/sabinakhatun14588-ctrl.github.io/raw/refs/heads/main/aigialosaurus/github-sabinakhatun-ctrl-io-v3.0.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803766/; classtype:trojan-activity;sid:84666866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803767)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/sabinakhatun14588-ctrl.github.io/refs/heads/main/aigialosaurus/github-sabinakhatun-ctrl-io-v3.0.zip"; depth:123; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803767/; classtype:trojan-activity;sid:84666867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sabinakhatun14588-ctrl/moltbook-agent-guard/refs/heads/main/integrations/guard_moltbook_agent_1.8.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803768/; classtype:trojan-activity;sid:84666868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonamebatbai/anti_phishing_email_detector_gui/refs/heads/main/anti_phishing_email_detector/data/gui-anti-phishing-email-detector-v3.9.zip"; depth:138; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803769/; classtype:trojan-activity;sid:84666869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shulpextechnology/calcbookbackend/refs/heads/main/models/calc_backend_book_3.8.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803770/; classtype:trojan-activity;sid:84666870; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fayku57/eeveespotifyreborn/raw/refs/heads/swift/.github/spotify-eevee-reborn-3.6.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803771/; classtype:trojan-activity;sid:84666871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowwkezer/bunnytweak/refs/heads/main/.github/software_v1.4-alpha.1.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803772/; classtype:trojan-activity;sid:84666872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/syro-theme/refs/heads/main/images/syro_theme_v3.7.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803738/; classtype:trojan-activity;sid:84666838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nerfyjubay/phitto-phishing/refs/heads/main/lib/src/phitto-phishing-1.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803739/; classtype:trojan-activity;sid:84666839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3803740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kankertje2/anti-shannon/raw/refs/heads/main/src/wukong/anti_shannon_v2.9.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803740/; classtype:trojan-activity;sid:84666840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/anti-afk/refs/heads/main/anticrisis/anti-afk-v1.2.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803741/; classtype:trojan-activity;sid:84666841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/anti-afk/raw/refs/heads/main/anticrisis/anti-afk-v1.2.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803742/; classtype:trojan-activity;sid:84666842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forgestudi0s/wagmiwars/refs/heads/main/backend/app/software-2.2.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803743/; classtype:trojan-activity;sid:84666843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3803744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eldenisek/syro-theme/raw/refs/heads/main/images/syro_theme_v3.7.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803744/; classtype:trojan-activity;sid:84666844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krypton2355/rust-linuxgsm-watchdog/refs/heads/main/indogen/rust-watchdog-linuxgsm-bahut.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803745/; classtype:trojan-activity;sid:84666845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wileviking10/aws-security-scout/refs/heads/main/aws_scout/core/security_aws_scout_flightily.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803746/; classtype:trojan-activity;sid:84666846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/face-injector-v2-1/raw/refs/heads/main/face_injector_v2/v_face_injector_bubastite.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803747/; classtype:trojan-activity;sid:84666847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3803749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saeeed123/1af-starwars-theoldrepublicff/refs/heads/main/residentially/af_star_the_wars_old_republicff_2.5.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803749/; classtype:trojan-activity;sid:84666849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaggyt0701/prompt-shield/refs/heads/main/examples/prompt-shield-v1.3-alpha.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803750/; classtype:trojan-activity;sid:84666850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/face-injector-v2-1/refs/heads/main/face_injector_v2/v_face_injector_bubastite.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803751/; classtype:trojan-activity;sid:84666851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zidane109/cloud-honeypot-auto-block/raw/refs/heads/main/infra/terraform/auto-cloud-honeypot-block-3.5.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803752/; classtype:trojan-activity;sid:84666852; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zidane109/cloud-honeypot-auto-block/refs/heads/main/infra/terraform/auto-cloud-honeypot-block-3.5.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803753/; classtype:trojan-activity;sid:84666853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shaggyt0701/prompt-shield/raw/refs/heads/main/examples/prompt-shield-v1.3-alpha.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803754/; classtype:trojan-activity;sid:84666854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saeeed123/1af-starwars-theoldrepublicff/raw/refs/heads/main/residentially/af_star_the_wars_old_republicff_2.5.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803733/; classtype:trojan-activity;sid:84666833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wileviking10/aws-security-scout/raw/refs/heads/main/aws_scout/core/security_aws_scout_flightily.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803734/; 
classtype:trojan-activity;sid:84666834; rev:1;)
# NOTE(review): how to read the signatures in this feed. Each rule is an
# exact-match indicator for one URLhaus entry: the http.uri content carries a
# depth equal to its own length plus `endswith`, so the request URI (as
# normalised by Suricata) has to equal the listed path in full, compared
# case-insensitively via `nocase`; the http.host content with its depth and
# `isdataat:!1,relative` has to be the complete Host value.
# A hit therefore points at one specific file request. The hosts named below
# (github.com, raw.githubusercontent.com) are shared platforms, so respond to
# the URL given in `reference:url`, not to the domain as a whole.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kankertje2/anti-shannon/refs/heads/main/src/wukong/anti_shannon_v2.9.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803735/; classtype:trojan-activity;sid:84666835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krypton2355/rust-linuxgsm-watchdog/raw/refs/heads/main/indogen/rust-watchdog-linuxgsm-bahut.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803737/; classtype:trojan-activity;sid:84666837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/metasafe-guardian-/refs/heads/main/hydramnion/meta_guardian_safe_v3.0.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803730/; classtype:trojan-activity;sid:84666830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/57karakalkan/metasafe-guardian-/raw/refs/heads/main/hydramnion/meta_guardian_safe_v3.0.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803731/; classtype:trojan-activity;sid:84666831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forgestudi0s/wagmiwars/raw/refs/heads/main/backend/app/software-2.2.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803729/; classtype:trojan-activity;sid:84666829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/ushd/raw/refs/heads/main/citharist/software-v3.9.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803720/; classtype:trojan-activity;sid:84666820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/code-audit/raw/refs/heads/main/references/frameworks/audit-code-v1.5.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803721/; classtype:trojan-activity;sid:84666821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/jeje/refs/heads/main/foreloper/software_2.7.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803718/; classtype:trojan-activity;sid:84666818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1nashiw2/nioh3-trainer-2026/raw/refs/heads/main/src/trainer-nioh-v1.9.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803719/; classtype:trojan-activity;sid:84666819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apgmightking/security-audit-framework-shell/refs/heads/main/auditreports/security_audit_shell_framework_3.8.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803709/; classtype:trojan-activity;sid:84666809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/script-/refs/heads/main/platinize/script-1.3.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803710/; classtype:trojan-activity;sid:84666810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apgmightking/security-audit-framework-shell/raw/refs/heads/main/auditreports/security_audit_shell_framework_3.8.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803712/; classtype:trojan-activity;sid:84666812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/lilx/refs/heads/main/sexannulate/software_v2.3.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803713/; classtype:trojan-activity;sid:84666813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1nashiw2/nioh3-trainer-2026/refs/heads/main/src/trainer-nioh-v1.9.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803715/; classtype:trojan-activity;sid:84666815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/lilx/raw/refs/heads/main/sexannulate/software_v2.3.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803716/; classtype:trojan-activity;sid:84666816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lukhanteanini21-glitch/jeje/raw/refs/heads/main/foreloper/software_2.7.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803717/; classtype:trojan-activity;sid:84666817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hfuhuu/nvidiacapture/raw/refs/heads/main/embind/nvidia_capture_1.8-alpha.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803705/; classtype:trojan-activity;sid:84666805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hfuhuu/nvidiacapture/refs/heads/main/embind/nvidia_capture_1.8-alpha.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_24; reference:url, urlhaus.abuse.ch/url/3803706/; classtype:trojan-activity;sid:84666806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3803384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kmjs632/png/refs/heads/main/optimizedmsi.png"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_23; reference:url, urlhaus.abuse.ch/url/3803384/; classtype:trojan-activity;sid:84666484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3802108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/charliefloud-bot/testrepository/refs/heads/main/cryptifyv2upload.txt"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3802108/; 
classtype:trojan-activity;sid:84665208; rev:1;)
# NOTE(review): visibility. These are `alert http` signatures keyed on
# http.method, http.uri and http.host, so they are evaluated only on traffic
# Suricata parses as cleartext HTTP. github.com and raw.githubusercontent.com
# are normally fetched over HTTPS, where the request path is encrypted; expect
# hits only for plaintext requests or on a sensor that sees decrypted traffic.
# Where neither applies, look for the same URLs in proxy or endpoint logs
# instead of relying on the absence of alerts from this ruleset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/refs/heads/main/das/io-github-algobytesolutions-v1.7-beta.4.zip"; depth:110; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801904/; classtype:trojan-activity;sid:84665004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/raw/refs/heads/main/das/io-github-algobytesolutions-v1.7-beta.4.zip"; depth:114; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801893/; classtype:trojan-activity;sid:84664993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/raw/refs/heads/main/das/algobytesolutions-github-io-1.8.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801862/; classtype:trojan-activity;sid:84664962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/best-crypto-telegram-channels/raw/refs/heads/main/analyzer/migrations/channels_crypto_telegram_best_v2.7.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801866/; classtype:trojan-activity;sid:84664966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/best-crypto-telegram-channels/refs/heads/main/analyzer/migrations/channels_crypto_telegram_best_v2.7.zip"; depth:123; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801868/; classtype:trojan-activity;sid:84664968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/algobytesolutions/algobytesolutions.github.io/refs/heads/main/das/algobytesolutions-github-io-1.8.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801876/; classtype:trojan-activity;sid:84664976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savagegodfather/tma-llms-txt/raw/refs/heads/main/technolithic/txt-tma-llms-v1.7.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801845/; classtype:trojan-activity;sid:84664945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/eridanux.github.io/raw/refs/heads/main/excentral/github-eridanux-io-v1.7-beta.2.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801846/; classtype:trojan-activity;sid:84664946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajkumarsingh23/nestjs-demo/refs/heads/main/nous/demo_nestjs_v2.0.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801847/; classtype:trojan-activity;sid:84664947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rajkumarsingh23/nestjs-demo/raw/refs/heads/main/nous/demo_nestjs_v2.0.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801849/; classtype:trojan-activity;sid:84664949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/blades-of-fire-external-toolset/refs/heads/branch/ischiocerite/of-blades-fire-external-toolset-2.0.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801838/; classtype:trojan-activity;sid:84664938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savagegodfather/tma-llms-txt/refs/heads/main/technolithic/txt-tma-llms-v1.7.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801839/; classtype:trojan-activity;sid:84664939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/eridanux.github.io/refs/heads/main/excentral/github-eridanux-io-v1.7-beta.2.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801840/; classtype:trojan-activity;sid:84664940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/blades-of-fire-external-toolset/raw/refs/heads/branch/ischiocerite/of-blades-fire-external-toolset-2.0.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801841/; classtype:trojan-activity;sid:84664941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3801843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/savagegodfather/savagegodfather.github.io/refs/heads/main/proctorling/savagegodfather-github-io-v2.8-beta.2.zip"; depth:112; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801843/; classtype:trojan-activity;sid:84664943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3801844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eridanux/cashu-skill/refs/heads/main/cli/cashu-skill-v3.6.zip"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_22; reference:url, urlhaus.abuse.ch/url/3801844/; classtype:trojan-activity;sid:84664944; rev:1;)
# NOTE(review): paired entries. Many files below are listed twice, once as
# github.com `/<owner>/<repo>/raw/refs/heads/...` and once as
# raw.githubusercontent.com `/<owner>/<repo>/refs/heads/...`, each with its own
# URLhaus id and sid (e.g. 3800842 and 3800843). A client that follows a
# redirect from the first form to the second may raise both alerts for one
# download, so de-duplicate by owner/repo/file when counting affected hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/raw/refs/heads/main/herbivore/b-power-sq-projects-v1.6.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800856/; classtype:trojan-activity;sid:84663956; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/raw/refs/heads/main/herbivore/projects_sq_power_b_v3.4.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800857/; classtype:trojan-activity;sid:84663957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/umarmoin22.github.io/raw/refs/heads/main/palpableness/umarmoin_github_io_2.6.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800855/; classtype:trojan-activity;sid:84663955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/refs/heads/main/herbivore/projects_sq_power_b_v3.4.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800854/; classtype:trojan-activity;sid:84663954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/claude-code-startup-skills/refs/heads/main/skills/compress-images/skills_claude_code_startup_v1.3.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800848/; classtype:trojan-activity;sid:84663948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/umarmoin22.github.io/refs/heads/main/palpableness/io_github_umarmoin_3.0.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800849/; classtype:trojan-activity;sid:84663949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/claude-code-startup-skills/raw/refs/heads/main/skills/compress-images/skills_claude_code_startup_v1.3.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800850/; classtype:trojan-activity;sid:84663950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umarmoin22/sql-powerbi-projects/refs/heads/main/herbivore/b-power-sq-projects-v1.6.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800852/; classtype:trojan-activity;sid:84663952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/vllm-skills/refs/heads/main/skills/skills_vllm_2.3.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800844/; classtype:trojan-activity;sid:84663944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/lr-s/refs/heads/master/gamesv/src/logic/level/s_l_1.3.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800842/; classtype:trojan-activity;sid:84663942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/lr-s/raw/refs/heads/master/gamesv/src/logic/level/s_l_1.3.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800843/; classtype:trojan-activity;sid:84663943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/davirenner88-rgb.github.io/refs/heads/main/telewriter/io_davirenner_rgb_github_2.8.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800837/; classtype:trojan-activity;sid:84663937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/davirenner88-rgb.github.io/raw/refs/heads/main/telewriter/io_davirenner_rgb_github_2.8.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800838/; classtype:trojan-activity;sid:84663938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/xrecentx.github.io/raw/refs/heads/main/carpentry/github_xrecentx_io_burnisher.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800839/; classtype:trojan-activity;sid:84663939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/xrecentx.github.io/raw/refs/heads/main/carpentry/io-github-xrecentx-v2.7.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800840/; classtype:trojan-activity;sid:84663940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xrecentx/vllm-skills/raw/refs/heads/main/skills/skills_vllm_2.3.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800841/; classtype:trojan-activity;sid:84663941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davirenner88-rgb/davirenner88-rgb.github.io/raw/refs/heads/main/telewriter/io-davirenner-rgb-github-v2.6-alpha.2.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800833/; classtype:trojan-activity;sid:84663933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kontolkambings/kontolkambings.github.io/raw/refs/heads/main/drawfiling/io_kontolkambings_github_2.7.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800825/; classtype:trojan-activity;sid:84663925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/sablive25.github.io/raw/refs/heads/main/tumor/io-github-sablive-1.8.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800822/; classtype:trojan-activity;sid:84663922; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/sablive25.github.io/refs/heads/main/tumor/io-github-sablive-1.8.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800823/; classtype:trojan-activity;sid:84663923; rev:1;)
# NOTE(review): triage aid. In the rules visible here the sid equals the
# URLhaus id shown in msg/reference plus 80863100 (e.g. 3800824 -> 84663924),
# so an alert that carries only the sid can be traced back to its
# urlhaus.abuse.ch/url/<id>/ entry. Treat the offset as an observation about
# this listing, not a documented guarantee; the `reference:url` field is the
# authoritative link.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kontolkambings/ai-inference-resources/raw/refs/heads/main/android/app/src/profile/resources_inference_ai_1.0.zip"; depth:113; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800824/; classtype:trojan-activity;sid:84663924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longtengsiha/arbitrum-dapp-skill/refs/heads/main/references/arbitrum_dapp_skill_2.7-beta.2.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800813/; classtype:trojan-activity;sid:84663913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kontolkambings/kontolkambings.github.io/refs/heads/main/drawfiling/io_kontolkambings_github_2.7.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800814/; classtype:trojan-activity;sid:84663914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longtengsiha/arbitrum-dapp-skill/raw/refs/heads/main/references/arbitrum_dapp_skill_2.7-beta.2.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800815/; classtype:trojan-activity;sid:84663915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/iranpipfix/refs/heads/main/spangled/fix-pip-iran-1.2.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800817/; classtype:trojan-activity;sid:84663917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sablive25/iranpipfix/raw/refs/heads/main/spangled/fix-pip-iran-1.2.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800818/; classtype:trojan-activity;sid:84663918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332245/2332245.github.io/refs/heads/main/endlichite/github_io_v3.5.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800802/; classtype:trojan-activity;sid:84663902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332245/starspring/raw/refs/heads/main/starspring/decorators/software-v3.8-beta.3.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800803/; classtype:trojan-activity;sid:84663903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332245/2332245.github.io/raw/refs/heads/main/endlichite/github_io_v3.5.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800804/; classtype:trojan-activity;sid:84663904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/opensem/raw/refs/heads/main/configs/sem_open_v2.2.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800805/; classtype:trojan-activity;sid:84663905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/opensem/refs/heads/main/configs/sem_open_v2.2.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800806/; classtype:trojan-activity;sid:84663906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/69ir.github.io/refs/heads/main/outbring/io_github_ir_v3.3.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800807/; classtype:trojan-activity;sid:84663907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2332245/starspring/refs/heads/main/starspring/decorators/software-v3.8-beta.3.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800808/; classtype:trojan-activity;sid:84663908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arkaih/vps_bot_x/refs/heads/main/vps_bot-x/modules/x_bo_vp_pitying.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800809/; classtype:trojan-activity;sid:84663909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arkaih/arkaih.github.io/raw/refs/heads/main/untractably/github-io-arkaih-v1.4.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800810/; classtype:trojan-activity;sid:84663910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69ir/69ir.github.io/raw/refs/heads/main/outbring/io_github_ir_v3.3.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800811/; classtype:trojan-activity;sid:84663911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arkaih/arkaih.github.io/refs/heads/main/untractably/github-io-arkaih-v1.4.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800801/; classtype:trojan-activity;sid:84663901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/ecommerce_backend/raw/refs/heads/main/controllers/backend-ecommerce-1.4-beta.1.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800759/; classtype:trojan-activity;sid:84663859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/ecommerce_backend/refs/heads/main/controllers/backend-ecommerce-1.4-beta.1.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800760/; classtype:trojan-activity;sid:84663860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3800754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/assignment/raw/refs/heads/main/pluricipital/software_v1.8.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800754/; classtype:trojan-activity;sid:84663854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/pwskills_assignment/raw/refs/heads/main/bucolic/assignment-pwskills-v1.6.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800746/; classtype:trojan-activity;sid:84663846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilorasovic/powersub-demo-1807/refs/heads/main/smilax/demo-powersub-v2.1.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800747/; classtype:trojan-activity;sid:84663847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/pwskills_assignment/refs/heads/main/bucolic/assignment-pwskills-v1.6.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800748/; classtype:trojan-activity;sid:84663848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3800751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/open-webui-rust/refs/heads/main/static/assets/fonts/open_rust_webui_1.4-beta.5.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800751/; classtype:trojan-activity;sid:84663851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arpan02/open-webui-rust/raw/refs/heads/main/static/assets/fonts/open_rust_webui_1.4-beta.5.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800752/; classtype:trojan-activity;sid:84663852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danilorasovic/powersub-demo-1807/raw/refs/heads/main/smilax/demo-powersub-v2.1.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800744/; classtype:trojan-activity;sid:84663844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/portfoilio/refs/heads/main/.vscode/software-1.9.zip"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800583/; classtype:trojan-activity;sid:84663683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3800579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/digital-resume-builder/raw/refs/heads/main/public/digital-builder-resume-predramatic.zip"; depth:102; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800579/; classtype:trojan-activity;sid:84663679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/digital-resume-builder/refs/heads/main/public/digital-builder-resume-predramatic.zip"; depth:98; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800581/; classtype:trojan-activity;sid:84663681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/powersub-demo-1078/refs/heads/main/shufflingly/demo_powersub_v2.0.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800577/; classtype:trojan-activity;sid:84663677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mannkalariya/powersub-demo-1078/raw/refs/heads/main/shufflingly/demo_powersub_v2.0.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800578/; classtype:trojan-activity;sid:84663678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3800569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dellarwalter/throttleai/refs/heads/main/examples/ai_throttle_2.2-beta.2.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800569/; classtype:trojan-activity;sid:84663669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/charlieallen16/vibeshell/raw/refs/heads/master/src/components/editserverdialog/software_v3.3.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800567/; classtype:trojan-activity;sid:84663667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dellarwalter/throttleai/raw/refs/heads/main/examples/ai_throttle_2.2-beta.2.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800568/; classtype:trojan-activity;sid:84663668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/charlieallen16/vibeshell/refs/heads/master/src/components/editserverdialog/software_v3.3.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800566/; classtype:trojan-activity;sid:84663666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3800558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/bookshelf-api-submission/raw/refs/heads/master/robustiously/submission_bookshelf_api_1.0.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800558/; classtype:trojan-activity;sid:84663658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/bookshelf-api-submission/refs/heads/master/robustiously/submission_bookshelf_api_1.0.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800560/; classtype:trojan-activity;sid:84663660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/rest-api-app/raw/refs/heads/main/flaskr/rest_app_api_2.7.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800561/; classtype:trojan-activity;sid:84663661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/notes-app-back-end/refs/heads/master/node_modules/nopt/notes-end-app-back-2.4.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800562/; classtype:trojan-activity;sid:84663662; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/rest-api-app/refs/heads/main/flaskr/rest_app_api_2.7.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800563/; classtype:trojan-activity;sid:84663663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bramskiee/fishxcode/refs/heads/main/es/software_v2.9.zip"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800551/; classtype:trojan-activity;sid:84663651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kattimatti22/vibecode-playground/refs/heads/main/hooks/playground_vibecode_2.8.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800552/; classtype:trojan-activity;sid:84663652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/bit-of-business-os/refs/heads/master/images/os_bit_of_business_v2.9.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800553/; classtype:trojan-activity;sid:84663653; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kattimatti22/vibecode-playground/raw/refs/heads/main/hooks/playground_vibecode_2.8.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800554/; classtype:trojan-activity;sid:84663654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/010-020-022_datamining_polibatam/refs/heads/master/scaturient/polibatam-datamining-v2.5.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800555/; classtype:trojan-activity;sid:84663655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/danieltulus/010-020-022_datamining_polibatam/raw/refs/heads/master/scaturient/polibatam-datamining-v2.5.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800556/; classtype:trojan-activity;sid:84663656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/hospitalbedmanagementsystem/refs/heads/main/node_modules/date-fns/fp/getweekofmonthwithoptions/hospital_system_bed_management_v2.5-alpha.4.zip"; depth:154; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; 
reference:url, urlhaus.abuse.ch/url/3800249/; classtype:trojan-activity;sid:84663349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/hospitalbedmanagementsystem/raw/refs/heads/main/node_modules/date-fns/fp/getweekofmonthwithoptions/hospital_system_bed_management_v2.5-alpha.4.zip"; depth:158; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800248/; classtype:trojan-activity;sid:84663348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eduxxhdfgfd/react-view-import/raw/refs/heads/main/src/import-react-view-tristiloquy.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800243/; classtype:trojan-activity;sid:84663343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/stargate/refs/heads/main/demography/star_gate_v3.4.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800244/; classtype:trojan-activity;sid:84663344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anjdjwjf/fastuator/refs/heads/main/examples/software-1.5.zip"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800245/; classtype:trojan-activity;sid:84663345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/stargate/raw/refs/heads/main/demography/star_gate_v3.4.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800246/; classtype:trojan-activity;sid:84663346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anjdjwjf/fastuator/raw/refs/heads/main/examples/software-1.5.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800247/; classtype:trojan-activity;sid:84663347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/tts/refs/heads/master/sugarless/software-2.2-beta.2.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800236/; classtype:trojan-activity;sid:84663336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ongbinlong/tts/raw/refs/heads/master/sugarless/software-2.2-beta.2.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800237/; 
classtype:trojan-activity;sid:84663337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eduxxhdfgfd/react-view-import/refs/heads/main/src/import-react-view-tristiloquy.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800238/; classtype:trojan-activity;sid:84663338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasjan2137/azure-ml-pipeline/refs/heads/main/components/pipeline-azure-ml-3.8.zip"; depth:82; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800240/; classtype:trojan-activity;sid:84663340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasjan2137/azure-ml-pipeline/raw/refs/heads/main/components/pipeline-azure-ml-3.8.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800242/; classtype:trojan-activity;sid:84663342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rainmeriloo/cf-browser-cdp/raw/refs/heads/master/src/cdp-browser-cf-1.2-beta.4.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800223/; 
classtype:trojan-activity;sid:84663323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3800219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rainmeriloo/cf-browser-cdp/refs/heads/master/src/cdp-browser-cf-1.2-beta.4.zip"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_20; reference:url, urlhaus.abuse.ch/url/3800219/; classtype:trojan-activity;sid:84663319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/rematch-open-source-release/raw/refs/heads/branch/phrynoid/source-open-release-rematch-1.5.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799995/; classtype:trojan-activity;sid:84663095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/rematch-open-source-release/refs/heads/branch/phrynoid/source-open-release-rematch-1.5.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799997/; classtype:trojan-activity;sid:84663097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/python-group-2/raw/refs/heads/master/data/group-python-notidanian.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, 
urlhaus.abuse.ch/url/3799998/; classtype:trojan-activity;sid:84663098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/f959.github.io/raw/refs/heads/main/coelomesoblast/github_f_io_2.2.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799991/; classtype:trojan-activity;sid:84663091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f959/f959.github.io/refs/heads/main/coelomesoblast/github_f_io_2.2.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799993/; classtype:trojan-activity;sid:84663093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pirateshadow/nan111de/raw/refs/heads/main/spiketop/na_de_presentably.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799901/; classtype:trojan-activity;sid:84663001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pirateshadow/nan111de/refs/heads/main/spiketop/na_de_presentably.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799902/; 
classtype:trojan-activity;sid:84663002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fezarecool/mcp-claude-hackernews/raw/refs/heads/master/entach/hackernews_mcp_claude_v1.9.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799874/; classtype:trojan-activity;sid:84662974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohame524z/bagsfun-bundler-dbc/refs/heads/main/joola/bagsfun-bundler-dbc-1.5.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799872/; classtype:trojan-activity;sid:84662972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fezarecool/mcp-claude-hackernews/refs/heads/master/entach/hackernews_mcp_claude_v1.9.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799873/; classtype:trojan-activity;sid:84662973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muturi-kelvin/free-algorithm-learning/raw/refs/heads/master/archpresbyter/free_algorithm_learning_2.0.zip"; depth:106; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, 
urlhaus.abuse.ch/url/3799869/; classtype:trojan-activity;sid:84662969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muturi-kelvin/free-algorithm-learning/refs/heads/master/archpresbyter/free_algorithm_learning_2.0.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799867/; classtype:trojan-activity;sid:84662967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leozin143/ai-terminal-x/refs/heads/main/img/x-terminal-ai-v2.1.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799868/; classtype:trojan-activity;sid:84662968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lennor-tan/openrouter-free-model/refs/heads/main/messages/free_openrouter_model_1.3.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799863/; classtype:trojan-activity;sid:84662963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/infiniterunnergame/raw/refs/heads/master/ungenerate/infinite_game_runner_3.4.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 
2026_03_19; reference:url, urlhaus.abuse.ch/url/3799860/; classtype:trojan-activity;sid:84662960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/pong/raw/refs/heads/master/pong_game/software-v2.0.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799857/; classtype:trojan-activity;sid:84662957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/homework/raw/refs/heads/master/heteroeciousness/software-1.8.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799858/; classtype:trojan-activity;sid:84662958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/les-moders/refs/heads/main/les-modern/les_moders_v2.2.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799851/; classtype:trojan-activity;sid:84662951; rev:1;)
# NOTE(review): the next two rules (sid 84662952 and 84662954) carry the escape
# %20 inside an http.uri content, and their depth values count it as three bytes.
# Suricata documents http.uri as the normalized URI, in which %20 is converted
# to a space, with http.uri.raw holding the request as sent. If that applies on
# this sensor, these two rules cannot match as written. Confirm against a test
# capture; candidate fixes are to match on http.uri.raw, or to keep http.uri
# with a literal space (|20|) and a depth reduced by 4.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/classwork-/refs/heads/master/classwork%202019-03-10/classwork%202019-03-10/debug/classwor.929ce1fa.tlog/classwork_v1.4-alpha.5.zip"; depth:143; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799852/; classtype:trojan-activity;sid:84662952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jarrenstyle/classwork-/raw/refs/heads/master/classwork%202019-03-10/classwork%202019-03-10/debug/classwor.929ce1fa.tlog/classwork_v1.4-alpha.5.zip"; depth:147; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_19; reference:url, urlhaus.abuse.ch/url/3799854/; classtype:trojan-activity;sid:84662954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/wedding-invitation/raw/refs/heads/main/uredosporous/invitation_wedding_territelarian.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799339/; classtype:trojan-activity;sid:84662439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/tech-educa/raw/refs/heads/main/annoyment/tech-educa-wried.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799330/; classtype:trojan-activity;sid:84662430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/sistem-cis/raw/refs/heads/main/assets/js/core/cis_siste_v1.4.zip"; depth:80; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799332/; classtype:trojan-activity;sid:84662432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/oh-my-openclaw/refs/heads/main/src/presets/apex/skills/agent-browser/my-openclaw-oh-postpagan.zip"; depth:113; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799333/; classtype:trojan-activity;sid:84662433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/wordpress/refs/heads/main/standard/software_v1.4.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799336/; classtype:trojan-activity;sid:84662436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/test-pull/refs/heads/main/volucrine/test-pull-v2.3.zip"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799337/; classtype:trojan-activity;sid:84662437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/test-pull/raw/refs/heads/main/volucrine/test-pull-v2.3.zip"; depth:74; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799338/; classtype:trojan-activity;sid:84662438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/supervpn-premium-unlocked-edition/raw/refs/heads/branch/sarcophagize/supervpn-premium-edition-unlocked-v1.4.zip"; depth:127; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799323/; classtype:trojan-activity;sid:84662423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/php/raw/refs/heads/main/kerbstone/software_v1.4.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799324/; classtype:trojan-activity;sid:84662424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/php/refs/heads/main/kerbstone/software_v1.4.zip"; depth:63; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799325/; classtype:trojan-activity;sid:84662425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/tech-educa/refs/heads/main/annoyment/tech-educa-wried.zip"; depth:73; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799326/; classtype:trojan-activity;sid:84662426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/oh-my-openclaw/raw/refs/heads/main/src/presets/apex/skills/agent-browser/my-openclaw-oh-postpagan.zip"; depth:117; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799327/; classtype:trojan-activity;sid:84662427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/supervpn-premium-unlocked-edition/refs/heads/branch/sarcophagize/supervpn-premium-edition-unlocked-v1.4.zip"; depth:123; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799328/; classtype:trojan-activity;sid:84662428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fathanghani864/wordpress/raw/refs/heads/main/standard/software_v1.4.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799329/; classtype:trojan-activity;sid:84662429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799320)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fathanghani864/wedding-invitation/refs/heads/main/uredosporous/invitation_wedding_territelarian.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799320/; classtype:trojan-activity;sid:84662420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milescarson/milescarson.github.io/refs/heads/main/acarophobia/github-io-milescarson-v3.6-alpha.2.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799224/; classtype:trojan-activity;sid:84662324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/1-20-assignment/raw/refs/heads/master/isandrous/assignment_1.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799218/; classtype:trojan-activity;sid:84662318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/testing1/raw/refs/heads/master/mullidae/testing-romanesque.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799219/; classtype:trojan-activity;sid:84662319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799208)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/darkkshah/universalvideotranscriber/raw/refs/heads/main/universalvideotranscriber/assets.xcassets/appicon.appiconset/video-universal-transcriber-antisoporific.zip"; depth:163; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799208/; classtype:trojan-activity;sid:84662308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/1-20-assignment/refs/heads/master/isandrous/assignment_1.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799210/; classtype:trojan-activity;sid:84662310; rev:1;)
# NOTE(review): the http.uri content in the next rule (sid 84662313) carries a literal
# "%20". http.uri is Suricata's normalized URI buffer, in which percent-encoding is
# decoded, so a request for this path would presumably present a space there and the
# 95-byte content would not match: a likely detection gap. Verify with a replayed
# request. The usual options are matching the space as |20| on http.uri with depth
# lowered to the decoded length (93), or matching the encoded form on http.uri.raw.
# The same applies to sid 84662315 (depth:91, decoded length 89). Report upstream or
# carry the fix in a local rule with its own sid rather than editing this feed file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/21-40-assignment/raw/refs/heads/main/21-40%20assignment/assignment-sphagnologist.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799213/; classtype:trojan-activity;sid:84662313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milescarson/milescarson.github.io/raw/refs/heads/main/acarophobia/github-io-milescarson-v3.6-alpha.2.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799214/; classtype:trojan-activity;sid:84662314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3799215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/21-40-assignment/refs/heads/main/21-40%20assignment/assignment-sphagnologist.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799215/; classtype:trojan-activity;sid:84662315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/universalvideotranscriber/refs/heads/main/universalvideotranscriber/assets.xcassets/appicon.appiconset/video-universal-transcriber-antisoporific.zip"; depth:159; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799216/; classtype:trojan-activity;sid:84662316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkkshah/testing1/refs/heads/master/mullidae/testing-romanesque.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799217/; classtype:trojan-activity;sid:84662317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/rmisimplebanksystem/raw/refs/heads/master/src/bank-system-rmi-simple-2.8.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799207/; 
classtype:trojan-activity;sid:84662307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nassimos19/skill-bridge/refs/heads/main/server/bootstrap/bridge-skill-2.3-beta.5.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799202/; classtype:trojan-activity;sid:84662302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/warrior/raw/refs/heads/main/teapotful/software_2.2.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799182/; classtype:trojan-activity;sid:84662282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/xsinopx.github.io/raw/refs/heads/main/tenemental/github_io_xsinopx_v1.2.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799183/; classtype:trojan-activity;sid:84662283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/not-anybody-ever/tower-vib/raw/refs/heads/main/results/vib-tower-3.9.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799184/; classtype:trojan-activity;sid:84662284; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/go2rtc/raw/refs/heads/master/internal/gopro/rtc-go-depraver.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799185/; classtype:trojan-activity;sid:84662285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adammtn/wincam-no-trial/raw/refs/heads/main/bandrol/trial-win-no-cam-2.1.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799186/; classtype:trojan-activity;sid:84662286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/txt-to-video-leech-uploader/raw/refs/heads/main/dodecahydrated/t_tx_vide_leec_uploader_3.7.zip"; depth:107; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799187/; classtype:trojan-activity;sid:84662287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nassimos19/skill-bridge/raw/refs/heads/main/server/bootstrap/bridge-skill-2.3-beta.5.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799188/; classtype:trojan-activity;sid:84662288; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsnicuur/youtube-work-/raw/refs/heads/main/consulage/youtube-work-pensively.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799189/; classtype:trojan-activity;sid:84662289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unresponsive-in384/temporal_reasoning_vision_system/raw/refs/heads/main/utils/reasoning-vision-system-temporal-inauration.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799190/; classtype:trojan-activity;sid:84662290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/aifeedtracker/raw/refs/heads/main/docs/ai_feed_tracker_2.6.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799191/; classtype:trojan-activity;sid:84662291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/go2rtc/refs/heads/master/internal/gopro/rtc-go-depraver.zip"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799192/; classtype:trojan-activity;sid:84662292; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/not-anybody-ever/tower-vib/refs/heads/main/results/vib-tower-3.9.zip"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799193/; classtype:trojan-activity;sid:84662293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wsnicuur/youtube-work-/refs/heads/main/consulage/youtube-work-pensively.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799194/; classtype:trojan-activity;sid:84662294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/warrior/refs/heads/main/teapotful/software_2.2.zip"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799195/; classtype:trojan-activity;sid:84662295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsinopx/xsinopx.github.io/refs/heads/main/tenemental/github_io_xsinopx_v1.2.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799196/; classtype:trojan-activity;sid:84662296; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suyogwariror/aifeedtracker/refs/heads/main/docs/ai_feed_tracker_2.6.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799197/; classtype:trojan-activity;sid:84662297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adammtn/wincam-no-trial/refs/heads/main/bandrol/trial-win-no-cam-2.1.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799198/; classtype:trojan-activity;sid:84662298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/rmisimplebanksystem/refs/heads/master/src/bank-system-rmi-simple-2.8.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799199/; classtype:trojan-activity;sid:84662299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unresponsive-in384/temporal_reasoning_vision_system/refs/heads/main/utils/reasoning-vision-system-temporal-inauration.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799200/; 
classtype:trojan-activity;sid:84662300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chester1900/txt-to-video-leech-uploader/refs/heads/main/dodecahydrated/t_tx_vide_leec_uploader_3.7.zip"; depth:103; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799201/; classtype:trojan-activity;sid:84662301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameer2135/offcam/refs/heads/main/opinable/cam_off_v2.2.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799177/; classtype:trojan-activity;sid:84662277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameer2135/offcam/raw/refs/heads/main/opinable/cam_off_v2.2.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799178/; classtype:trojan-activity;sid:84662278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shivansh-aiml/vuejs-cicd-deploy-on-github-pages/refs/heads/main/src/github_on_cicd_deploy_vuejs_pages_3.6-beta.2.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, 
urlhaus.abuse.ch/url/3799155/; classtype:trojan-activity;sid:84662255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shivansh-aiml/vuejs-cicd-deploy-on-github-pages/raw/refs/heads/main/src/github_on_cicd_deploy_vuejs_pages_3.6-beta.2.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799156/; classtype:trojan-activity;sid:84662256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roop81/interlink-multi-bot/raw/refs/heads/main/chiwere/interlink_bot_multi_2.7.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799152/; classtype:trojan-activity;sid:84662252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/philiplaurence123/brilliant-crypto-bot-crypto-game-auto-farm-clicker-cheat-token-hack-api/raw/refs/heads/main/brilliantcrypto-bot/minigames/cheat-clicker-crypto-game-api-hack-farm-auto-bot-brilliant-token-3.3-alpha.3.zip"; depth:221; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799139/; classtype:trojan-activity;sid:84662239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799138)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/philiplaurence123/brilliant-crypto-bot-crypto-game-auto-farm-clicker-cheat-token-hack-api/refs/heads/main/brilliantcrypto-bot/minigames/cheat-clicker-crypto-game-api-hack-farm-auto-bot-brilliant-token-3.3-alpha.3.zip"; depth:217; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799138/; classtype:trojan-activity;sid:84662238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lop435/gata-auto-farmer/raw/refs/heads/main/schemy/gata-farmer-auto-photoconductivity.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799134/; classtype:trojan-activity;sid:84662234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiliams11h/forgotten-runiverse-crypto-bot-crypto-game-auto-farm-clicker-cheat-api-1v/refs/heads/main/glycolylurea/farm_cheat_crypto_clicker_bot_api_auto_forgotten_v_runiverse_game_2.3.zip"; depth:188; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799130/; classtype:trojan-activity;sid:84662230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiliams11h/forgotten-runiverse-crypto-bot-crypto-game-auto-farm-clicker-cheat-api-1v/raw/refs/heads/main/glycolylurea/farm_cheat_crypto_clicker_bot_api_auto_forgotten_v_runiverse_game_2.3.zip"; depth:192; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799131/; classtype:trojan-activity;sid:84662231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/izeredon/pixels-bot-autofarm/refs/heads/main/sample/pixels_bot_farm_auto_electioneer.zip"; depth:89; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799129/; classtype:trojan-activity;sid:84662229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/izeredon/pixels-bot-autofarm/raw/refs/heads/main/sample/pixels_bot_farm_auto_electioneer.zip"; depth:93; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799128/; classtype:trojan-activity;sid:84662228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atabey9860/axie-infinity-bot-crypto-cheat-auto-farm-clicker-game-api-hack/refs/heads/main/axie-infinity-exp/axieenergycounter/properties/auto_hack_cheat_infinity_bot_api_axie_clicker_farm_game_crypto_3.3.zip"; depth:208; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799120/; classtype:trojan-activity;sid:84662220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799114)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/roter515stuhl/aavegotchi-cheat-crypto-bot-auto-farm-clicker-game-api-hack/raw/refs/heads/main/aavegotchi-autoplay/aavegotchi-app/properties/cheat_game_auto_bot_hack_aavegotchi_crypto_api_clicker_farm_2.4.zip"; depth:208; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799114/; classtype:trojan-activity;sid:84662214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roter515stuhl/aavegotchi-cheat-crypto-bot-auto-farm-clicker-game-api-hack/refs/heads/main/aavegotchi-autoplay/aavegotchi-app/properties/cheat_game_auto_bot_hack_aavegotchi_crypto_api_clicker_farm_2.4.zip"; depth:204; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799113/; classtype:trojan-activity;sid:84662213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aeptr67/gashero-finance-game-bot-auto-farm-clicker-crypto-blockchain-hack-cheat/raw/refs/heads/main/.vs/farm_hack_crypto_hero_cheat_auto_finance_gas_game_blockchain_clicker_bot_1.1.zip"; depth:185; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799111/; classtype:trojan-activity;sid:84662211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799108)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/i-muhammadahmad/best-blox-fruits-auto-farming-2025/raw/refs/heads/master/src/views/activitymanagement/reports/mylogsummaryreport/list/components/columns/farming-blox-auto-fruits-best-v3.0.zip"; depth:192; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799108/; classtype:trojan-activity;sid:84662208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i-muhammadahmad/best-blox-fruits-auto-farming-2025/refs/heads/master/src/views/activitymanagement/reports/mylogsummaryreport/list/components/columns/farming-blox-auto-fruits-best-v3.0.zip"; depth:188; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799109/; classtype:trojan-activity;sid:84662209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/kelasdeb.github.io/refs/heads/main/whun/kelasdeb-github-io-2.8.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799099/; classtype:trojan-activity;sid:84662199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/kelasdeb.github.io/raw/refs/heads/main/whun/kelasdeb-github-io-2.8.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799098/; 
classtype:trojan-activity;sid:84662198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/customnamesforgeysermc/refs/heads/main/verby/for-geyser-custom-names-mc-v3.5.zip"; depth:90; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799096/; classtype:trojan-activity;sid:84662196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelasdeb/customnamesforgeysermc/raw/refs/heads/main/verby/for-geyser-custom-names-mc-v3.5.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799097/; classtype:trojan-activity;sid:84662197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/fitworrior/refs/heads/main/css/software-v1.0.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799095/; classtype:trojan-activity;sid:84662195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/rl-name-changer/raw/refs/heads/main/src/name-r-changer-v2.3.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799092/; 
classtype:trojan-activity;sid:84662192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/rl-name-changer/refs/heads/main/src/name-r-changer-v2.3.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799093/; classtype:trojan-activity;sid:84662193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brahimelgarouaoui/fitworrior/raw/refs/heads/main/css/software-v1.0.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799094/; classtype:trojan-activity;sid:84662194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josemaq/5536/raw/refs/heads/main/26/85.txt"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799090/; classtype:trojan-activity;sid:84662190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3799089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/josemaq/5536/refs/heads/main/26/85.txt"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3799089/; classtype:trojan-activity;sid:84662189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3798895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lolo10201/trial-project/refs/heads/main/login_page.txt"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798895/; classtype:trojan-activity;sid:84661995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lolo10201/trial-project/raw/refs/heads/main/login_page.txt"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798896/; classtype:trojan-activity;sid:84661996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/159zhx/pet-simulator-99/refs/heads/main/barbasco/pet_simulator_v2.5.zip"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798873/; classtype:trojan-activity;sid:84661973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skata123a/roblox-fisch-script/raw/refs/heads/main/overchief/script_fisch_roblox_v3.3.zip"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798870/; classtype:trojan-activity;sid:84661970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798868)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paul111-beep/roblox-murder-mystery/raw/refs/heads/main/sanballat/mystery_roblox_murder_v2.2-alpha.5.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798868/; classtype:trojan-activity;sid:84661968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paul111-beep/roblox-murder-mystery/refs/heads/main/sanballat/mystery_roblox_murder_v2.2-alpha.5.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798867/; classtype:trojan-activity;sid:84661967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artistic-minds9/roblox-death-ball-script/raw/refs/heads/main/vesiculose/ball-roblox-script-death-2.2.zip"; depth:105; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798850/; classtype:trojan-activity;sid:84661950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artistic-minds9/roblox-death-ball-script/refs/heads/main/vesiculose/ball-roblox-script-death-2.2.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798849/; classtype:trojan-activity;sid:84661949; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marik201517/roblox-death-ball-script/refs/heads/main/perpera/ball_roblox_script_death_v3.4.zip"; depth:95; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798847/; classtype:trojan-activity;sid:84661947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marik201517/roblox-death-ball-script/raw/refs/heads/main/perpera/ball_roblox_script_death_v3.4.zip"; depth:99; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798848/; classtype:trojan-activity;sid:84661948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/igmp24184/roblox-macro-v3.0.0/raw/refs/heads/main/language/roblo-macr-v2.1.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798845/; classtype:trojan-activity;sid:84661945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/igmp24184/roblox-macro-v3.0.0/refs/heads/main/language/roblo-macr-v2.1.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798844/; classtype:trojan-activity;sid:84661944; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/gsc-project/raw/refs/heads/backend/packages/portable.bouncycastle.1.9.0/project-gs-v1.3.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798840/; classtype:trojan-activity;sid:84661940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/studentchecklist/raw/refs/heads/api/fileschecklist/bin/debug/net8.0/zh-hant/check-student-list-v3.3.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798841/; classtype:trojan-activity;sid:84661941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/version8project/refs/heads/main/gsc-inventoryproject/obj/release/project-version-v3.1.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798837/; classtype:trojan-activity;sid:84661937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/example/refs/heads/main/fileschecklist/bin/debug/net8.0/software_2.5.zip"; depth:85; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798839/; 
classtype:trojan-activity;sid:84661939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/roblox-executor/refs/heads/master/inventorybackend/packages/k4os.hash.xxhash.1.0.6/roblox-executor-kayles.zip"; depth:122; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798833/; classtype:trojan-activity;sid:84661933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknown4522/roblox-executor/raw/refs/heads/master/inventorybackend/packages/k4os.hash.xxhash.1.0.6/roblox-executor-kayles.zip"; depth:126; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798834/; classtype:trojan-activity;sid:84661934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edwinango/synchronizer/raw/refs/heads/main/docs-site/software_2.7-beta.1.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798830/; classtype:trojan-activity;sid:84661930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edwinango/synchronizer/refs/heads/main/docs-site/software_2.7-beta.1.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 
2026_03_18; reference:url, urlhaus.abuse.ch/url/3798831/; classtype:trojan-activity;sid:84661931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/damartr23/fischroblox/raw/refs/heads/main/assure/fisch-roblox-3.4-alpha.3.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798829/; classtype:trojan-activity;sid:84661929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naruto1233958/roblox-fisch-script/refs/heads/main/mull/script-roblox-fisch-v1.0-beta.5.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798823/; classtype:trojan-activity;sid:84661923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naruto1233958/roblox-fisch-script/raw/refs/heads/main/mull/script-roblox-fisch-v1.0-beta.5.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798824/; classtype:trojan-activity;sid:84661924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localdumbass2112/adoptmescript/raw/refs/heads/main/marshalman/software-v3.9.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; 
reference:url, urlhaus.abuse.ch/url/3798825/; classtype:trojan-activity;sid:84661925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvcj503/permission_studio/refs/heads/main/permission_studio/config/studio-permission-2.9.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798826/; classtype:trojan-activity;sid:84661926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvcj503/permission_studio/raw/refs/heads/main/permission_studio/config/studio-permission-2.9.zip"; depth:97; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798827/; classtype:trojan-activity;sid:84661927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localdumbass2112/adoptmescript/refs/heads/main/marshalman/software-v3.9.zip"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798828/; classtype:trojan-activity;sid:84661928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/damartr23/fischroblox/refs/heads/main/assure/fisch-roblox-3.4-alpha.3.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798822/; classtype:trojan-activity;sid:84661922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jazzman08/adopt-me-script/refs/heads/main/cornification/me_adopt_script_2.0.zip"; depth:80; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798819/; classtype:trojan-activity;sid:84661919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jazzman08/adopt-me-script/raw/refs/heads/main/cornification/me_adopt_script_2.0.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798820/; classtype:trojan-activity;sid:84661920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/cv/raw/refs/heads/main/relayman/software-v3.3.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798813/; classtype:trojan-activity;sid:84661913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/cv/refs/heads/main/relayman/software-v3.3.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, 
urlhaus.abuse.ch/url/3798812/; classtype:trojan-activity;sid:84661912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/drumkit/refs/heads/main/images/kit_drum_v2.7.zip"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798810/; classtype:trojan-activity;sid:84661910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/drumkit/raw/refs/heads/main/images/kit_drum_v2.7.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798811/; classtype:trojan-activity;sid:84661911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/rbxfpsunlocker/refs/heads/main/sheepwalker/software_v2.5.zip"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798808/; classtype:trojan-activity;sid:84661908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linapatel518/rbxfpsunlocker/raw/refs/heads/main/sheepwalker/software_v2.5.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798809/; 
classtype:trojan-activity;sid:84661909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fraze76/open-aimbot/refs/heads/main/tremulant/open-aimbot-1.7.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798803/; classtype:trojan-activity;sid:84661903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qouzk/now.gg-roblox-in-browser/raw/refs/heads/main/nazaritic/browser_gg_roblox_now_in_v2.4.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798802/; classtype:trojan-activity;sid:84661902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ishu-276/adoptmescript/refs/heads/main/archduchy/software_v3.0.zip"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798799/; classtype:trojan-activity;sid:84661899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oceanremodeling/fischroblox/refs/heads/main/trichroic/fisch-roblox-3.5.zip"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798797/; 
classtype:trojan-activity;sid:84661897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayuxxxxx/build-a-truck-roblox-toolkit/refs/heads/branch/icelandic/a_truck_toolkit_build_roblox_v2.4.zip"; depth:104; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798794/; classtype:trojan-activity;sid:84661894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ibrahim832023/adoptme-script-download/raw/refs/heads/main/palingenesy/script_m_adopt_download_v1.6.zip"; depth:103; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798795/; classtype:trojan-activity;sid:84661895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayuxxxxx/build-a-truck-roblox-toolkit/raw/refs/heads/branch/icelandic/a_truck_toolkit_build_roblox_v2.4.zip"; depth:108; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798793/; classtype:trojan-activity;sid:84661893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ibrahim832023/adoptme-script-download/refs/heads/main/palingenesy/script_m_adopt_download_v1.6.zip"; depth:99; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798792/; classtype:trojan-activity;sid:84661892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/expect8iondev/towersim-hardcore-evolution/raw/refs/heads/branch/capitolium/hardcore_towersim_evolution_2.1.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798789/; classtype:trojan-activity;sid:84661889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/expect8iondev/towersim-hardcore-evolution/refs/heads/branch/capitolium/hardcore_towersim_evolution_2.1.zip"; depth:107; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798790/; classtype:trojan-activity;sid:84661890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mahmoudwagih1/ant-man-simulator-toolkit/refs/heads/branch/barrabkie/toolkit_simulator_ant_man_pursily.zip"; depth:106; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798787/; classtype:trojan-activity;sid:84661887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798788)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mahmoudwagih1/ant-man-simulator-toolkit/raw/refs/heads/branch/barrabkie/toolkit_simulator_ant_man_pursily.zip"; depth:110; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798788/; classtype:trojan-activity;sid:84661888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"174.105.154.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798745/; classtype:trojan-activity;sid:84661845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_140830.png"; depth:15; endswith; nocase; http.host; content:"controliumbt.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798726/; classtype:trojan-activity;sid:84661826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_182028.png"; depth:15; endswith; nocase; http.host; content:"controliumbt.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798727/; classtype:trojan-activity;sid:84661827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3798630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amuthan1808/valorant-efi-drivver-cheat-hack/refs/heads/main/hyprism/valoran_drivve_hack_cheat_ef_nephrosclerosis.zip"; depth:117; endswith; nocase; http.host; content:"raw.githubusercontent.com"; 
depth:25; isdataat:!1,relative; metadata:created_at 2026_03_18; reference:url, urlhaus.abuse.ch/url/3798630/; classtype:trojan-activity;sid:84661730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"174.105.154.212"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_15; reference:url, urlhaus.abuse.ch/url/3796886/; classtype:trojan-activity;sid:84659986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul123gautam/my-website/refs/heads/main/src/website_my_v1.2.zip"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796292/; classtype:trojan-activity;sid:84659392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul123gautam/my-website/raw/refs/heads/main/src/website_my_v1.2.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796291/; classtype:trojan-activity;sid:84659391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/gabssama12.github.io/refs/heads/main/paganishly/github-gabssama-io-3.7-beta.1.zip"; depth:93; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, 
urlhaus.abuse.ch/url/3796278/; classtype:trojan-activity;sid:84659378; rev:1;)
# --- Files served from GitHub (github.com / raw.githubusercontent.com), plus two mobshah.com images ---
# Shape shared by every rule below: outbound request ($HOME_NET -> $EXTERNAL_NET), established
# flow, client side, method GET. On http.uri, depth equal to the content length together with
# endswith makes the comparison a whole-buffer match (nocase ignores letter case). On http.host,
# depth equal to the content length together with isdataat:!1,relative does the same for the host.
# sid is the URLhaus entry id shown in msg/reference plus 80863100, so an alert's sid maps
# straight back to its urlhaus.abuse.ch/url/<id>/ page.
# Most entries come in pairs: the github.com ".../raw/refs/heads/..." path and the
# raw.githubusercontent.com ".../refs/heads/..." path of the same file.
# NOTE(review): github.com and raw.githubusercontent.com are normally reached over HTTPS. An
# "alert http" rule needs the request in clear text, so on a sensor without TLS decryption these
# signatures presumably never fire. Confirm coverage and back them with proxy, DNS or TLS-SNI
# telemetry for the same repositories.
# NOTE(review): because the URI must match as a whole, the same file requested with an appended
# query string or through another ref/branch path would not alert. Verify against the sensor's
# URI normalization.
# The rules match the client request only: an alert shows the request was sent, not that the
# file was delivered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/plugin.video.netflix/refs/heads/master/docs/netflix-video-plugin-3.0-beta.1.zip"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796279/; classtype:trojan-activity;sid:84659379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/plugin.video.netflix/raw/refs/heads/master/docs/netflix-video-plugin-3.0-beta.1.zip"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796280/; classtype:trojan-activity;sid:84659380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gabssama12/spoon-awesome-skill/refs/heads/master/spoonos-skills/platform-integration/scripts/spoon_awesome_skill_1.0.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796276/; classtype:trojan-activity;sid:84659376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nirmallimbachiya/ignite/raw/refs/heads/main/js/software-2.5.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796273/; classtype:trojan-activity;sid:84659373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nirmallimbachiya/ignite/refs/heads/main/js/software-2.5.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796274/; classtype:trojan-activity;sid:84659374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/capitaltaser/qwen3-tts-dubflow/refs/heads/main/dramaturge/dub-qwen-flow-tt-v1.1.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796272/; classtype:trojan-activity;sid:84659372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tianlanyb/gemini-in-chrome/raw/refs/heads/master/eighteen/in_gemini_chrome_preadherent.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796266/; classtype:trojan-activity;sid:84659366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tianlanyb/gemini-in-chrome/refs/heads/master/eighteen/in_gemini_chrome_preadherent.zip"; depth:87; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796267/; classtype:trojan-activity;sid:84659367; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhonatanait14/dictate.sh/refs/heads/main/docs/sh-dictate-2.9-alpha.5.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796264/; classtype:trojan-activity;sid:84659364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jhonatanait14/dictate.sh/raw/refs/heads/main/docs/sh-dictate-2.9-alpha.5.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796265/; classtype:trojan-activity;sid:84659365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hggodhand33/skills/refs/heads/main/skills/.curated/doc/scripts/software_v3.3.zip"; depth:81; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796261/; classtype:trojan-activity;sid:84659361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hggodhand33/skills/raw/refs/heads/main/skills/.curated/doc/scripts/software_v3.3.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796262/; classtype:trojan-activity;sid:84659362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theking1212wr/db_tools/refs/heads/main/opencode/skills/db_tools_v2.2.zip"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796260/; classtype:trojan-activity;sid:84659360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theking1212wr/db_tools/raw/refs/heads/main/opencode/skills/db_tools_v2.2.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796259/; classtype:trojan-activity;sid:84659359; rev:1;)
# mobshah.com: two files with a .png name. The extension in the URI says nothing about the
# content actually returned, so these should not be exempted by file type.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi_163251.png"; depth:15; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796221/; classtype:trojan-activity;sid:84659321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img_173622.png"; depth:15; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796222/; classtype:trojan-activity;sid:84659322; rev:1;)
# Further GitHub-hosted entries; the HTTPS caveat above applies to them as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samuelhaxk/41369/refs/heads/main/256/233.txt"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796092/; classtype:trojan-activity;sid:84659192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samuelhaxk/41369/raw/refs/heads/main/256/233.txt"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796087/; classtype:trojan-activity;sid:84659187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul123gautam/my-crazy-skills/raw/refs/heads/main/skills/workflows/skills_crazy_my_1.7.zip"; depth:92; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796080/; classtype:trojan-activity;sid:84659180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3796058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul123gautam/my-crazy-skills/refs/heads/main/skills/workflows/skills_crazy_my_1.7.zip"; depth:88; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3796058/; classtype:trojan-activity;sid:84659158; rev:1;)
# Start of the next rule; the listing continues it on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795847)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pm68k"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795847/; classtype:trojan-activity;sid:84658947; rev:1;)
# --- 94.156.152.238: /bins/p<suffix> downloads ---
# Each rule pins one exact URI (depth equal to the content length, plus endswith) and the exact
# host (depth:14 plus isdataat:!1,relative), for an outbound GET on an established flow.
# The suffixes (m68k, mpsl, ppc, arm5, arm) look like CPU architecture tags, which would fit one
# payload built for several targets. This is inferred from the names only.
# The match is on the client request, so an alert shows the request was sent, not that the file
# was delivered. Check the HTTP response or flow record before scoping the host as infected.
# NOTE(review): a bare-IP indicator can go stale or be re-assigned; created_at here is 2026_03_14.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pmpsl"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795848/; classtype:trojan-activity;sid:84658948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pppc"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795843/; classtype:trojan-activity;sid:84658943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm5"; depth:11; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795837/; classtype:trojan-activity;sid:84658937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/parm"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795833/; classtype:trojan-activity;sid:84658933; rev:1;)
# --- Mixed entries, created_at 2026_03_07 .. 2026_03_14 ---
# Shape shared by every rule below: outbound GET on an established flow, matched on the client
# request. On http.uri, depth equal to the content length together with endswith makes the
# comparison a whole-buffer match (nocase ignores letter case). On http.host, depth equal to the
# content length together with isdataat:!1,relative does the same for the host.
# sid is the URLhaus entry id shown in msg/reference plus 80863100.
# An alert shows the request was sent, not that the file was delivered.
#
# 94.156.152.238: /bins/p<suffix> files (spc, sh4). The suffixes look like architecture tags;
# this is inferred from the names only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/pspc"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795826/; classtype:trojan-activity;sid:84658926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/psh4"; depth:10; endswith; nocase; http.host; content:"94.156.152.238"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_14; reference:url, urlhaus.abuse.ch/url/3795823/; classtype:trojan-activity;sid:84658923; rev:1;)
# Shared hosting, paste and code-hosting platforms (pages.dev, pastebin.com,
# raw.githubusercontent.com).
# NOTE(review): these services are normally reached over HTTPS, and an "alert http" rule needs
# the request in clear text. Without TLS decryption in front of the sensor these presumably
# stay silent. Confirm coverage and pair with proxy, DNS or TLS-SNI telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pardufrigi_installer_1.0.p1.exe"; depth:32; endswith; nocase; http.host; content:"pardu.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795199/; classtype:trojan-activity;sid:84658299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/1yan6rsv"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795193/; classtype:trojan-activity;sid:84658293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m1-nc/roukii/main/up.png"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795149/; classtype:trojan-activity;sid:84658249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3795145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m1-nc/roukii/main/ud.txt"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_13; reference:url, urlhaus.abuse.ch/url/3795145/; classtype:trojan-activity;sid:84658245; rev:1;)
# Script and installer downloads pinned to a single hostname each.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1827897262/mh/inject3.ps1"; depth:26; endswith; nocase; http.host; content:"1827897262.v.123pan.cn"; depth:22; isdataat:!1,relative; metadata:created_at 2026_03_12; reference:url, urlhaus.abuse.ch/url/3794604/; classtype:trojan-activity;sid:84657704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3794079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/setup/autocad_v1.4.exe"; depth:30; endswith; nocase; http.host; content:"cad.659t.cn"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_11; reference:url, urlhaus.abuse.ch/url/3794079/; classtype:trojan-activity;sid:84657179; rev:1;)
# 96.66.24.241: "/i" here and "/bin.sh" two rules further down. A URI this short is only
# meaningful together with the host match; the URI pattern should not be reused on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"96.66.24.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_10; reference:url, urlhaus.abuse.ch/url/3793666/; classtype:trojan-activity;sid:84656766; rev:1;)
# The file name resembles a remote-access client installer (inferred from the name). Only this
# host and path are flagged, so the same installer name fetched from another host does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdf/pdf/screenconnect.clientsetup.msi"; depth:38; endswith; nocase; http.host; content:"preciosasjoyitas.com.mx"; depth:23; isdataat:!1,relative; metadata:created_at 2026_03_10; reference:url, urlhaus.abuse.ch/url/3793659/; classtype:trojan-activity;sid:84656759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3793628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"96.66.24.241"; depth:12; isdataat:!1,relative; metadata:created_at 2026_03_10; reference:url, urlhaus.abuse.ch/url/3793628/; classtype:trojan-activity;sid:84656728; rev:1;)
# 78.153.140.16: "/p", "/busybox", "/for" here, and "/kinsing", "/kinsing_aarch64" further down.
# Several different sids against this one destination from a single client are better triaged
# together, by source and destination, than as separate alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p"; depth:2; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792979/; classtype:trojan-activity;sid:84656079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/busybox"; depth:8; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792980/; classtype:trojan-activity;sid:84656080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/for"; depth:4; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792977/; classtype:trojan-activity;sid:84656077; rev:1;)
# GitHub pair (github.com ".../raw/refs/heads/..." and raw.githubusercontent.com
# ".../refs/heads/..." for the same file); the HTTPS caveat above applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/republicofbotv109/llm-engineering-cheatsheet/raw/refs/heads/main/byreman/llm_engineering_cheatsheet_v3.4.zip"; depth:109; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792798/; classtype:trojan-activity;sid:84655898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/republicofbotv109/llm-engineering-cheatsheet/refs/heads/main/byreman/llm_engineering_cheatsheet_v3.4.zip"; depth:105; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_09; reference:url, urlhaus.abuse.ch/url/3792799/; classtype:trojan-activity;sid:84655899; rev:1;)
# NOTE(review): the "kinsing" file names suggest a known malware family, but only the names say
# so here. Confirm via the URLhaus reference before labelling an incident.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kinsing"; depth:8; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3792566/; classtype:trojan-activity;sid:84655666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kinsing_aarch64"; depth:16; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3792567/; classtype:trojan-activity;sid:84655667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3792474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrget.exe"; depth:11; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3792474/; classtype:trojan-activity;sid:84655574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/umari4u2get-cmd/encoder/refs/heads/main/include/encoder1.txt"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_03_08; reference:url, urlhaus.abuse.ch/url/3791877/; classtype:trojan-activity;sid:84654977; rev:1;)
# Generic-looking file names ("/fish.txt", a jQuery-style .js name): the exact host match is
# what separates these from benign requests for similarly named files elsewhere.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fish.txt"; depth:9; endswith; nocase; http.host; content:"fertas.com.tr"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791595/; classtype:trojan-activity;sid:84654695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3791280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery.min-4.0.2.js"; depth:20; endswith; nocase; http.host; content:"union.macoms.la"; depth:15; isdataat:!1,relative; metadata:created_at 2026_03_07; reference:url, urlhaus.abuse.ch/url/3791280/; classtype:trojan-activity;sid:84654380; rev:1;)
# Start of the next rule; the listing continues it on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.m68k"; depth:19; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; 
metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790904/; classtype:trojan-activity;sid:84654004; rev:1;)
# --- 142.248.80.139: /huhu/jawirbot.<suffix> and /huhu/debug/debug.<suffix> ---
# One rule per file, all created_at 2026_03_06 and all pinned to the same host. Each is an
# outbound GET on an established flow with the URI matched as a whole buffer (depth equal to
# the content length, plus endswith, nocase) and the host matched exactly (depth:14 plus
# isdataat:!1,relative).
# The suffixes (for example arm7, mips, sh4, x86_64) look like CPU architecture tags, which
# would fit one payload built for many targets. This is inferred from the names only.
# sid is the URLhaus entry id shown in msg/reference plus 80863100.
# Triage: the match is on the client request, so an alert shows the request was sent, not that
# the file was delivered. Several of these sids from one client are better handled as a single
# event keyed on source and destination than as separate alerts.
# NOTE(review): a bare-IP indicator can go stale or be re-assigned; check the URLhaus reference
# for current status before blocking on it long-term.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.arm7"; depth:22; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790903/; classtype:trojan-activity;sid:84654003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.x86_64"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790890/; classtype:trojan-activity;sid:84653990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.x86_32"; depth:24; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790891/; classtype:trojan-activity;sid:84653991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.sh4"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790892/; classtype:trojan-activity;sid:84653992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.arc"; depth:18; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790893/; classtype:trojan-activity;sid:84653993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.spc"; depth:18; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790894/; classtype:trojan-activity;sid:84653994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.arm7"; depth:19; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790895/; classtype:trojan-activity;sid:84653995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.ppc440"; depth:24; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790896/; classtype:trojan-activity;sid:84653996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.sh4"; depth:18; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790897/; classtype:trojan-activity;sid:84653997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.arc"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790898/; classtype:trojan-activity;sid:84653998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.spc"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790899/; classtype:trojan-activity;sid:84653999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.ppc"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790901/; classtype:trojan-activity;sid:84654001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.mips"; depth:22; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790902/; classtype:trojan-activity;sid:84654002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.x86_32"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790873/; classtype:trojan-activity;sid:84653973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.arm6"; depth:19; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790874/; classtype:trojan-activity;sid:84653974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.mipsl"; depth:20; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790875/; classtype:trojan-activity;sid:84653975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.m68k"; depth:22; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790876/; classtype:trojan-activity;sid:84653976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.i486"; depth:22; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790877/; classtype:trojan-activity;sid:84653977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.i686"; depth:22; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790878/; classtype:trojan-activity;sid:84653978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.arm5"; depth:19; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790879/; classtype:trojan-activity;sid:84653979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.mips"; depth:19; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790880/; classtype:trojan-activity;sid:84653980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.mipsl"; depth:23; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790881/; classtype:trojan-activity;sid:84653981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.arm5"; depth:22; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790882/; classtype:trojan-activity;sid:84653982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.ppc440"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790883/; classtype:trojan-activity;sid:84653983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.arm"; depth:21; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790884/; classtype:trojan-activity;sid:84653984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.arm"; depth:18; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790885/; classtype:trojan-activity;sid:84653985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.ppc"; depth:18; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790886/; classtype:trojan-activity;sid:84653986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.i686"; depth:19; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790887/; classtype:trojan-activity;sid:84653987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/jawirbot.i486"; depth:19; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790888/; classtype:trojan-activity;sid:84653988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huhu/debug/debug.x86_64"; depth:24; endswith; nocase; http.host; content:"142.248.80.139"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790889/; classtype:trojan-activity;sid:84653989; rev:1;)
# 107.175.89.136: two files under /nuts/, same rule shape as above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/poop"; depth:10; endswith; nocase; http.host; content:"107.175.89.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790743/; classtype:trojan-activity;sid:84653843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuts/bolts"; depth:11; endswith; nocase; http.host; content:"107.175.89.136"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790733/; classtype:trojan-activity;sid:84653833; rev:1;)
# Start of the next rule; the listing continues it on the following line.
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w1/lib/autoit3.exe"; depth:19; endswith; nocase; http.host; content:"176.190.153.160.host.secureserver.net"; depth:37; isdataat:!1,relative; metadata:created_at 2026_03_06; reference:url, urlhaus.abuse.ch/url/3790490/; classtype:trojan-activity;sid:84653590; rev:1;)
# --- Mixed entries, created_at 2026_03_02 .. 2026_03_06 ---
# Shape shared by every rule below: outbound GET on an established flow, matched on the client
# request. On http.uri, depth equal to the content length together with endswith makes the
# comparison a whole-buffer match (nocase ignores letter case). On http.host, depth equal to the
# content length together with isdataat:!1,relative does the same for the host.
# sid is the URLhaus entry id shown in msg/reference plus 80863100.
# An alert shows the request was sent, not that the file was delivered.
# NOTE(review): because the URI must match as a whole, the same path with an appended query
# string would not alert. Verify against the sensor's URI normalization.
#
# URIs as short as "/3" and "/.i" are only meaningful together with the exact host match; the
# URI pattern should not be reused on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3790120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3"; depth:2; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_05; reference:url, urlhaus.abuse.ch/url/3790120/; classtype:trojan-activity;sid:84653220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/encrypt.ps1"; depth:16; endswith; nocase; http.host; content:"shahamanatme.com"; depth:16; isdataat:!1,relative; metadata:created_at 2026_03_05; reference:url, urlhaus.abuse.ch/url/3789876/; classtype:trojan-activity;sid:84652976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"203.203.81.19"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_05; reference:url, urlhaus.abuse.ch/url/3789780/; classtype:trojan-activity;sid:84652880; rev:1;)
# The host looks like a cloud object-storage bucket name (inferred from the hostname). The match
# is on the full hostname, so other hosts under the same provider domain are not affected.
# NOTE(review): such endpoints are often reached over HTTPS, where an "alert http" rule sees
# nothing without TLS decryption. Confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ti/dajoke2.exe"; depth:15; endswith; nocase; http.host; content:"imagefiles-backup.oss-ap-southeast-7.aliyuncs.com"; depth:49; isdataat:!1,relative; metadata:created_at 2026_03_04; reference:url, urlhaus.abuse.ch/url/3789461/; classtype:trojan-activity;sid:84652561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3789369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kbikdoe.txt"; depth:12; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_03_04; reference:url, urlhaus.abuse.ch/url/3789369/; classtype:trojan-activity;sid:84652469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788407/; classtype:trojan-activity;sid:84651507; rev:1;)
# Two hosts serving a file named optimized_msi.png. The .png extension in the URI says nothing
# about the content actually returned, so these should not be exempted by file type.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/components/com_media/m1vebzk/jt1wulk/wxhmvac/new/optimized_msi.png"; depth:67; endswith; nocase; http.host; content:"chungminhtaichinhsaigon.net"; depth:27; isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788389/; classtype:trojan-activity;sid:84651489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"coralasargetia.ro"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788379/; classtype:trojan-activity;sid:84651479; rev:1;)
# Start of the next rule; the listing continues it on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3788376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"separadordecc.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_03_02; reference:url, urlhaus.abuse.ch/url/3788376/; classtype:trojan-activity;sid:84651476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3788070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pg.sh"; depth:6; endswith; nocase; http.host; content:"78.153.140.16"; depth:13; isdataat:!1,relative; metadata:created_at 2026_03_01; reference:url, urlhaus.abuse.ch/url/3788070/; classtype:trojan-activity;sid:84651170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|filename=xxwconvertedfile.txt"; depth:34; endswith; nocase; http.host; content:"bafybeidp7zdy2lu6yxvbgoev4b6xokuaa6jljr34vkflxzel2ya2gc3plm.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2026_02_28; reference:url, urlhaus.abuse.ch/url/3787416/; classtype:trojan-activity;sid:84650516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"137.175.205.63"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3787075/; classtype:trojan-activity;sid:84650175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3787077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"37.142.77.163"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_02_27; reference:url, urlhaus.abuse.ch/url/3787077/; classtype:trojan-activity;sid:84650177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jack5tr.sh"; depth:11; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786982/; classtype:trojan-activity;sid:84650082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc1.sh"; depth:8; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786983/; classtype:trojan-activity;sid:84650083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc3.sh"; depth:8; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786984/; classtype:trojan-activity;sid:84650084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc2.sh"; depth:8; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786985/; classtype:trojan-activity;sid:84650085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; 
nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786981/; classtype:trojan-activity;sid:84650081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssa_statement.msi"; depth:18; endswith; nocase; http.host; content:"bnet.playm8ru.win"; depth:17; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786888/; classtype:trojan-activity;sid:84649988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssa_statement.msi"; depth:18; endswith; nocase; http.host; content:"bnet-api.playm8ru.win"; depth:21; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786879/; classtype:trojan-activity;sid:84649979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssa_statement.msi"; depth:18; endswith; nocase; http.host; content:"212.224.107.246"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786841/; classtype:trojan-activity;sid:84649941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jyng2002/cracked-enhancer-for-trello-extension/refs/heads/main/hangworthy/cracked_trello_enhancer_for_extension_v1.3.zip"; depth:121; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786726/; 
classtype:trojan-activity;sid:84649826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teskkkkk/cracked-todoist-for-chrome/raw/refs/heads/main/fieldworker/cracked-chrome-for-todoist-v3.0.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786725/; classtype:trojan-activity;sid:84649825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teskkkkk/cracked-todoist-for-chrome/refs/heads/main/fieldworker/cracked-chrome-for-todoist-v3.0.zip"; depth:100; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786724/; classtype:trojan-activity;sid:84649824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maybedesxie7/cracked-webpage-annotator-extension/raw/refs/heads/main/decrepitation/cracked-annotator-webpage-extension-2.1-beta.4.zip"; depth:134; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786720/; classtype:trojan-activity;sid:84649820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkphatom/cracked-awesome-autocomplete-for-git-hub-extension/refs/heads/main/elegit/cracked_autocomplete_for_git_extension_awesome_hub_2.5.zip"; depth:144; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786715/; classtype:trojan-activity;sid:84649815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/darkphatom/cracked-awesome-autocomplete-for-git-hub-extension/raw/refs/heads/main/elegit/cracked_autocomplete_for_git_extension_awesome_hub_2.5.zip"; depth:148; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786714/; classtype:trojan-activity;sid:84649814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameeronwheels/cracked-save-to-milanote-extension/main/nonnucleated/to-extension-save-cracked-milanote-revalidate.zip"; depth:118; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786712/; classtype:trojan-activity;sid:84649812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sameeronwheels/cracked-save-to-milanote-extension/raw/refs/heads/main/nonnucleated/to-extension-save-cracked-milanote-revalidate.zip"; depth:133; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_27; reference:url, urlhaus.abuse.ch/url/3786713/; classtype:trojan-activity;sid:84649813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786364)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"115.190.250.28"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786364/; classtype:trojan-activity;sid:84649464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.120.20.86"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786363/; classtype:trojan-activity;sid:84649463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"37.142.77.163"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786353/; classtype:trojan-activity;sid:84649453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/186def/%e7%bd%91%e6%98%93%e4%ba%91%e9%9f%b3%e4%b9%90.exe"; depth:59; endswith; nocase; http.host; content:"dubapkg.cmcmcdn.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786320/; classtype:trojan-activity;sid:84649420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"203.57.109.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786317/; classtype:trojan-activity;sid:84649417; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786136/; classtype:trojan-activity;sid:84649236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786137/; classtype:trojan-activity;sid:84649237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786138/; classtype:trojan-activity;sid:84649238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786139/; classtype:trojan-activity;sid:84649239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, 
urlhaus.abuse.ch/url/3786140/; classtype:trojan-activity;sid:84649240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786141/; classtype:trojan-activity;sid:84649241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786142/; classtype:trojan-activity;sid:84649242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786143/; classtype:trojan-activity;sid:84649243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786144/; classtype:trojan-activity;sid:84649244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; 
isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786145/; classtype:trojan-activity;sid:84649245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"103.116.52.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786135/; classtype:trojan-activity;sid:84649235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3786055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/sshd/ubuntu/log"; depth:26; endswith; nocase; http.host; content:"77.221.157.206"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3786055/; classtype:trojan-activity;sid:84649155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soloobr/z-loops/refs/heads/master/updatelm/properties/loops_z_v2.9.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3785810/; classtype:trojan-activity;sid:84648910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soloobr/z-loops/raw/refs/heads/master/updatelm/properties/loops_z_v2.9.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3785811/; classtype:trojan-activity;sid:84648911; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soloobr/z-loops/raw/refs/heads/master/breathseller/z-loops.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_26; reference:url, urlhaus.abuse.ch/url/3785788/; classtype:trojan-activity;sid:84648888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.3.45.42"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785492/; classtype:trojan-activity;sid:84648592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"47.152.112.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785486/; classtype:trojan-activity;sid:84648586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.166.91.145"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785484/; classtype:trojan-activity;sid:84648584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/satish-ss/roblox-matcha/raw/refs/heads/master/bacula/matcha-roblox-v3.9-beta.1.zip"; depth:83; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_25; reference:url, urlhaus.abuse.ch/url/3785380/; classtype:trojan-activity;sid:84648480; rev:1;)
# The line above is the tail of a rule whose head is on the preceding line of this listing.
# The rules that were run together here are set out one per line below; rule text is unchanged.
#
# Matching model used by every rule in this run: the http.uri pattern has depth equal to its
# own length plus endswith, and the http.host pattern has the same depth plus
# isdataat:!1,relative, so both buffers must equal the listed values exactly. A request for
# the same file with a different path or an added query string is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3785098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n4.jpg"; depth:7; endswith; nocase; http.host; content:"77.83.39.153"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3785098/; classtype:trojan-activity;sid:84648198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/666666.png"; depth:11; endswith; nocase; http.host; content:"c.fi3.me"; depth:8; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3784955/; classtype:trojan-activity;sid:84648055; rev:1;)
# The next two rules (sid 84647959 and sid 84647960) have identical match criteria and differ
# only in URLhaus id and sid, so a single matching request raises two alerts.
# NOTE(review): both use protocol "http" with Host github.com. The rule inspects only what the
# HTTP parser sees, i.e. a cleartext request or traffic decrypted before the sensor; confirm
# whether TLS inspection covers this host before relying on these for download detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16784059/p.zip"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3784859/; classtype:trojan-activity;sid:84647959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3784860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16784059/p.zip"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3784860/; classtype:trojan-activity;sid:84647960; rev:1;)
# Head of the next rule; its remainder is on the following line of this listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3784720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"118.38.58.242"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_24; reference:url, urlhaus.abuse.ch/url/3784720/; classtype:trojan-activity;sid:84647820; rev:1;)
# The line above is the tail of a rule whose head is on the preceding line of this listing.
# The rules that were run together here are set out one per line below; rule text is unchanged.
# Each rule requires an exact http.uri (depth equal to pattern length, plus endswith) and an
# exact http.host (same depth, plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/6/6/20180724185728_petk_uc_1.4.0.apk"; depth:39; endswith; nocase; http.host; content:"downali.game.uc.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783631/; classtype:trojan-activity;sid:84646731; rev:1;)
# NOTE(review): the URI pattern below is written in percent-encoded form, and depth:63 is the
# length of that encoded text. http.uri is the normalized URI buffer, which Suricata documents
# as percent-decoded, so a literal "%e5..." pattern may never match there. Verify against a
# test capture; the raw form is exposed through http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e5%88%92%e5%ad%a6%e5%8f%b7v2--%e6%9e%81%e9%80%9f%e7%89%88.exe"; depth:63; endswith; nocase; http.host; content:"xn--h6qpop2cq9nl9c.pages.dev"; depth:28; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783627/; classtype:trojan-activity;sid:84646727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/soft/111210/1_0048481261.rar"; depth:37; endswith; nocase; http.host; content:"cn.unionlever.com"; depth:17; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783623/; classtype:trojan-activity;sid:84646723; rev:1;)
# Head of the next rule; its remainder is on the following line of this listing.
# NOTE(review): same percent-encoding concern as sid 84646727. The pattern contains the
# literals %20 and %23 while the buffer is the normalized http.uri; confirm it matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/approved%20document%23402.vbs"; depth:30; endswith; nocase; http.host; 
content:"pub-bbbdebc2599c4d74b04c5d53e439f7a7.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783597/; classtype:trojan-activity;sid:84646697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qbix01.exe"; depth:11; endswith; nocase; http.host; content:"sutterpoint.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783601/; classtype:trojan-activity;sid:84646701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.60.107.150"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783423/; classtype:trojan-activity;sid:84646523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"87.138.104.129"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783426/; classtype:trojan-activity;sid:84646526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"159.196.16.186"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783414/; classtype:trojan-activity;sid:84646514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783406)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"176.35.149.73"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783406/; classtype:trojan-activity;sid:84646506; rev:1;)
# The line above is the tail of a rule whose head is on the preceding line of this listing.
# The rules that were run together here are set out one per line below; rule text is unchanged.
#
# Every rule in this run uses the URI pattern "/" with depth:1 and endswith, so the URI must be
# exactly the root path. The Host value (an IP literal, matched exactly via depth plus
# isdataat:!1,relative) is therefore the only distinguishing indicator: any GET for the root
# document of that address from $HOME_NET alerts.
# NOTE(review): an alert here shows contact with the listed address, not a specific file name.
# Triage with the URLhaus reference and the created_at date, since address-only indicators
# can go stale.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"82.139.95.202"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783405/; classtype:trojan-activity;sid:84646505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.237.41.72"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783402/; classtype:trojan-activity;sid:84646502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"124.36.156.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783403/; classtype:trojan-activity;sid:84646503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.129.16.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783397/; classtype:trojan-activity;sid:84646497; rev:1;)
# Head of the next rule; its remainder is on the following line of this listing.
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3783394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"66.232.181.198"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783394/; classtype:trojan-activity;sid:84646494; rev:1;)
# Review notes (comments added; rule text unchanged, laid out one rule per line).
# The first and last lines of this span are pieces of rules that continue outside it.
#
# Shared match logic: an HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   http.uri  content + depth:<len> + endswith             -> URI equals the listed path (nocase)
#   http.host content + depth:<len> + isdataat:!1,relative -> host equals the listed value
# Both buffers are pinned at both ends, so a query string or any other path on the same
# host does not match. NOTE(review): no host value here carries a port; confirm how
# http.host on the deployed Suricata version treats a Host header that includes one.
# These are "alert http" rules, so only HTTP the sensor can parse in cleartext is inspected.
# Pivot: in the rules of this span sid = URLhaus URL id + 80863100 (3783395 -> 84646495),
# and reference:url names the same URLhaus entry.
#
# Group: URI is exactly "/" on a bare IPv4 host, created_at 2026_02_22.
# The path adds no specificity, so the host value is the whole indicator: an alert shows a
# client requested the root document of a listed address, not that a payload was returned.
# Confirm with the HTTP response (status, size, content type) before escalating.
# 182.54.141.236 is listed twice (sid 84646465 and sid 84646301) with identical match
# options, so one request raises two alerts; de-duplicate on host + URI downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"218.103.122.102"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783395/; classtype:trojan-activity;sid:84646495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"77.174.79.191"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783379/; classtype:trojan-activity;sid:84646479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"62.45.171.82"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783380/; classtype:trojan-activity;sid:84646480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"193.165.245.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783384/; classtype:trojan-activity;sid:84646484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"92.43.24.71"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783372/; classtype:trojan-activity;sid:84646472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.101.79.178"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783369/; classtype:trojan-activity;sid:84646469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.175.181.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783366/; classtype:trojan-activity;sid:84646466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"109.167.133.17"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783363/; classtype:trojan-activity;sid:84646463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"182.54.141.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783365/; classtype:trojan-activity;sid:84646465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"84.86.236.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783352/; classtype:trojan-activity;sid:84646452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"210.149.155.4"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783354/; classtype:trojan-activity;sid:84646454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.44.199.50"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783343/; classtype:trojan-activity;sid:84646443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"203.38.121.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783351/; classtype:trojan-activity;sid:84646451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"88.180.236.68"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783332/; classtype:trojan-activity;sid:84646432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"49.176.254.54"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783331/; classtype:trojan-activity;sid:84646431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"116.91.125.215"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783324/; classtype:trojan-activity;sid:84646424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"75.214.255.79"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783326/; classtype:trojan-activity;sid:84646426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"180.35.14.93"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783310/; classtype:trojan-activity;sid:84646410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.1.138.245"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783302/; classtype:trojan-activity;sid:84646402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"108.41.80.142"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783304/; classtype:trojan-activity;sid:84646404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"2.238.146.33"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783306/; classtype:trojan-activity;sid:84646406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.71.233.23"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783298/; classtype:trojan-activity;sid:84646398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"104.4.43.233"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783293/; classtype:trojan-activity;sid:84646393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"42.200.182.63"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783274/; classtype:trojan-activity;sid:84646374; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"182.93.58.234"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783275/; classtype:trojan-activity;sid:84646375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"190.115.114.38"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783270/; classtype:trojan-activity;sid:84646370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.6.210.123"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783266/; classtype:trojan-activity;sid:84646366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.111.82.210"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783256/; classtype:trojan-activity;sid:84646356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"188.167.179.75"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783257/; classtype:trojan-activity;sid:84646357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"62.246.109.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783255/; classtype:trojan-activity;sid:84646355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.140.76.210"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783253/; classtype:trojan-activity;sid:84646353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"153.136.164.199"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783252/; classtype:trojan-activity;sid:84646352; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"174.71.238.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783244/; classtype:trojan-activity;sid:84646344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"109.129.108.174"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783246/; classtype:trojan-activity;sid:84646346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"153.179.12.165"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783232/; classtype:trojan-activity;sid:84646332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"96.49.197.7"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783230/; classtype:trojan-activity;sid:84646330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"220.246.34.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783231/; classtype:trojan-activity;sid:84646331; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"73.179.119.149"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783225/; classtype:trojan-activity;sid:84646325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"80.147.3.138"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783213/; classtype:trojan-activity;sid:84646313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"218.188.43.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783202/; classtype:trojan-activity;sid:84646302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"121.6.96.248"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783206/; classtype:trojan-activity;sid:84646306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"222.154.246.166"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783211/; classtype:trojan-activity;sid:84646311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"94.168.120.202"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783196/; classtype:trojan-activity;sid:84646296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"141.134.214.46"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783197/; classtype:trojan-activity;sid:84646297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"90.177.125.64"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783198/; classtype:trojan-activity;sid:84646298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"31.55.236.199"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783199/; classtype:trojan-activity;sid:84646299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"188.15.129.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783200/; classtype:trojan-activity;sid:84646300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"182.54.141.236"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783201/; classtype:trojan-activity;sid:84646301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"99.53.69.161"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783184/; classtype:trojan-activity;sid:84646284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"58.87.231.196"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783187/; classtype:trojan-activity;sid:84646287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3783189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.200.67.119"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3783189/; classtype:trojan-activity;sid:84646289; rev:1;)
# Group: host 45.90.163.37, paths under /network/ (created_at 2026_02_22).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.sh4"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782795/; classtype:trojan-activity;sid:84645895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782784)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/network/bin.arm"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782784/; classtype:trojan-activity;sid:84645884; rev:1;)
# Review notes (comments added; rule text unchanged, laid out one rule per line).
# The first and last lines of this span are pieces of rules that continue outside it.
# Every rule here is an exact host + exact URI match on an HTTP GET from $HOME_NET to
# $EXTERNAL_NET: content + depth:<len> + endswith pins http.uri (nocase), and
# content + depth:<len> + isdataat:!1,relative pins http.host.
# Pivot: in the rules of this span sid = URLhaus URL id + 80863100 (3782785 -> 84645885).
#
# Group: host 45.90.163.37 (created_at 2026_02_22): /network/bin.<suffix> for x86, ppc,
# arm6, spc, arm5, mips, m68k, mpsl, x86_64 and arm7, plus /ohshit.sh and /debug.dbg.
# The suffixes look like CPU architecture names, presumably one payload built per
# architecture; the URLhaus entries hold the actual classification. When one of these
# fires, search the same client for requests to the other paths on this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.x86"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782785/; classtype:trojan-activity;sid:84645885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.ppc"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782787/; classtype:trojan-activity;sid:84645887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.arm6"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782773/; classtype:trojan-activity;sid:84645873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.spc"; depth:16; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782783/; classtype:trojan-activity;sid:84645883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.arm5"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782756/; classtype:trojan-activity;sid:84645856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.mips"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782758/; classtype:trojan-activity;sid:84645858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.m68k"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782759/; classtype:trojan-activity;sid:84645859; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.mpsl"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782764/; classtype:trojan-activity;sid:84645864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.x86_64"; depth:19; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782745/; classtype:trojan-activity;sid:84645845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/network/bin.arm7"; depth:17; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782746/; classtype:trojan-activity;sid:84645846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ohshit.sh"; depth:10; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782695/; classtype:trojan-activity;sid:84645795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3782689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"45.90.163.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_22; reference:url, urlhaus.abuse.ch/url/3782689/; classtype:trojan-activity;sid:84645789; rev:1;)
# Group: mixed entries, created_at 2026_02_17 to 2026_02_20.
# - /02.08.2022.exe is listed on two hosts (81.68.89.216 and 111.228.4.54).
# - /i and /.i are two- and three-byte paths; the pinned host keeps them specific.
# - 144.6.89.62 /sshd is listed twice (sid 84645042 and sid 84644428) with identical
#   match options, so one request raises two alerts; de-duplicate on host + URI downstream.
# - aaronart.com, creativevoltage.com and kavacanada.ca are named hosts. NOTE(review):
#   the rules do not say whether these are dedicated or compromised sites; check the
#   URLhaus entry before turning an alert into a domain-wide block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"81.68.89.216"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781950/; classtype:trojan-activity;sid:84645050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"149.106.141.136"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781948/; classtype:trojan-activity;sid:84645048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"144.6.89.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781942/; classtype:trojan-activity;sid:84645042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h64.exe"; depth:8; endswith; nocase; http.host; content:"aaronart.com"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781617/; classtype:trojan-activity;sid:84644717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m64.exe"; depth:8; endswith; nocase; http.host; content:"creativevoltage.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_02_20; reference:url, urlhaus.abuse.ch/url/3781614/; classtype:trojan-activity;sid:84644714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"111.228.4.54"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781331/; classtype:trojan-activity;sid:84644431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.104.195.210"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781329/; classtype:trojan-activity;sid:84644429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"144.6.89.62"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781328/; classtype:trojan-activity;sid:84644428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3781324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.106.63.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_19; reference:url, urlhaus.abuse.ch/url/3781324/; classtype:trojan-activity;sid:84644424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.15.155.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780546/; classtype:trojan-activity;sid:84643646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"43.249.54.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780321/; classtype:trojan-activity;sid:84643421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"200.54.221.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780319/; classtype:trojan-activity;sid:84643419; rev:1;)
# shadowbot-dih.pages.dev: two .apk paths. NOTE(review): pages.dev hosting is presumably
# reached over HTTPS in most cases, where an http rule sees nothing without decryption;
# consider covering the hostname with a TLS SNI or DNS rule as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghost.bot.apk.v13.apk"; depth:22; endswith; nocase; http.host; content:"shadowbot-dih.pages.dev"; depth:23; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780170/; classtype:trojan-activity;sid:84643270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3780164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shadow-bot-v11.apk"; depth:19; endswith; nocase; http.host; content:"shadowbot-dih.pages.dev"; depth:23; isdataat:!1,relative; metadata:created_at 2026_02_18; reference:url, urlhaus.abuse.ch/url/3780164/; classtype:trojan-activity;sid:84643264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"213.6.196.230"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779934/; classtype:trojan-activity;sid:84643034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filepath.mp4"; depth:13; endswith; nocase; http.host; content:"kavacanada.ca"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; 
reference:url, urlhaus.abuse.ch/url/3779909/; classtype:trojan-activity;sid:84643009; rev:1;)
# Review notes (comments added; rule text unchanged, laid out one rule per line).
# The first and last lines of this span are pieces of rules that continue outside it.
# Every rule here is an exact host + exact URI match on an HTTP GET from $HOME_NET to
# $EXTERNAL_NET: content + depth:<len> + endswith pins http.uri (nocase), and
# content + depth:<len> + isdataat:!1,relative pins http.host.
# Pivot: in the rules of this span sid = URLhaus URL id + 80863100 (3779635 -> 84642735).
#
# Group: host bbos.minet.vn (created_at 2026_02_17): /abc1.sh, /abc2.sh, /abc3.sh,
# /debug.dbg and one path each for arm, arm5, arm6, arm7, m68k, mips, mpsl, ppc, sh4,
# spc, x86 and x86_64. The names look like CPU architectures, presumably one payload per
# architecture; the URLhaus entries hold the actual classification.
# Paths such as /arm or /x86 are only four bytes long, so the exact http.host match is
# what keeps these rules from firing on unrelated sites. When one fires, search the same
# client for requests to the other paths on this host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc2.sh"; depth:8; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779635/; classtype:trojan-activity;sid:84642735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc1.sh"; depth:8; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779637/; classtype:trojan-activity;sid:84642737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc3.sh"; depth:8; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779638/; classtype:trojan-activity;sid:84642738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779630/; classtype:trojan-activity;sid:84642730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm6"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779626/; classtype:trojan-activity;sid:84642726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm5"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779622/; classtype:trojan-activity;sid:84642722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debug.dbg"; depth:10; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779621/; classtype:trojan-activity;sid:84642721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779620/; classtype:trojan-activity;sid:84642720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m68k"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779617/; classtype:trojan-activity;sid:84642717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ppc"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779618/; classtype:trojan-activity;sid:84642718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spc"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779606/; classtype:trojan-activity;sid:84642706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sh4"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779608/; classtype:trojan-activity;sid:84642708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779615/; classtype:trojan-activity;sid:84642715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779603/; classtype:trojan-activity;sid:84642703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mpsl"; depth:5; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779604/; classtype:trojan-activity;sid:84642704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; endswith; nocase; http.host; content:"bbos.minet.vn"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779605/; classtype:trojan-activity;sid:84642705; rev:1;)
# Group: bare IPv4 hosts. 217.209.57.38 is listed with two paths (/i and /bin.sh),
# so a client that triggers one is worth checking for the other.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.209.57.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779262/; classtype:trojan-activity;sid:84642362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3779259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"217.209.57.38"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_17; reference:url, urlhaus.abuse.ch/url/3779259/; classtype:trojan-activity;sid:84642359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.186.90.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778861/; classtype:trojan-activity;sid:84641961; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/ueditor/php/upload/file/20250114/x1/ref-cli%20v1.0.3.exe"; depth:62; endswith; nocase; http.host; content:"m.meta-dm.com"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778793/; classtype:trojan-activity;sid:84641893; rev:1;)
# NOTE(review): sid 84641893 (above) and sid 84641846 (m.jkoa.co.kr, below) match percent-encoded
# text ("%20", "%ec%8b%ac...") inside http.uri, and their depth values (62, 43) count the encoded
# form. http.uri is the normalized URI buffer; per the Suricata documentation percent-escapes such
# as %20 are decoded there, and the undecoded request line is matched with http.uri.raw. If the
# sensor decodes these escapes, the literal text never appears in the buffer and neither signature
# can fire. Confirm with a test pcap before relying on them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.15.155.121"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778789/; classtype:trojan-activity;sid:84641889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15%ec%8b%ac%ed%94%8c%ec%8a%a4%ec%ba%94.exe"; depth:43; endswith; nocase; http.host; content:"m.jkoa.co.kr"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_16; reference:url, urlhaus.abuse.ch/url/3778746/; classtype:trojan-activity;sid:84641846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3778490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.191.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_15; reference:url, urlhaus.abuse.ch/url/3778490/; classtype:trojan-activity;sid:84641590; rev:1;)
# NOTE(review): the next three signatures (103.74.5.124, 118.139.167.36, 172.96.189.153) pin
# http.uri to exactly "/" (content:"/"; depth:1; endswith;), so the Host value is the only
# distinguishing condition and any GET of the site root on those addresses alerts. Treat a hit as
# a host-level indicator, and check created_at and the referenced URLhaus entry before
# escalating, since an address can be reassigned or cleaned up after the listing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.74.5.124"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777931/; classtype:trojan-activity;sid:84641031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.139.167.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777918/; classtype:trojan-activity;sid:84641018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"172.96.189.153"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777919/; classtype:trojan-activity;sid:84641019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins/cloudflare/challenge/ishuman/id53728/"; depth:46; endswith; nocase; http.host; content:"widexenmexico.com.mx"; depth:20; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777916/; classtype:trojan-activity;sid:84641016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old_backup/"; depth:12; endswith; nocase; http.host; content:"216.119.126.23"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777906/; classtype:trojan-activity;sid:84641006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777793)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.148.18.221"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_14; reference:url, urlhaus.abuse.ch/url/3777793/; classtype:trojan-activity;sid:84640893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.251.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777242/; classtype:trojan-activity;sid:84640342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.55.251.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777243/; classtype:trojan-activity;sid:84640343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.173.12.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777214/; classtype:trojan-activity;sid:84640314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.8.20.75"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777182/; classtype:trojan-activity;sid:84640282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3777171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777171/; classtype:trojan-activity;sid:84640271; rev:1;)
# NOTE(review): the /sshd signatures for 81.151.191.4 in this run (URLhaus ids 3777171, 3777173,
# 3777174, 3777175, 3777176) carry the same flow, method, URI and Host conditions and differ only
# in msg, reference and sid; the rule header leaves the destination port as "any". One matching
# request therefore raises one alert per sid. Presumably the URLhaus entries differ in something
# the rule does not encode (port or scheme, for example) - confirm against the referenced
# entries. For triage, count these as a single event, or threshold/suppress the extra sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777173/; classtype:trojan-activity;sid:84640273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777174/; classtype:trojan-activity;sid:84640274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777175/; classtype:trojan-activity;sid:84640275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777176/;
classtype:trojan-activity;sid:84640276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.151.191.4"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777170/; classtype:trojan-activity;sid:84640270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fscan32.exe"; depth:12; endswith; nocase; http.host; content:"124.44.3.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777084/; classtype:trojan-activity;sid:84640184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beacon.exe"; depth:11; endswith; nocase; http.host; content:"124.44.3.74"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777069/; classtype:trojan-activity;sid:84640169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/re45766712.msi"; depth:15; endswith; nocase; http.host; content:"drevos.ro"; depth:9; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777050/; classtype:trojan-activity;sid:84640150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scr/omgo/approval3546.msi"; depth:26; endswith; nocase; http.host; 
content:"luizmatoso.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777049/; classtype:trojan-activity;sid:84640149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3777048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ref62535.msi"; depth:13; endswith; nocase; http.host; content:"vizyonuniversitesi.web.tr"; depth:25; isdataat:!1,relative; metadata:created_at 2026_02_13; reference:url, urlhaus.abuse.ch/url/3777048/; classtype:trojan-activity;sid:84640148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3776660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ftgyxe"; depth:7; endswith; nocase; http.host; content:"fukt.link"; depth:9; isdataat:!1,relative; metadata:created_at 2026_02_12; reference:url, urlhaus.abuse.ch/url/3776660/; classtype:trojan-activity;sid:84639760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3776653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joh/encrypted.ps1"; depth:18; endswith; nocase; http.host; content:"refaccionesalma.com.mx"; depth:22; isdataat:!1,relative; metadata:created_at 2026_02_12; reference:url, urlhaus.abuse.ch/url/3776653/; classtype:trojan-activity;sid:84639753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3775926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.158.90.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_11; reference:url, urlhaus.abuse.ch/url/3775926/; classtype:trojan-activity;sid:84639026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774774)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watching"; depth:9; endswith; nocase; http.host; content:"46.8.78.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774774/; classtype:trojan-activity;sid:84637874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gs-netcat_linux-x86_64"; depth:23; endswith; nocase; http.host; content:"46.8.78.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774775/; classtype:trojan-activity;sid:84637875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ss"; depth:3; endswith; nocase; http.host; content:"46.8.78.15"; depth:10; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774739/; classtype:trojan-activity;sid:84637839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/busybox-armv7l"; depth:15; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774709/; classtype:trojan-activity;sid:84637809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.181.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774678/; classtype:trojan-activity;sid:84637778; rev:1;) 
# NOTE(review): the next four signatures match the same file name, /02.08.2022.exe, on four
# different addresses. Each requires an exact URI (depth + endswith) and an exact Host
# (depth + isdataat:!1,relative), so the same file served from an unlisted address, or requested
# with a query string appended, does not alert. A proxy or HTTP log search on the file name
# across all destinations complements these host-pinned rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"115.190.140.220"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774677/; classtype:trojan-activity;sid:84637777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"179.43.186.214"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774663/; classtype:trojan-activity;sid:84637763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.219.76.168"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774640/; classtype:trojan-activity;sid:84637740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"192.3.233.166"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774635/; classtype:trojan-activity;sid:84637735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"46.8.78.15"; depth:10; isdataat:!1,relative;
metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774447/; classtype:trojan-activity;sid:84637547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2025/09/27/1758984967-5707.jpeg"; depth:32; endswith; nocase; http.host; content:"i.404.pm"; depth:8; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774338/; classtype:trojan-activity;sid:84637438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2025/11/12/1762933913-224.jpeg"; depth:31; endswith; nocase; http.host; content:"i.404.pm"; depth:8; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774350/; classtype:trojan-activity;sid:84637450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.30.92.188"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774265/; classtype:trojan-activity;sid:84637365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"81.16.251.131"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774267/; classtype:trojan-activity;sid:84637367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774247)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.171.188.254"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_08; reference:url, urlhaus.abuse.ch/url/3774247/; classtype:trojan-activity;sid:84637347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qst"; depth:4; endswith; nocase; http.host; content:"87.121.79.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774078/; classtype:trojan-activity;sid:84637178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nbv"; depth:4; endswith; nocase; http.host; content:"87.121.79.78"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774079/; classtype:trojan-activity;sid:84637179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/armv4l"; depth:18; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774076/; classtype:trojan-activity;sid:84637176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/mips"; depth:16; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774074/; classtype:trojan-activity;sid:84637174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3774075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/aarch64"; depth:19; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774075/; classtype:trojan-activity;sid:84637175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/mpsl"; depth:16; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774073/; classtype:trojan-activity;sid:84637173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/armv6l"; depth:18; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774071/; classtype:trojan-activity;sid:84637171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3774072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2onsolana/x86"; depth:15; endswith; nocase; http.host; content:"156.246.93.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3774072/; classtype:trojan-activity;sid:84637172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gif.gif"; depth:8; endswith; nocase; http.host; content:"pjsn.hi2.ro"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, 
urlhaus.abuse.ch/url/3773540/; classtype:trojan-activity;sid:84636640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"43.229.20.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3773435/; classtype:trojan-activity;sid:84636535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"77.50.222.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3773429/; classtype:trojan-activity;sid:84636529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"184.160.27.44"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_07; reference:url, urlhaus.abuse.ch/url/3773432/; classtype:trojan-activity;sid:84636532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.55.251.93"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773292/; classtype:trojan-activity;sid:84636392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.112.101.200"; depth:15; 
isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773270/; classtype:trojan-activity;sid:84636370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"45.173.12.30"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773268/; classtype:trojan-activity;sid:84636368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"138.219.58.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773257/; classtype:trojan-activity;sid:84636357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"83.218.189.41"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773251/; classtype:trojan-activity;sid:84636351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.185.1.70"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773253/; classtype:trojan-activity;sid:84636353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3773225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; 
endswith; nocase; http.host; content:"62.99.58.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3773225/; classtype:trojan-activity;sid:84636325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download_invitee.php"; depth:21; endswith; nocase; http.host; content:"biducaconfeitos.com.br"; depth:22; isdataat:!1,relative; metadata:created_at 2026_02_06; reference:url, urlhaus.abuse.ch/url/3772916/; classtype:trojan-activity;sid:84636016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"50.43.160.231"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772764/; classtype:trojan-activity;sid:84635864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.1.110.226"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772754/; classtype:trojan-activity;sid:84635854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"112.124.33.87"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772607/; classtype:trojan-activity;sid:84635707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772577)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.201"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772577/; classtype:trojan-activity;sid:84635677; rev:1;)
# ^ Tail of a rule that begins before this span; left exactly as found.
#
# URLhaus download-URL rules, restored to one rule per line (a Suricata rule may only span
# lines when each line ends in a backslash).
# Every rule has the same shape: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI and Host each equal one listed value. On http.uri, depth equal to
# the content length plus endswith pins the match to the whole buffer; on http.host, depth
# plus isdataat:!1,relative does the same. The same file requested under another path, with a
# query string appended, or through another host name is therefore not matched.
# nocase follows the http.uri content and applies to that content only.
# The number in msg is the URLhaus entry id that also appears in the reference URL.
#
# Most hosts below are literal IPv4 addresses. Addresses get reassigned, so read a hit
# together with metadata:created_at and the referenced URLhaus entry before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.94"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772575/; classtype:trojan-activity;sid:84635675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"196.39.143.113"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772572/; classtype:trojan-activity;sid:84635672; rev:1;)
# The URIs "/.i" and "/linux" are only a few bytes long; the alert is specific only because
# the exact Host match is required as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"213.5.194.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772548/; classtype:trojan-activity;sid:84635648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"77.46.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772543/; classtype:trojan-activity;sid:84635643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.88.6.203"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772534/; classtype:trojan-activity;sid:84635634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.220.234.5"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772536/; classtype:trojan-activity;sid:84635636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"213.91.236.237"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772527/; classtype:trojan-activity;sid:84635627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"184.185.30.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772528/; classtype:trojan-activity;sid:84635628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoftteamupdate.msi"; depth:24; endswith; nocase; http.host; content:"vrajras.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772510/; classtype:trojan-activity;sid:84635610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"114.215.193.12"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772458/; classtype:trojan-activity;sid:84635558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.186.90.66"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_05; reference:url, urlhaus.abuse.ch/url/3772365/; classtype:trojan-activity;sid:84635465; rev:1;)
# The host below is a 73-byte subdomain of ipfs.w3s.link.
# NOTE(review): the first label looks like an IPFS content identifier; if so, the same content
# may be reachable through other gateways that this exact-host rule does not cover. Confirm.
# NOTE(review): this is an `alert http` rule, so it needs the request in cleartext; if the
# gateway is reached over HTTPS the sensor only sees it with TLS decryption in front. Confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3772096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"bafybeieq7tctzxkqidqpq4fjvtznbupqrpo2w4n4lfmzksehei4dinilii.ipfs.w3s.link"; depth:73; isdataat:!1,relative; metadata:created_at 2026_02_04; reference:url, urlhaus.abuse.ch/url/3772096/; classtype:trojan-activity;sid:84635196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.62.202.150"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771741/; classtype:trojan-activity;sid:84634841; rev:1;)
# Head of a rule that continues past this span; left exactly as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; 
nocase; http.host; content:"70.45.151.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771659/; classtype:trojan-activity;sid:84634759; rev:1;)
# ^ Tail of a rule that begins before this span; left exactly as found.
#
# URLhaus download-URL rules, restored to one rule per line (a Suricata rule may only span
# lines when each line ends in a backslash).
# Every rule has the same shape: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI and Host each equal one listed value. On http.uri, depth equal to
# the content length plus endswith pins the match to the whole buffer; on http.host, depth
# plus isdataat:!1,relative does the same. The same file requested under another path, with a
# query string appended, or through another host name is therefore not matched.
# nocase follows the http.uri content and applies to that content only.
#
# This run repeats a small set of file names (video.scr, video.lnk, photo.lnk, av.scr, av.lnk,
# info.zip) across several literal-IP hosts, one rule per URLhaus entry. All are dated
# 2026_02_03; addresses get reassigned, so check the referenced entry when triaging a hit.
#
# NOTE(review): sid 84634593 (entry 3771493) and sid 84634436 (entry 3771336) carry identical
# match conditions ("/info.zip" on 203.121.236.145), so one request raises both alerts.
# Deduplicate downstream, or count the pair as a single event.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"70.45.151.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771648/; classtype:trojan-activity;sid:84634748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.121.236.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771493/; classtype:trojan-activity;sid:84634593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771458/; classtype:trojan-activity;sid:84634558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771442/; classtype:trojan-activity;sid:84634542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771420/; classtype:trojan-activity;sid:84634520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771416/; classtype:trojan-activity;sid:84634516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771410/; classtype:trojan-activity;sid:84634510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771405/; classtype:trojan-activity;sid:84634505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771394/; classtype:trojan-activity;sid:84634494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771393/; classtype:trojan-activity;sid:84634493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771357/; classtype:trojan-activity;sid:84634457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.121.236.145"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771336/; classtype:trojan-activity;sid:84634436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771319/; classtype:trojan-activity;sid:84634419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771258/; classtype:trojan-activity;sid:84634358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.226.249.227"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771242/; classtype:trojan-activity;sid:84634342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"47.201.14.128"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771234/; classtype:trojan-activity;sid:84634334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771237/; classtype:trojan-activity;sid:84634337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771218/; classtype:trojan-activity;sid:84634318; rev:1;)
# Head of a rule that continues past this span; left exactly as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; 
http.host; content:"203.212.222.22"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771220/; classtype:trojan-activity;sid:84634320; rev:1;)
# ^ Tail of a rule that begins before this span; left exactly as found.
#
# URLhaus download-URL rules, restored to one rule per line (a Suricata rule may only span
# lines when each line ends in a backslash).
# Every rule has the same shape: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI and Host each equal one listed value. On http.uri, depth equal to
# the content length plus endswith pins the match to the whole buffer; on http.host, depth
# plus isdataat:!1,relative does the same. The same file requested under another path, with a
# query string appended, or through another host name is therefore not matched.
# nocase follows the http.uri content and applies to that content only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"98.195.187.75"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771206/; classtype:trojan-activity;sid:84634306; rev:1;)
# The rules for host 81.42.249.132 carry percent-encoded spaces ("%20") in the http.uri
# content, and their depth values (37 and 42) count each "%20" as three bytes.
# NOTE(review): http.uri is Suricata's normalized URI buffer, in which %20 is documented as
# being decoded to a space; matching the literal characters "%20" is documented as the job of
# http.uri.raw. If that holds for the deployed version, these exact-length rules cannot match
# the shorter normalized URI. Replay a test request through the sensor to confirm they fire,
# and report the result upstream rather than editing the feed locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/31%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771061/; classtype:trojan-activity;sid:84634161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/08%2008%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771062/; classtype:trojan-activity;sid:84634162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/24%2010%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771063/; classtype:trojan-activity;sid:84634163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/10%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771059/; classtype:trojan-activity;sid:84634159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/27%2007%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771057/; classtype:trojan-activity;sid:84634157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/30%2009%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771058/; classtype:trojan-activity;sid:84634158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/10%2001%202026/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771054/; classtype:trojan-activity;sid:84634154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/20%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771055/; classtype:trojan-activity;sid:84634155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/20%2009%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771050/; classtype:trojan-activity;sid:84634150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/24%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771051/; classtype:trojan-activity;sid:84634151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/15%2010%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771052/; classtype:trojan-activity;sid:84634152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/16%2001%202026/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771053/; classtype:trojan-activity;sid:84634153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/20%2007%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771048/; classtype:trojan-activity;sid:84634148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/12%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771045/; classtype:trojan-activity;sid:84634145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ser%20costa%20luz/02%2012%202025/info.zip"; depth:42; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771039/; classtype:trojan-activity;sid:84634139; rev:1;)
# Named host with a script path. Treat the full URI, not the domain alone, as the indicator
# when pivoting from this alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3771036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bitrix/cache/js/s1/universe_s1/kernel_main/kernel_main_v1.js"; depth:61; endswith; nocase; http.host; content:"alternativas.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2026_02_03; reference:url, urlhaus.abuse.ch/url/3771036/; classtype:trojan-activity;sid:84634136; rev:1;)
# Head of a rule that continues past this span; left exactly as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3770100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/64.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3770100/; classtype:trojan-activity;sid:84633200; rev:1;)
# ^ Tail of a rule that begins before this span; left exactly as found.
#
# URLhaus download-URL rules, restored to one rule per line (a Suricata rule may only span
# lines when each line ends in a backslash).
# Every rule has the same shape: an established, client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI and Host each equal one listed value. On http.uri, depth equal to
# the content length plus endswith pins the match to the whole buffer; on http.host, depth
# plus isdataat:!1,relative does the same. The same file requested under another path, with a
# query string appended, or through another host name is therefore not matched.
# nocase follows the http.uri content and applies to that content only.
#
# Several URIs here are two to six bytes long ("/i", "/.i", "/sshd", "/pty2" ... "/pty10");
# the alert is specific only because the exact Host match is required as well. Most hosts are
# literal IPv4 addresses, which get reassigned, so read a hit together with
# metadata:created_at and the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3767404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.161"; depth:14; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3767404/; classtype:trojan-activity;sid:84630504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3767197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"62.99.58.93"; depth:11; isdataat:!1,relative; metadata:created_at 2026_02_01; reference:url, urlhaus.abuse.ch/url/3767197/; classtype:trojan-activity;sid:84630297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty2"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766633/; classtype:trojan-activity;sid:84629733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty3"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766628/; classtype:trojan-activity;sid:84629728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty4"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766630/; classtype:trojan-activity;sid:84629730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty5"; depth:5; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766631/; classtype:trojan-activity;sid:84629731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pty10"; depth:6; endswith; nocase; http.host; content:"69.46.43.35"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766632/; classtype:trojan-activity;sid:84629732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.38.70.37"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766592/; classtype:trojan-activity;sid:84629692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.5.194.56"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766587/; classtype:trojan-activity;sid:84629687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"120.196.95.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766584/; classtype:trojan-activity;sid:84629684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.46.91"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_31; reference:url, urlhaus.abuse.ch/url/3766565/; classtype:trojan-activity;sid:84629665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get/cl.msi"; depth:11; endswith; nocase; http.host; content:"corporacioncrf.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766226/; classtype:trojan-activity;sid:84629326; rev:1;)
# The next two hosts are 73-byte subdomains of ipfs.w3s.link.
# NOTE(review): the first label looks like an IPFS content identifier; if so, the same content
# may be reachable through other gateways that these exact-host rules do not cover. Confirm.
# NOTE(review): these are `alert http` rules, so they need the request in cleartext; if the
# gateway is reached over HTTPS the sensor only sees it with TLS decryption in front. Confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filejantn.txt"; depth:14; endswith; nocase; http.host; content:"bafybeiffpkay6l7heq55epccneb563p5chjzclxnso3vkozyorphlz6ana.ipfs.w3s.link"; depth:73; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766219/; classtype:trojan-activity;sid:84629319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3766021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/optimized_msi.png"; depth:18; endswith; nocase; http.host; content:"bafybeibfoyi7ruuyoncarf4xr55qa3lthsjjjgrktk4ia4z3upesawb4ry.ipfs.w3s.link"; depth:73; isdataat:!1,relative; metadata:created_at 2026_01_30; reference:url, urlhaus.abuse.ch/url/3766021/; classtype:trojan-activity;sid:84629121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3765258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"120.196.95.249"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_28; reference:url, urlhaus.abuse.ch/url/3765258/; classtype:trojan-activity;sid:84628358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3764383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/order2390.msi"; depth:25; endswith; nocase; http.host; content:"audicontadores.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_26; reference:url, urlhaus.abuse.ch/url/3764383/; classtype:trojan-activity;sid:84627483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.96.96.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_25; reference:url, urlhaus.abuse.ch/url/3763665/; classtype:trojan-activity;sid:84626765; rev:1;)
# Four entries share the directory /plugins-dist/safehtml/lang/font/ on 34.70.205.211; each
# file under it has its own rule, so a file not listed here is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/cr.sh"; depth:38; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763338/; classtype:trojan-activity;sid:84626438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/javae"; depth:38; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763336/; classtype:trojan-activity;sid:84626436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/pnscan-1.14.1.tar.gz"; depth:53; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763333/; classtype:trojan-activity;sid:84626433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins-dist/safehtml/lang/font/1.0.5.tar.gz"; depth:45; endswith; nocase; http.host; content:"34.70.205.211"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763334/; classtype:trojan-activity;sid:84626434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3763137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.90.205.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_24; reference:url, urlhaus.abuse.ch/url/3763137/; classtype:trojan-activity;sid:84626237; rev:1;)
# Head of a rule that continues past this span; left exactly as found.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; 
http.host; content:"47.120.32.72"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762681/; classtype:trojan-activity;sid:84625781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.23.89.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762674/; classtype:trojan-activity;sid:84625774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.155.243.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762403/; classtype:trojan-activity;sid:84625503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"95.155.243.196"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_23; reference:url, urlhaus.abuse.ch/url/3762391/; classtype:trojan-activity;sid:84625491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hamzaabiadi/cracked-tab-organizer-extension/main/altisonous/cracked-tab-organizer-extension.zip"; depth:96; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762176/; classtype:trojan-activity;sid:84625276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3762083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.23.89.5"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762083/; classtype:trojan-activity;sid:84625183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762054/; classtype:trojan-activity;sid:84625154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3762050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3762050/; classtype:trojan-activity;sid:84625150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caio-arc/links/raw/refs/heads/main/application.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761843/; classtype:trojan-activity;sid:84624943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keyur-m/hometask/raw/refs/heads/main/application.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761841/; classtype:trojan-activity;sid:84624924; rev:1;) 
# --- Exact-URL matches on raw.githubusercontent.com ------------------------
# Each rule below (and the one that continues onto the following line) alerts
# on a GET whose http.uri equals one full file path (content + depth of the
# same length + endswith) and whose http.host equals raw.githubusercontent.com
# (content + depth:25 + isdataat:!1,relative).
# The indicator is the full path, not the host: the host is a shared
# code-hosting domain, so these entries should not be converted into a host
# or domain block.
# NOTE(review): these are `alert http` signatures, so they only see requests
# the sensor can parse as cleartext HTTP. This host is normally reached over
# HTTPS; unless TLS is decrypted upstream of the sensor the rules are unlikely
# to fire - confirm coverage, or match the same URLs in proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teeeeeeeeeellkall/cracked-tab-groups-extension/main/clackety/cracked-tab-groups-extension.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761824/; classtype:trojan-activity;sid:84624924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teskkkkk/cracked-todoist-for-chrome/main/fieldworker/cracked-todoist-for-chrome.zip"; depth:84; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761823/; classtype:trojan-activity;sid:84624923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/class1k/cracked-save-to-mondaycom-extension/main/textbookless/cracked-save-to-mondaycom-extension.zip"; depth:102; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761822/; classtype:trojan-activity;sid:84624922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsm2raj/cracked-webpage-highlighter-extension/main/innkeeper/cracked-webpage-highlighter-extension.zip"; depth:103; endswith; nocase; 
http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761818/; classtype:trojan-activity;sid:84624918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shifaishfaque/cracked-save-to-click-up-extension/raw/refs/heads/main/doddart/cracked-save-to-click-up-extension.zip"; depth:116; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761819/; classtype:trojan-activity;sid:84624919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lazzydave/cracked-webpage-snapshot-extension/main/sketchiness/cracked-webpage-snapshot-extension.zip"; depth:101; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761816/; classtype:trojan-activity;sid:84624916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bibabiboreal/cracked-save-to-airtable-base-extension/main/rectifiable/cracked-save-to-airtable-base-extension.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761813/; classtype:trojan-activity;sid:84624913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761807)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kayraizm3131/cracked-webpage-tag-manager-extension/main/pteroclomorphic/cracked-webpage-tag-manager-extension.zip"; depth:114; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761807/; classtype:trojan-activity;sid:84624907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3761795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crandd1/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_22; reference:url, urlhaus.abuse.ch/url/3761795/; classtype:trojan-activity;sid:84624895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3760824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.7.114.186"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_20; reference:url, urlhaus.abuse.ch/url/3760824/; classtype:trojan-activity;sid:84623924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3760734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"www.backupallfresh2030.com"; depth:26; isdataat:!1,relative; metadata:created_at 2026_01_20; reference:url, urlhaus.abuse.ch/url/3760734/; classtype:trojan-activity;sid:84623834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3759998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"59.7.114.186"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_18; reference:url, 
urlhaus.abuse.ch/url/3759998/; classtype:trojan-activity;sid:84623098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3759759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.178.246"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_18; reference:url, urlhaus.abuse.ch/url/3759759/; classtype:trojan-activity;sid:84622859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/upload/other/20220313/1647160611412907.apk"; depth:50; endswith; nocase; http.host; content:"www.longfeng188.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_16; reference:url, urlhaus.abuse.ch/url/3758944/; classtype:trojan-activity;sid:84622044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3758943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/laizi_wzzdh.apk"; depth:21; endswith; nocase; http.host; content:"n.vs108.com"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_16; reference:url, urlhaus.abuse.ch/url/3758943/; classtype:trojan-activity;sid:84622043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.95.137.155"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757989/; classtype:trojan-activity;sid:84621089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757953)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmp/imgs.exe"; depth:13; endswith; nocase; http.host; content:"wittenhorst.eu"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757953/; classtype:trojan-activity;sid:84621053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syrins/chatgpt-app/raw/9d9a3d9ce5ba4eb03b7738f99458773e3b4ce7de/inat%20tv.apk"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757907/; classtype:trojan-activity;sid:84621007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757803/; classtype:trojan-activity;sid:84620903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2011%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757804/; classtype:trojan-activity;sid:84620904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/04%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, 
urlhaus.abuse.ch/url/3757806/; classtype:trojan-activity;sid:84620906; rev:1;) 
# --- Percent-encoded paths matched in http.uri ------------------------------
# The next four rules share one host (81.42.249.132) and one path shape,
# /r-02-radiole/<DD>%20<MM>%20<YYYY>/info.zip, and differ only in the date
# segment. Their depth:37 is counted over the encoded form ("%20" = 3 bytes).
# NOTE(review): http.uri is Suricata's normalized URI buffer, and the
# Suricata documentation describes "%20" as being converted to a space there,
# with http.uri.raw as the buffer for matching the literal escape. If the
# sensor normalizes these paths, the patterns below would not match the
# decoded request and the download would pass without an alert. Verify with a
# replayed sample request before relying on these sids; a local variant would
# use http.uri.raw or decoded content with an adjusted depth - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/02%2012%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757809/; classtype:trojan-activity;sid:84620909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/04%2008%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757811/; classtype:trojan-activity;sid:84620911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/05%2010%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757802/; classtype:trojan-activity;sid:84620902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/03%2011%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757799/; classtype:trojan-activity;sid:84620899; rev:1;)
# (end of the percent-encoded group; the rule started below is completed on the following line)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757800)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/info.zip"; depth:14; endswith; nocase; http.host; content:"182.163.114.232"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757800/; classtype:trojan-activity;sid:84620900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/03%2009%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757796/; classtype:trojan-activity;sid:84620896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/04%2011%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757794/; classtype:trojan-activity;sid:84620894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/03%2008%202025/info.zip"; depth:37; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_14; reference:url, urlhaus.abuse.ch/url/3757791/; classtype:trojan-activity;sid:84620891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.197.62.195"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_13; reference:url, 
urlhaus.abuse.ch/url/3757377/; classtype:trojan-activity;sid:84620477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"154.0.129.114"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_13; reference:url, urlhaus.abuse.ch/url/3757126/; classtype:trojan-activity;sid:84620226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3757074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netsyst81.dll"; depth:14; endswith; nocase; http.host; content:"steam66.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2026_01_13; reference:url, urlhaus.abuse.ch/url/3757074/; classtype:trojan-activity;sid:84620174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3756255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"70.45.151.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3756255/; classtype:trojan-activity;sid:84619355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3756023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"70.45.151.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3756023/; classtype:trojan-activity;sid:84619123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3756018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; 
content:"70.45.151.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3756018/; classtype:trojan-activity;sid:84619118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t36"; depth:4; endswith; nocase; http.host; content:"42.192.39.152"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_11; reference:url, urlhaus.abuse.ch/url/3755992/; classtype:trojan-activity;sid:84619092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"115.190.237.175"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755558/; classtype:trojan-activity;sid:84618658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"71.7.239.142"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755217/; classtype:trojan-activity;sid:84618317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"70.45.151.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755119/; classtype:trojan-activity;sid:84618219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3755067)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"70.45.151.28"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_10; reference:url, urlhaus.abuse.ch/url/3755067/; classtype:trojan-activity;sid:84618167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"154.84.212.18"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754766/; classtype:trojan-activity;sid:84617866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"79.175.42.18"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754752/; classtype:trojan-activity;sid:84617852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"186.121.239.114"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754756/; classtype:trojan-activity;sid:84617856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"37.157.212.138"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754761/; classtype:trojan-activity;sid:84617861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3754764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"202.131.234.26"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754764/; classtype:trojan-activity;sid:84617864; rev:1;) 
# --- .scr downloads under /sda1/ on 27.125.169.235 --------------------------
# The next three rules match exact paths on one host; every payload name ends
# in .scr (a Windows screensaver file, which is an executable format).
# Two of the three paths carry a literal "%24" escape, and their depth values
# (30 and 80) are counted over that encoded form.
# NOTE(review): http.uri is the normalized URI buffer; if the sensor decodes
# "%24" to "$" before matching, sids 84617844 and 84617841 would not fire,
# while sid 84617845 (no escapes in its path) would. Verify with a replayed
# request; a local variant would use http.uri.raw or the decoded path with an
# adjusted depth - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/%24recycle.bin/photo.scr"; depth:30; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754744/; classtype:trojan-activity;sid:84617844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/reynold/av.scr"; depth:20; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754745/; classtype:trojan-activity;sid:84617845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/%24recycle.bin/s-1-5-21-513737667-1919666884-561045330-1001/%24rs1r5lt.scr"; depth:80; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754741/; classtype:trojan-activity;sid:84617841; rev:1;)
# (end of the /sda1/ group; the rule started below is completed on the following line)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"128.127.102.134"; depth:15; isdataat:!1,relative; 
metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754708/; classtype:trojan-activity;sid:84617808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.140.32.219"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754695/; classtype:trojan-activity;sid:84617795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"172.85.143.74"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754701/; classtype:trojan-activity;sid:84617801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"154.0.129.134"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754703/; classtype:trojan-activity;sid:84617803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"195.158.88.156"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754690/; classtype:trojan-activity;sid:84617790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoldownload/"; depth:13; endswith; nocase; 
http.host; content:"down10d.zol.com.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754685/; classtype:trojan-activity;sid:84617785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.164.117.74"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754677/; classtype:trojan-activity;sid:84617777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"83.218.189.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754656/; classtype:trojan-activity;sid:84617756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"200.54.221.234"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754662/; classtype:trojan-activity;sid:84617762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"197.159.1.58"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754573/; classtype:trojan-activity;sid:84617673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754552)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"151.237.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754552/; classtype:trojan-activity;sid:84617652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754556/; classtype:trojan-activity;sid:84617656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"178.77.228.166"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754547/; classtype:trojan-activity;sid:84617647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn7.exe"; depth:26; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754542/; classtype:trojan-activity;sid:84617642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpnx2.exe"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754543/; classtype:trojan-activity;sid:84617643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3754540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimidrv.sys"; depth:20; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754540/; classtype:trojan-activity;sid:84617640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"212.107.232.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754534/; classtype:trojan-activity;sid:84617634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"217.75.193.34"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754530/; classtype:trojan-activity;sid:84617630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754532)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"81.16.250.173"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754532/; classtype:trojan-activity;sid:84617632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"190.128.195.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754520/; 
classtype:trojan-activity;sid:84617620; rev:1;) 
# --- Root-document ("/") matches on IP-literal hosts ------------------------
# In the rules below http.uri must be exactly "/" (content:"/" + depth:1 +
# endswith) and http.host must be exactly one IP literal (content + depth of
# the same length + isdataat:!1,relative). Any GET for the root document that
# names that IP as the host therefore alerts, so these signatures behave as
# host indicators rather than URL indicators.
# Triage notes: the msg text is the same for every rule apart from the
# URLhaus ID, so pivot on sid and the reference:url entry; the only age
# information in the rule is metadata:created_at, which is the field to use
# when expiring entries locally, since an IP address can be reassigned after
# the listing.
# NOTE(review): a request that reaches the same address under a different
# Host value would not match these rules - confirm whether that gap matters
# for the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"190.12.99.194"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754521/; classtype:trojan-activity;sid:84617621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"87.119.108.21"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754517/; classtype:trojan-activity;sid:84617617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"37.252.69.10"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754511/; classtype:trojan-activity;sid:84617611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"81.16.249.96"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754443/; classtype:trojan-activity;sid:84617543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"178.220.234.5"; depth:13; isdataat:!1,relative; metadata:created_at 
2026_01_09; reference:url, urlhaus.abuse.ch/url/3754444/; classtype:trojan-activity;sid:84617544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"94.244.113.217"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754438/; classtype:trojan-activity;sid:84617538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"181.129.182.138"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754425/; classtype:trojan-activity;sid:84617525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.173.173.98"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754427/; classtype:trojan-activity;sid:84617527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"78.29.14.127"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754432/; classtype:trojan-activity;sid:84617532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; 
content:"174.78.254.83"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754433/; classtype:trojan-activity;sid:84617533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"171.231.131.90"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754390/; classtype:trojan-activity;sid:84617490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.179.121.235"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754384/; classtype:trojan-activity;sid:84617484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.12.78.161"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754377/; classtype:trojan-activity;sid:84617477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"83.166.197.212"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754378/; classtype:trojan-activity;sid:84617478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754379)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/cryptography_module/base_library.zip"; depth:37; endswith; nocase; http.host; content:"122.170.110.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754379/; classtype:trojan-activity;sid:84617479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"115.240.70.185"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754373/; classtype:trojan-activity;sid:84617473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pc/pdfconvert/"; depth:15; endswith; nocase; http.host; content:"download.pdf00.com"; depth:18; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754331/; classtype:trojan-activity;sid:84617431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namu864.exe"; depth:20; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754327/; classtype:trojan-activity;sid:84617427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn32.zip"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754328/; classtype:trojan-activity;sid:84617428; rev:1;) 
# How the rules below match (one URLhaus entry per rule; the number in msg and in the reference URL is the entry id):
#   - Only client requests from $HOME_NET to $EXTERNAL_NET on an established flow are inspected, method GET.
#   - http.uri uses depth equal to the content length plus endswith, and http.host uses depth equal to the
#     content length plus isdataat:!1,relative: both buffers must equal the listed string as a whole
#     (the URI case-insensitively via nocase). Presumably a query string appended to the path defeats the
#     URI match - confirm with a test request.
#   - Ports are "any"; the rules only apply to traffic parsed as HTTP, so the same URL fetched over TLS is
#     not visible to them without decryption.
#   - A rule whose URI is "/" fires on any GET for the root of that host: it shows contact, not a retrieved
#     payload. Correlate with flow/file logs, and weigh metadata:created_at - IP-literal hosts can change hands.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"37.9.25.206"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754324/; classtype:trojan-activity;sid:84617424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpnx2/namuvpnx2.exe"; depth:37; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754325/; classtype:trojan-activity;sid:84617425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"46.151.56.42"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754299/; classtype:trojan-activity;sid:84617399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namuxp.zip"; depth:19; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754282/; classtype:trojan-activity;sid:84617382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"91.147.91.21"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754276/; classtype:trojan-activity;sid:84617376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namuvpn7.exe"; depth:21; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754274/; classtype:trojan-activity;sid:84617374; rev:1;)
# NOTE(review): http.uri is the normalized URI buffer. If normalization percent-decodes "%2b" to "+",
# the literal "%2b%2b" below will not be present in the buffer and this rule (and sid 84617276, which
# uses the same path) would never fire. Test with a replayed request and compare against http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debugview%2b%2b.exe"; depth:20; endswith; nocase; http.host; content:"119.91.58.97"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754265/; classtype:trojan-activity;sid:84617365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn7.zip"; depth:26; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754262/; classtype:trojan-activity;sid:84617362; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754253/; classtype:trojan-activity;sid:84617353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"43.249.54.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754244/; classtype:trojan-activity;sid:84617344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn7/namuvpn7.exe"; depth:35; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754238/; classtype:trojan-activity;sid:84617338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/back/namuvpn32.exe"; depth:27; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754218/; classtype:trojan-activity;sid:84617318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"223.197.231.77"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754202/; classtype:trojan-activity;sid:84617302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptodata/archive_to_send_decr.zip"; depth:36; endswith; nocase; http.host; content:"122.170.110.131"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754194/; classtype:trojan-activity;sid:84617294; rev:1;)
# Same percent-encoded path as sid 84617365; the NOTE(review) on that rule applies here too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/debugview%2b%2b.exe"; depth:20; endswith; nocase; http.host; content:"114.132.86.182"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754176/; classtype:trojan-activity;sid:84617276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"115.127.68.162"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754170/; classtype:trojan-activity;sid:84617270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3754166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"110.4.13.252"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3754166/; classtype:trojan-activity;sid:84617266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3753765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/img001.exe"; depth:15; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_09; reference:url, urlhaus.abuse.ch/url/3753765/; classtype:trojan-activity;sid:84616865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"meetvideogoogle.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752359/; classtype:trojan-activity;sid:84615459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"videomeetgoogle.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752363/; classtype:trojan-activity;sid:84615463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"194.67.127.229"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752358/; classtype:trojan-activity;sid:84615458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3752304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.203.24"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_07; reference:url, urlhaus.abuse.ch/url/3752304/; classtype:trojan-activity;sid:84615404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3751589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"81.229.60.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_06; reference:url, urlhaus.abuse.ch/url/3751589/; classtype:trojan-activity;sid:84614689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3750631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security/wizvera/delfino-g3/delfino-g3.exe"; depth:43; endswith; nocase; http.host; content:"download.kbcard.com"; depth:19; isdataat:!1,relative; metadata:created_at 2026_01_05; reference:url, urlhaus.abuse.ch/url/3750631/; classtype:trojan-activity;sid:84613731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3750143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.49.202.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_04; reference:url, urlhaus.abuse.ch/url/3750143/; classtype:trojan-activity;sid:84613243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buding/dbghelp.dll"; depth:19; endswith; nocase; http.host; content:"45.125.44.137"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_03; reference:url, urlhaus.abuse.ch/url/3749771/; classtype:trojan-activity;sid:84612871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.134.8.43"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3749167/; classtype:trojan-activity;sid:84612267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.249.107.216"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3749168/; classtype:trojan-activity;sid:84612268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3749159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.136.145.238"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3749159/; classtype:trojan-activity;sid:84612259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"14.49.202.139"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3748996/; classtype:trojan-activity;sid:84612096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.229.60.159"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_02; reference:url, urlhaus.abuse.ch/url/3748863/; classtype:trojan-activity;sid:84611963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"116.44.185.140"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748377/; classtype:trojan-activity;sid:84611477; rev:1;)
# NOTE(review): in the run of "/" rules dated 2026_01_01 that follows, five hosts appear twice under
# different sids with identical match options: 103.241.42.40 (84611425/84611266), 199.168.184.115
# (84611379/84611353), 165.73.81.241 (84611361/84611293), 125.253.125.72 (84611275/84611270) and
# 209.250.2.244 (84611252/84611237). One request to such a host raises two alerts. Presumably the
# source entries differ in something the rule does not encode (port or scheme) - confirm on URLhaus,
# and de-duplicate on host + URI when counting hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.241.42.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748325/; classtype:trojan-activity;sid:84611425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"162.215.130.152"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748326/; classtype:trojan-activity;sid:84611426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"104.199.248.167"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748285/; classtype:trojan-activity;sid:84611385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"199.168.184.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748279/; classtype:trojan-activity;sid:84611379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"165.73.81.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748261/; classtype:trojan-activity;sid:84611361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"167.99.0.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748259/; classtype:trojan-activity;sid:84611359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"199.168.184.115"; depth:15; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748253/; classtype:trojan-activity;sid:84611353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"69.48.143.20"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748255/; classtype:trojan-activity;sid:84611355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"3.18.128.17"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748247/; classtype:trojan-activity;sid:84611347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"118.139.167.36"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748243/; classtype:trojan-activity;sid:84611343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"5.35.124.133"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748204/; classtype:trojan-activity;sid:84611304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"94.130.229.174"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748205/; classtype:trojan-activity;sid:84611305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"112.220.72.117"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748201/; classtype:trojan-activity;sid:84611301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"165.73.81.241"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748193/; classtype:trojan-activity;sid:84611293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"98.70.13.131"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748194/; classtype:trojan-activity;sid:84611294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"185.80.0.36"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748180/; classtype:trojan-activity;sid:84611280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"125.253.125.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748175/; classtype:trojan-activity;sid:84611275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"103.241.42.40"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748166/; classtype:trojan-activity;sid:84611266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"125.253.125.72"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748170/; classtype:trojan-activity;sid:84611270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"209.250.2.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748152/; classtype:trojan-activity;sid:84611252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"201.182.25.51"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748165/; classtype:trojan-activity;sid:84611265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"209.250.2.244"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748137/; classtype:trojan-activity;sid:84611237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"150.95.27.35"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748127/; classtype:trojan-activity;sid:84611227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"18.176.47.246"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748104/; classtype:trojan-activity;sid:84611204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"44.208.147.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748110/; classtype:trojan-activity;sid:84611210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"95.154.194.17"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748112/; classtype:trojan-activity;sid:84611212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"192.155.93.247"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748115/; classtype:trojan-activity;sid:84611215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"35.226.92.8"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748119/; classtype:trojan-activity;sid:84611219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"69.57.163.151"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748122/; classtype:trojan-activity;sid:84611222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"178.210.83.9"; depth:12; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748069/; classtype:trojan-activity;sid:84611169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"74.50.99.45"; depth:11; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748074/; classtype:trojan-activity;sid:84611174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3748028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"13.58.223.243"; depth:13; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3748028/; classtype:trojan-activity;sid:84611128; rev:1;)
# The next six rules all target 58.182.146.104 and differ only in the file name under /sda1/
# (.lnk and .scr variants of video, photo and av).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/video.lnk"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747725/; classtype:trojan-activity;sid:84610825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.scr"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747694/; classtype:trojan-activity;sid:84610794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.lnk"; depth:12; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747690/; classtype:trojan-activity;sid:84610790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/video.scr"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747685/; classtype:trojan-activity;sid:84610785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.scr"; depth:12; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747686/; classtype:trojan-activity;sid:84610786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.lnk"; depth:15; endswith; nocase; http.host; content:"58.182.146.104"; depth:14; isdataat:!1,relative; metadata:created_at 2026_01_01; reference:url, urlhaus.abuse.ch/url/3747684/; classtype:trojan-activity;sid:84610784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3747046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maishywuqoskfa.zip"; depth:19; endswith; nocase; http.host; content:"www.hotelrhousecuscoperu.com"; depth:28; isdataat:!1,relative; metadata:created_at 2025_12_31; reference:url, urlhaus.abuse.ch/url/3747046/; classtype:trojan-activity;sid:84610146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3746867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_30; reference:url, urlhaus.abuse.ch/url/3746867/; classtype:trojan-activity;sid:84609967; rev:1;)
# The next two rules carry the same script path on two host names under youstarsbuilding.com.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3746316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxp/i/522f8dbab717f669a06afa9122107971.js"; depth:42; endswith; nocase; http.host; content:"ob.youstarsbuilding.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_12_30; reference:url, urlhaus.abuse.ch/url/3746316/; classtype:trojan-activity;sid:84609416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3746314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxp/i/522f8dbab717f669a06afa9122107971.js"; depth:42; endswith; nocase; http.host; content:"euob.youstarsbuilding.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_12_30; reference:url, urlhaus.abuse.ch/url/3746314/; classtype:trojan-activity;sid:84609414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745195/; classtype:trojan-activity;sid:84608295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745196/; classtype:trojan-activity;sid:84608296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3745197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745197/; classtype:trojan-activity;sid:84608297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210408/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745192/; classtype:trojan-activity;sid:84608292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3745193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210408/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_28; reference:url, urlhaus.abuse.ch/url/3745193/; classtype:trojan-activity;sid:84608293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c"; depth:2; endswith; nocase; http.host; content:"152.89.247.153"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743457/; classtype:trojan-activity;sid:84606557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxp/i/522f8dbab717f669a06afa9122107971.js"; depth:42; endswith; nocase; http.host; content:"euob.youstarsbuilding.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, 
urlhaus.abuse.ch/url/3743405/; classtype:trojan-activity;sid:84606505; rev:1;)
# NOTE(review): the content below is the percent-encoded spelling of the path, but
# it is matched in http.uri, which Suricata documents as the normalized URI
# (escapes such as %20 are decoded there); http.uri.raw is the buffer that keeps
# the escapes. As written this rule may never match the request it targets.
# Confirm with a test pcap. Candidate fixes are matching in http.uri.raw, or
# writing the decoded bytes in |hex| notation and adjusting depth to the new length.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e6%80%80%e6%97%a7%e8%af%9b%e4%bb%99.exe"; depth:41; endswith; nocase; http.host; content:"202.189.11.21"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743375/; classtype:trojan-activity;sid:84606475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/plugins/sess1594985553/sessiontools/uvsodsae.msi"; depth:55; endswith; nocase; http.host; content:"royalindiancurryclub.com"; depth:24; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743323/; classtype:trojan-activity;sid:84606423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743272/; classtype:trojan-activity;sid:84606372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3743271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_25; reference:url, urlhaus.abuse.ch/url/3743271/; classtype:trojan-activity;sid:84606371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3742013)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3742013/; classtype:trojan-activity;sid:84605113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3742005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3742005/; classtype:trojan-activity;sid:84605105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741991/; classtype:trojan-activity;sid:84605091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"183.83.186.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741976/; classtype:trojan-activity;sid:84605076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741974/; classtype:trojan-activity;sid:84605074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3741972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741972/; classtype:trojan-activity;sid:84605072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741971/; classtype:trojan-activity;sid:84605071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"106.54.220.107"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741968/; classtype:trojan-activity;sid:84605068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250811/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741966/; classtype:trojan-activity;sid:84605066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250809/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_12_24; reference:url, urlhaus.abuse.ch/url/3741967/; classtype:trojan-activity;sid:84605067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210408/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741965/; classtype:trojan-activity;sid:84605065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210408/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741962/; classtype:trojan-activity;sid:84605062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250101/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741963/; classtype:trojan-activity;sid:84605063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741947/; classtype:trojan-activity;sid:84605047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741948)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741948/; classtype:trojan-activity;sid:84605048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741949/; classtype:trojan-activity;sid:84605049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"61.240.239.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_24; reference:url, urlhaus.abuse.ch/url/3741940/; classtype:trojan-activity;sid:84605040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"171.231.131.90"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741528/; classtype:trojan-activity;sid:84604628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.187.54.142"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741523/; classtype:trojan-activity;sid:84604623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3741524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.187.54.142"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741524/; classtype:trojan-activity;sid:84604624; rev:1;)
# NOTE(review): the rule ending above (sid:84604624, URLhaus 3741524) has the same
# http.method, http.uri and http.host match as the rule before it (sid:84604623,
# URLhaus 3741523). One request therefore raises two alerts. Presumably the two
# URLhaus entries differ in a field the rule does not encode, such as scheme or
# port; verify against the entries. Deduplicate on host and URI in alert triage
# rather than counting these as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/auhavkiq.msi"; depth:19; endswith; nocase; http.host; content:"royalindiancurryclub.com"; depth:24; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741336/; classtype:trojan-activity;sid:84604436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741204/; classtype:trojan-activity;sid:84604304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741201/; classtype:trojan-activity;sid:84604301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741202/; 
classtype:trojan-activity;sid:84604302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741193/; classtype:trojan-activity;sid:84604293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741182/; classtype:trojan-activity;sid:84604282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"23.241.17.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741183/; classtype:trojan-activity;sid:84604283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741153/; classtype:trojan-activity;sid:84604253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741109/; classtype:trojan-activity;sid:84604209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741086/; classtype:trojan-activity;sid:84604186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741068/; classtype:trojan-activity;sid:84604168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"182.163.114.232"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741029/; classtype:trojan-activity;sid:84604129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741026/; classtype:trojan-activity;sid:84604126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741024)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741024/; classtype:trojan-activity;sid:84604124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3741009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"124.230.216.19"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3741009/; classtype:trojan-activity;sid:84604109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3740979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3740979/; classtype:trojan-activity;sid:84604079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3740945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"152.230.111.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_23; reference:url, urlhaus.abuse.ch/url/3740945/; classtype:trojan-activity;sid:84604045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3739840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"171.231.131.90"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_22; reference:url, urlhaus.abuse.ch/url/3739840/; classtype:trojan-activity;sid:84602940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3739797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"46.6.14.135"; depth:11; isdataat:!1,relative; metadata:created_at 2025_12_22; reference:url, urlhaus.abuse.ch/url/3739797/; classtype:trojan-activity;sid:84602897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3739558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/4thepool_miner.sh"; depth:26; endswith; nocase; http.host; content:"31.57.109.131"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_21; reference:url, urlhaus.abuse.ch/url/3739558/; classtype:trojan-activity;sid:84602658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3738164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.81.169"; depth:11; isdataat:!1,relative; metadata:created_at 2025_12_20; reference:url, urlhaus.abuse.ch/url/3738164/; classtype:trojan-activity;sid:84601264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3736211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom.xml"; depth:9; endswith; nocase; http.host; content:"hotelsep.blogspot.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_12_18; reference:url, urlhaus.abuse.ch/url/3736211/; classtype:trojan-activity;sid:84599311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3736212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nimper.pdf"; depth:11; endswith; nocase; http.host; content:"www.backupallfresh2030.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_12_18; reference:url, urlhaus.abuse.ch/url/3736212/; 
classtype:trojan-activity;sid:84599312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"2.187.6.236"; depth:11; isdataat:!1,relative; metadata:created_at 2025_12_18; reference:url, urlhaus.abuse.ch/url/3735974/; classtype:trojan-activity;sid:84599074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3735377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.110.182.187"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_17; reference:url, urlhaus.abuse.ch/url/3735377/; classtype:trojan-activity;sid:84598477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3734705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.109.198.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_16; reference:url, urlhaus.abuse.ch/url/3734705/; classtype:trojan-activity;sid:84597805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3734700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.6.196.230"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_16; reference:url, urlhaus.abuse.ch/url/3734700/; classtype:trojan-activity;sid:84597800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3733913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usr/uploads/file/202002/20200210195059_78353.rar"; depth:49; endswith; nocase; http.host; 
content:"zhigao5191.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_15; reference:url, urlhaus.abuse.ch/url/3733913/; classtype:trojan-activity;sid:84597013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"217.75.193.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732386/; classtype:trojan-activity;sid:84595486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732383/; classtype:trojan-activity;sid:84595483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"93.39.215.44"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732378/; classtype:trojan-activity;sid:84595478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3732133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eathena/tools/bymyzter/eabackup.rar"; depth:36; endswith; nocase; http.host; content:"paradox924x.pages.dev"; depth:21; isdataat:!1,relative; metadata:created_at 2025_12_12; reference:url, urlhaus.abuse.ch/url/3732133/; classtype:trojan-activity;sid:84595233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731630)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modelo/cr.exe"; depth:14; endswith; nocase; http.host; content:"joyeriatauro.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_12_11; reference:url, urlhaus.abuse.ch/url/3731630/; classtype:trojan-activity;sid:84594730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modelo/v1d.exe"; depth:15; endswith; nocase; http.host; content:"joyeriatauro.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_12_11; reference:url, urlhaus.abuse.ch/url/3731351/; classtype:trojan-activity;sid:84594451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modelo/c1i.exe"; depth:15; endswith; nocase; http.host; content:"joyeriatauro.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_12_11; reference:url, urlhaus.abuse.ch/url/3731347/; classtype:trojan-activity;sid:84594447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/molo243r/fivem-weather-control/main/pneumonorrhagia/fivem-weather-control.zip"; depth:78; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731299/; classtype:trojan-activity;sid:84594399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nalleysh/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:67; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731286/; classtype:trojan-activity;sid:84594386; rev:1;)
# NOTE(review): the github.com rules on this line are `alert http` rules, so they
# inspect only HTTP that the sensor sees in cleartext. If these downloads are
# fetched over HTTPS (github.com is normally served over TLS; confirm the scheme
# in the URLhaus entry), the rules stay silent unless traffic is decrypted upstream
# of Suricata. TLS SNI or DNS visibility identifies only the shared platform host,
# not the repository path, so coverage for these entries has to come from proxy
# or endpoint telemetry that records the full URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/el1nns/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731287/; classtype:trojan-activity;sid:84594387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d3xxth/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731283/; classtype:trojan-activity;sid:84594383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1llenth/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731271/; classtype:trojan-activity;sid:84594371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rayn1e/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731257/; 
classtype:trojan-activity;sid:84594357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arcellys/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731243/; classtype:trojan-activity;sid:84594343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n1elcery/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731242/; classtype:trojan-activity;sid:84594342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recctan1o/fivem-spoofer/raw/refs/heads/main/cfxbypass.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731239/; classtype:trojan-activity;sid:84594339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kesslyy27/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731238/; classtype:trojan-activity;sid:84594338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3731232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ssten1/temp-spoofer-lifetime/raw/refs/heads/main/tempspoofer.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731232/; classtype:trojan-activity;sid:84594332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3731096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"114.242.100.72"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3731096/; classtype:trojan-activity;sid:84594196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730787/; classtype:trojan-activity;sid:84593887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730785/; classtype:trojan-activity;sid:84593885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, 
urlhaus.abuse.ch/url/3730754/; classtype:trojan-activity;sid:84593854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730727/; classtype:trojan-activity;sid:84593827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730681/; classtype:trojan-activity;sid:84593781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730669/; classtype:trojan-activity;sid:84593769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"203.187.227.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730651/; classtype:trojan-activity;sid:84593751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; 
content:"217.168.136.87"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730594/; classtype:trojan-activity;sid:84593694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/config.json"; depth:31; endswith; nocase; http.host; content:"acaviationsupplies.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730310/; classtype:trojan-activity;sid:84593410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xi3twfy4"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_10; reference:url, urlhaus.abuse.ch/url/3730311/; classtype:trojan-activity;sid:84593411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3730017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkjmt.exe"; depth:11; endswith; nocase; http.host; content:"www.mevetlab.cl"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_09; reference:url, urlhaus.abuse.ch/url/3730017/; classtype:trojan-activity;sid:84593117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"180.76.141.175"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_09; reference:url, urlhaus.abuse.ch/url/3729861/; classtype:trojan-activity;sid:84592961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3729846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.129.182.138"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_09; reference:url, urlhaus.abuse.ch/url/3729846/; classtype:trojan-activity;sid:84592946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/panel/uploads/optimized_msi.png"; depth:35; endswith; nocase; http.host; content:"bvaco.com"; depth:9; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729416/; classtype:trojan-activity;sid:84592516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/clean/clean.apk"; depth:23; endswith; nocase; http.host; content:"static.youdm.cn"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729248/; classtype:trojan-activity;sid:84592348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3729188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"86.89.95.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_12_08; reference:url, urlhaus.abuse.ch/url/3729188/; classtype:trojan-activity;sid:84592288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3726789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test"; depth:5; endswith; nocase; http.host; content:"141.11.240.103"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_06; reference:url, urlhaus.abuse.ch/url/3726789/; 
classtype:trojan-activity;sid:84589889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3726005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receipt_11_26_2025.msi"; depth:23; endswith; nocase; http.host; content:"alineeleuterio.com.br"; depth:21; isdataat:!1,relative; metadata:created_at 2025_12_05; reference:url, urlhaus.abuse.ch/url/3726005/; classtype:trojan-activity;sid:84589105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rd.exe"; depth:7; endswith; nocase; http.host; content:"193.37.69.43"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725511/; classtype:trojan-activity;sid:84588611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"182.73.129.30"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725395/; classtype:trojan-activity;sid:84588495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/redmi%20ax3000/%e8%b7%af%e7%94%b1%e5%99%a8%e4%bf%ae%e5%a4%8d%e5%b7%a5%e5%85%b7/miwifirepairtool.x86.zip"; depth:109; endswith; nocase; http.host; content:"hzxcaq-github-io.pages.dev"; depth:26; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725201/; classtype:trojan-activity;sid:84588301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725129)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"115.190.161.178"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725129/; classtype:trojan-activity;sid:84588229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3725126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.137.149.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3725126/; classtype:trojan-activity;sid:84588226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gretech/promotion_sw/gomplayer/fastping_silent_v4.exe"; depth:54; endswith; nocase; http.host; content:"cdn.gomlab.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3724888/; classtype:trojan-activity;sid:84587988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/linux/linux.tar.gz"; depth:23; endswith; nocase; http.host; content:"miner.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3724884/; classtype:trojan-activity;sid:84587984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win/miner.zip"; depth:18; endswith; nocase; http.host; content:"miner.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_04; reference:url, urlhaus.abuse.ch/url/3724883/; 
classtype:trojan-activity;sid:84587983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hrcxpywfcshe8.bin"; depth:18; endswith; nocase; http.host; content:"www.mobimpex.ro"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724236/; classtype:trojan-activity;sid:84587336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/res/keditor/2019_11/3c7a829a_893c_4f02_a407_6b0918c321c2.rar"; depth:61; endswith; nocase; http.host; content:"en.taichuan.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724034/; classtype:trojan-activity;sid:84587134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3724008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/krnl.lua.script.injector.v1.3.4.zip"; depth:36; endswith; nocase; http.host; content:"injectroblox.ru"; depth:15; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3724008/; classtype:trojan-activity;sid:84587108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3723880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoftbs.exe"; depth:16; endswith; nocase; http.host; content:"120.48.115.29"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_03; reference:url, urlhaus.abuse.ch/url/3723880/; classtype:trojan-activity;sid:84586980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3722915)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/fent.mpsl"; depth:10; endswith; nocase; http.host; content:"23.95.248.41"; depth:12; isdataat:!1,relative; metadata:created_at 2025_12_02; reference:url, urlhaus.abuse.ch/url/3722915/; classtype:trojan-activity;sid:84586015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3722385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"138.219.58.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_12_01; reference:url, urlhaus.abuse.ch/url/3722385/; classtype:trojan-activity;sid:84585485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3722069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/top8bet.apk"; depth:16; endswith; nocase; http.host; content:"top8onlinegame.com"; depth:18; isdataat:!1,relative; metadata:created_at 2025_12_01; reference:url, urlhaus.abuse.ch/url/3722069/; classtype:trojan-activity;sid:84585169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"106.13.29.104"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721477/; classtype:trojan-activity;sid:84584577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"72.201.150.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721465/; classtype:trojan-activity;sid:84584565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3721055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e4%ba%a7%e5%93%81%e8%b5%84%e6%96%99%e5%8c%85/%e6%99%ae%e9%80%9a%e5%9e%8b%e4%ba%a7%e5%93%81%e8%b5%84%e6%96%99%e5%8c%85/485%e5%9e%8b%e8%ae%be%e5%a4%87%e8%b5%84%e6%96%99%e5%8c%85.rar"; depth:181; endswith; nocase; http.host; content:"save.jnrsmcu.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721055/; classtype:trojan-activity;sid:84584155; rev:1;)
# NOTE(review): sid:84584152 (next rule) - its http.uri content carries the literal text "...~311~...",
# which looks like an elision marker left by an upstream truncation rather than bytes of the reported
# URL (TODO confirm against the URLhaus entry). The pattern is anchored with depth and endswith, so a
# request for the full URL would not contain this literal and the rule would presumably stay silent.
# The path also shows repeated re-encoding (%c3%a5%c2%a5... for %e5%a5...) and %ef%bf%bd, the UTF-8
# replacement character, so part of the indicator was likely lost before the rule was generated.
# NOTE(review): sid:84584152 and sid:84584155 (ends on the line above) both put %xx escapes inside an
# http.uri content. http.uri is Suricata's normalized URI buffer; if the HTTP parser decodes the
# escapes the pattern will not match. Verify with a capture; http.uri.raw is the buffer that holds
# the undecoded request URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3721052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/%e5%a5%87%e5%a6%99%e5%8a%a0%e9%80%9f%e5%99%a8_2_10004379.exe/%c3%a5%c2%a5%c2%87%c3%a5%c2%a6%c2%99%c3%a5%c2%8a%c2%a0%c3%a9%c2%80%c2%9f%c3%a5%c2%99%c2%a8_2_10004379.exe/%c3%83%c2%a5%c3%82%c2%a5%c3%82%c2%87%c3%83%c2%a5%c3%82%c2%a6%c3%82%c2%99%c3%83%25...~311~...%ef%bf%bd%c3%82%c2%a8_2_10004379.exe"; depth:305; endswith; nocase; http.host; content:"pvsa.gxfugy.cn"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_30; reference:url, urlhaus.abuse.ch/url/3721052/; classtype:trojan-activity;sid:84584152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/payment_receipt_11_28_2025.msi"; depth:31; endswith; nocase; http.host; content:"vizyonuniversitesi.com.tr"; depth:25; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720416/; classtype:trojan-activity;sid:84583516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.107.229.23"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720366/; classtype:trojan-activity;sid:84583466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/av.lnk"; depth:16; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720339/; classtype:trojan-activity;sid:84583439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720337/; classtype:trojan-activity;sid:84583437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/av.scr"; depth:16; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720335/; classtype:trojan-activity;sid:84583435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/video.scr"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720330/; classtype:trojan-activity;sid:84583430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720331)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sda1/rachel/av.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720331/; classtype:trojan-activity;sid:84583431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/video.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720332/; classtype:trojan-activity;sid:84583432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.scr"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720333/; classtype:trojan-activity;sid:84583433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720334/; classtype:trojan-activity;sid:84583434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720329/; classtype:trojan-activity;sid:84583429; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/video.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720327/; classtype:trojan-activity;sid:84583427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/video.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720328/; classtype:trojan-activity;sid:84583428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"31.0.222.123"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720042/; classtype:trojan-activity;sid:84583142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3720037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"31.0.222.123"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3720037/; classtype:trojan-activity;sid:84583137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3719973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"31.0.222.123"; depth:12; isdataat:!1,relative; 
metadata:created_at 2025_11_29; reference:url, urlhaus.abuse.ch/url/3719973/; classtype:trojan-activity;sid:84583073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"89.228.74.4"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718861/; classtype:trojan-activity;sid:84581961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.141.249.234"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718856/; classtype:trojan-activity;sid:84581956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.6.14.135"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718859/; classtype:trojan-activity;sid:84581959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.66.224.73"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_28; reference:url, urlhaus.abuse.ch/url/3718843/; classtype:trojan-activity;sid:84581943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3718114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; 
http.host; content:"47.86.33.195"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_27; reference:url, urlhaus.abuse.ch/url/3718114/; classtype:trojan-activity;sid:84581214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3717880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newwfs/support/customfont.apk"; depth:30; endswith; nocase; http.host; content:"upaicdn.xinmei365.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_11_27; reference:url, urlhaus.abuse.ch/url/3717880/; classtype:trojan-activity;sid:84580980; rev:1;)
# NOTE(review): sid:84580062 (next rule) matches Host "github.com" through the http app-layer parser.
# github.com is normally reached over TLS, so this presumably only fires where HTTPS is decrypted
# ahead of the sensor (TLS-inspecting proxy or similar) - confirm for the deployment. The host is
# shared by unrelated repositories, so the URI path is the only discriminating part of the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pafh99/nanocore-rat-2/raw/refs/heads/master/nanocore_portable.exe"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_26; reference:url, urlhaus.abuse.ch/url/3716962/; classtype:trojan-activity;sid:84580062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/clientbin/dowonline.installer.exe"; depth:34; endswith; nocase; http.host; content:"dowonline.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716299/; classtype:trojan-activity;sid:84579399; rev:1;)
# NOTE(review): the rule for URLhaus entry 3716290 (next) has a %20 escape inside an http.uri content.
# http.uri is Suricata's normalized URI buffer; if the parser decodes the escape to a space, the
# pattern will not match. Verify with a capture; http.uri.raw holds the undecoded request URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baixar/suporte%20winxp-7-8.zip"; depth:31; endswith; nocase; http.host; content:"compuserviceonline.com.br"; depth:25; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716290/; 
classtype:trojan-activity;sid:84579390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3716195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/application/workspace/15/15d4031688cbb71def72a06cf15d7fa1/installer_%e6%99%ba%e8%83%bd%e7%bf%bb%e8%af%91%e5%ae%98_r1.7.9.exe"; depth:125; endswith; nocase; http.host; content:"download2.huduntech.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_25; reference:url, urlhaus.abuse.ch/url/3716195/; classtype:trojan-activity;sid:84579295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3715638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/37/cqsj/official/37cqsj.exe"; depth:28; endswith; nocase; http.host; content:"d.wanyouxi7.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_24; reference:url, urlhaus.abuse.ch/url/3715638/; classtype:trojan-activity;sid:84578738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3715587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elc/filesave/setupfile/edmslaunchersetup.exe"; depth:45; endswith; nocase; http.host; content:"lcportal.kbinsure.co.kr"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_24; reference:url, urlhaus.abuse.ch/url/3715587/; classtype:trojan-activity;sid:84578687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3715175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fo-wsftp605.exe"; depth:16; endswith; nocase; http.host; content:"landonirwin.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_23; reference:url, urlhaus.abuse.ch/url/3715175/; classtype:trojan-activity;sid:84578275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3714116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wizvera/delfino/down/delfino-g3-sha2.exe"; depth:41; endswith; nocase; http.host; content:"www.hwgeneralins.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3714116/; classtype:trojan-activity;sid:84577216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cleaner"; depth:8; endswith; nocase; http.host; content:"gutando.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_22; reference:url, urlhaus.abuse.ch/url/3713850/; classtype:trojan-activity;sid:84576950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.190.74.159"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713493/; classtype:trojan-activity;sid:84576593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stage1.ps1"; depth:11; endswith; nocase; http.host; content:"fb6390d5.infinityindians.pages.dev"; depth:34; isdataat:!1,relative; metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713469/; classtype:trojan-activity;sid:84576569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amsibypass.ps1"; depth:15; endswith; nocase; http.host; content:"fb6390d5.infinityindians.pages.dev"; depth:34; isdataat:!1,relative; 
metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713470/; classtype:trojan-activity;sid:84576570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/bexitor%20installer.exe"; depth:30; endswith; nocase; http.host; content:"matthewsigmondv5.pages.dev"; depth:26; isdataat:!1,relative; metadata:created_at 2025_11_21; reference:url, urlhaus.abuse.ch/url/3713467/; classtype:trojan-activity;sid:84576567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3713131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5t6t.js"; depth:8; endswith; nocase; http.host; content:"petitesalope.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3713131/; classtype:trojan-activity;sid:84576231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"43.156.63.124"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712904/; classtype:trojan-activity;sid:84576004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/av.lnk"; depth:16; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712796/; classtype:trojan-activity;sid:84575896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712795)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712795/; classtype:trojan-activity;sid:84575895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/video.scr"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712794/; classtype:trojan-activity;sid:84575894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.scr"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712791/; classtype:trojan-activity;sid:84575891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/av.scr"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712792/; classtype:trojan-activity;sid:84575892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/av.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712787/; 
classtype:trojan-activity;sid:84575887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/video.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712788/; classtype:trojan-activity;sid:84575888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/photo.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712789/; classtype:trojan-activity;sid:84575889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/mom/photo.lnk"; depth:19; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712785/; classtype:trojan-activity;sid:84575885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/rachel/video.lnk"; depth:22; endswith; nocase; http.host; content:"27.125.169.235"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712786/; classtype:trojan-activity;sid:84575886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/gof.com.my/gz2v8w/y0qt8nphhv1v"; 
depth:33; endswith; nocase; http.host; content:"smartermail.host"; depth:16; isdataat:!1,relative; metadata:created_at 2025_11_20; reference:url, urlhaus.abuse.ch/url/3712393/; classtype:trojan-activity;sid:84575493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3712017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/horioninjector.exe"; depth:23; endswith; nocase; http.host; content:"horion-static.pages.dev"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_19; reference:url, urlhaus.abuse.ch/url/3712017/; classtype:trojan-activity;sid:84575117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bog.apk"; depth:8; endswith; nocase; http.host; content:"bombayonline.in"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_19; reference:url, urlhaus.abuse.ch/url/3711792/; classtype:trojan-activity;sid:84574892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.236.149.142"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3711282/; classtype:trojan-activity;sid:84574382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.107.136.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3711277/; classtype:trojan-activity;sid:84574377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3711278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"47.121.137.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3711278/; classtype:trojan-activity;sid:84574378; rev:1;)
# How the next rule matches, as written: the http.uri content has a depth equal
# to its own length (2 for "/i") plus endswith, and the http.host content has a
# depth equal to its length plus isdataat:!1,relative, so each buffer has to
# equal the listed value (the URI compared case-insensitively via nocase). The
# very short path is therefore only alerted on for host 103.154.90.21, and a
# request to that host with a different path is not covered; presumably the
# same holds for an appended query string, since the whole URI buffer must end
# with the content. The rule inspects the client request only
# (flow:from_client, method GET): an alert shows the URL was requested, not
# that a payload was returned, so triage should check the response and the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3711212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.154.90.21"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3711212/; classtype:trojan-activity;sid:84574312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sfyhmsqlexrtjetiqydog74.bin"; depth:28; endswith; nocase; http.host; content:"dexios.co.za"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3710993/; classtype:trojan-activity;sid:84574093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brkopsluth.emz"; depth:15; endswith; nocase; http.host; content:"dexios.co.za"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_18; reference:url, urlhaus.abuse.ch/url/3710988/; classtype:trojan-activity;sid:84574088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auo1.exe"; depth:9; endswith; nocase; http.host; content:"a-gwo.pages.dev"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, 
urlhaus.abuse.ch/url/3710498/; classtype:trojan-activity;sid:84573598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/screenconnect.clientsetup.msi"; depth:34; endswith; nocase; http.host; content:"rheddh.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710456/; classtype:trojan-activity;sid:84573556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-19/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710416/; classtype:trojan-activity;sid:84573516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-29/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710404/; classtype:trojan-activity;sid:84573504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-03-23/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710394/; classtype:trojan-activity;sid:84573494; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-03/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710388/; classtype:trojan-activity;sid:84573488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-04-23/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710390/; classtype:trojan-activity;sid:84573490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-10-11/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710385/; classtype:trojan-activity;sid:84573485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-02-26/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710370/; classtype:trojan-activity;sid:84573470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3710371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-27/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710371/; classtype:trojan-activity;sid:84573471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-09-25/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710362/; classtype:trojan-activity;sid:84573462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-06-22/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710351/; classtype:trojan-activity;sid:84573451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2019-07-05/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710353/; classtype:trojan-activity;sid:84573453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3710340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2023-02-01/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710340/; classtype:trojan-activity;sid:84573440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-07-27/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710343/; classtype:trojan-activity;sid:84573443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-06/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710334/; classtype:trojan-activity;sid:84573434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-11/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710323/; classtype:trojan-activity;sid:84573423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710327)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-11-22/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710327/; classtype:trojan-activity;sid:84573427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-09-28/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710316/; classtype:trojan-activity;sid:84573416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-12-23/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710318/; classtype:trojan-activity;sid:84573418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/2019-05-02/info.zip"; depth:69; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710311/; classtype:trojan-activity;sid:84573411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710313)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-12-14/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710313/; classtype:trojan-activity;sid:84573413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-21/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710287/; classtype:trojan-activity;sid:84573387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-18/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710288/; classtype:trojan-activity;sid:84573388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-06-20/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_17; reference:url, urlhaus.abuse.ch/url/3710284/; classtype:trojan-activity;sid:84573384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710011)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/soulclientwtf/lnk/raw/refs/heads/main/execute"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_16; reference:url, urlhaus.abuse.ch/url/3710011/; classtype:trojan-activity;sid:84573111; rev:1;)
# NOTE(review): the rule ending on the line above (host github.com) and the rule
# on the next line (host raw.githubusercontent.com) are "alert http" rules, so
# they fire only on HTTP requests the sensor can parse: cleartext, or TLS that
# is decrypted before inspection. These hosts are normally reached over HTTPS,
# so without decryption these two SIDs will presumably stay silent; coverage
# for the URLs would then have to come from proxy or endpoint telemetry. Both
# rules require the exact host and the exact path (depth equal to the content
# length, endswith / isdataat:!1,relative), so other content served from the
# same hosts does not trigger them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3710010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soulclientwtf/lnk/refs/heads/main/execute"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_11_16; reference:url, urlhaus.abuse.ch/url/3710010/; classtype:trojan-activity;sid:84573110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709309/; classtype:trojan-activity;sid:84572409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-05-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709306/; classtype:trojan-activity;sid:84572406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709292/; classtype:trojan-activity;sid:84572392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709293/; classtype:trojan-activity;sid:84572393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-03-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709294/; classtype:trojan-activity;sid:84572394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709296/; classtype:trojan-activity;sid:84572396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-08-23/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; 
reference:url, urlhaus.abuse.ch/url/3709298/; classtype:trojan-activity;sid:84572398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709299/; classtype:trojan-activity;sid:84572399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-05-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709301/; classtype:trojan-activity;sid:84572401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-10-20/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709302/; classtype:trojan-activity;sid:84572402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-03-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709303/; 
classtype:trojan-activity;sid:84572403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-05-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709304/; classtype:trojan-activity;sid:84572404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-24/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709305/; classtype:trojan-activity;sid:84572405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-08-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709288/; classtype:trojan-activity;sid:84572388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709290/; classtype:trojan-activity;sid:84572390; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2024-01-26/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709291/; classtype:trojan-activity;sid:84572391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-07-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709272/; classtype:trojan-activity;sid:84572372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-08-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709273/; classtype:trojan-activity;sid:84572373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-08-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709274/; classtype:trojan-activity;sid:84572374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3709275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-04-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709275/; classtype:trojan-activity;sid:84572375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709276/; classtype:trojan-activity;sid:84572376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2022-01-20/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709277/; classtype:trojan-activity;sid:84572377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709278/; classtype:trojan-activity;sid:84572378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709280)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-06-29/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709280/; classtype:trojan-activity;sid:84572380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709284/; classtype:trojan-activity;sid:84572384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709285/; classtype:trojan-activity;sid:84572385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-11-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709286/; classtype:trojan-activity;sid:84572386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709287)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-10-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709287/; classtype:trojan-activity;sid:84572387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2020-10-10/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709271/; classtype:trojan-activity;sid:84572371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-01-29/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709255/; classtype:trojan-activity;sid:84572355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-06-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709258/; classtype:trojan-activity;sid:84572358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709261)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709261/; classtype:trojan-activity;sid:84572361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2022-03-02/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709262/; classtype:trojan-activity;sid:84572362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-08-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709263/; classtype:trojan-activity;sid:84572363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-05-11/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709264/; classtype:trojan-activity;sid:84572364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709248)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-03-03/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709248/; classtype:trojan-activity;sid:84572348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-11/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709250/; classtype:trojan-activity;sid:84572350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-11-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709251/; classtype:trojan-activity;sid:84572351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2024-01-17/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709253/; classtype:trojan-activity;sid:84572353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709254)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-11-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709254/; classtype:trojan-activity;sid:84572354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709244/; classtype:trojan-activity;sid:84572344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709245/; classtype:trojan-activity;sid:84572345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-01-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709247/; classtype:trojan-activity;sid:84572347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-07-07/info.zip"; depth:49; endswith; 
nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709240/; classtype:trojan-activity;sid:84572340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-02-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709239/; classtype:trojan-activity;sid:84572339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-11-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709234/; classtype:trojan-activity;sid:84572334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709235/; classtype:trojan-activity;sid:84572335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; 
reference:url, urlhaus.abuse.ch/url/3709236/; classtype:trojan-activity;sid:84572336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-04-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709237/; classtype:trojan-activity;sid:84572337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-07-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709238/; classtype:trojan-activity;sid:84572338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709229/; classtype:trojan-activity;sid:84572329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2022-07-22/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709230/; 
classtype:trojan-activity;sid:84572330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-10-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709231/; classtype:trojan-activity;sid:84572331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709232/; classtype:trojan-activity;sid:84572332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-09-16/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709233/; classtype:trojan-activity;sid:84572333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2019-07-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709220/; classtype:trojan-activity;sid:84572320; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-03-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709221/; classtype:trojan-activity;sid:84572321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-07-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709223/; classtype:trojan-activity;sid:84572323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-12-26/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709224/; classtype:trojan-activity;sid:84572324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-03-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709225/; classtype:trojan-activity;sid:84572325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3709227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-03-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709227/; classtype:trojan-activity;sid:84572327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709219/; classtype:trojan-activity;sid:84572319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-06-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709217/; classtype:trojan-activity;sid:84572317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709213/; classtype:trojan-activity;sid:84572313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709214)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-01-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709214/; classtype:trojan-activity;sid:84572314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709209/; classtype:trojan-activity;sid:84572309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-07-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709210/; classtype:trojan-activity;sid:84572310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-04-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709211/; classtype:trojan-activity;sid:84572311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709201)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2022-03-06/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709201/; classtype:trojan-activity;sid:84572301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-03-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709202/; classtype:trojan-activity;sid:84572302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709203/; classtype:trojan-activity;sid:84572303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2020-10-12/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709204/; classtype:trojan-activity;sid:84572304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709205)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709205/; classtype:trojan-activity;sid:84572305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-03-02/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709206/; classtype:trojan-activity;sid:84572306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-02-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709207/; classtype:trojan-activity;sid:84572307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-04-04/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709193/; classtype:trojan-activity;sid:84572293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709194)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709194/; classtype:trojan-activity;sid:84572294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-05-01/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709195/; classtype:trojan-activity;sid:84572295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-08-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709197/; classtype:trojan-activity;sid:84572297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-11/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709199/; classtype:trojan-activity;sid:84572299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2019-10-15/info.zip"; depth:58; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709200/; classtype:trojan-activity;sid:84572300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2020-07-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709192/; classtype:trojan-activity;sid:84572292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709190/; classtype:trojan-activity;sid:84572290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-11-28/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709191/; classtype:trojan-activity;sid:84572291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-07-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709186/; classtype:trojan-activity;sid:84572286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-10-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709187/; classtype:trojan-activity;sid:84572287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-07-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709188/; classtype:trojan-activity;sid:84572288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2025-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709175/; classtype:trojan-activity;sid:84572275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-05-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, 
urlhaus.abuse.ch/url/3709176/; classtype:trojan-activity;sid:84572276; rev:1;)
# Every rule below is an exact-match IoC for one download URL on host 177.70.102.228:
#   - http.method must be GET;
#   - http.uri must equal the quoted path (depth equals the content length, plus endswith; nocase);
#   - http.host must equal the quoted address (depth equals its length; isdataat:!1,relative
#     requires that nothing follows it).
# NOTE(review): http.uri is Suricata's normalized URI buffer, while the contents below carry
# percent-escapes (%c3%a7%c3%a3o, %20, %c3%a1). If normalization decodes those escapes on the
# sensor, the literal "%xx" text is not present in http.uri and the rule cannot fire; http.uri.raw
# is the buffer that holds the URI as sent. Confirm by replaying a capture of a matching request.
# Scope: "alert http" with $HOME_NET -> $EXTERNAL_NET and flow:established,from_client covers
# outbound cleartext HTTP requests only; the same path fetched over TLS, or with a host name
# instead of the IP in the Host header, is not matched by these signatures.
# Triage hint: all rules in this run share the host and the /tmpftp/ path prefix, so their alerts
# can be grouped per client rather than handled one SID at a time.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709177/; classtype:trojan-activity;sid:84572277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709179/; classtype:trojan-activity;sid:84572279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-09-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709180/; classtype:trojan-activity;sid:84572280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709181/; classtype:trojan-activity;sid:84572281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709182/; classtype:trojan-activity;sid:84572282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-08-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709185/; classtype:trojan-activity;sid:84572285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-07-17/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709165/; classtype:trojan-activity;sid:84572265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-07-04/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709166/; classtype:trojan-activity;sid:84572266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000162/2024-01-22/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709167/; classtype:trojan-activity;sid:84572267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2022-01-27/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709168/; classtype:trojan-activity;sid:84572268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-06-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709169/; classtype:trojan-activity;sid:84572269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-02/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709170/; classtype:trojan-activity;sid:84572270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709171/; classtype:trojan-activity;sid:84572271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-11-15/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709172/; classtype:trojan-activity;sid:84572272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-12-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709173/; classtype:trojan-activity;sid:84572273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-08-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709161/; classtype:trojan-activity;sid:84572261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709162/; classtype:trojan-activity;sid:84572262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-01-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709159/; classtype:trojan-activity;sid:84572259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-07-06/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709158/; classtype:trojan-activity;sid:84572258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000758/2022-03-02/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709152/; classtype:trojan-activity;sid:84572252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2019-10-17/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709153/; classtype:trojan-activity;sid:84572253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2024-01-24/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709154/; classtype:trojan-activity;sid:84572254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-06-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709155/; classtype:trojan-activity;sid:84572255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709156/; classtype:trojan-activity;sid:84572256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2023-08-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709157/; classtype:trojan-activity;sid:84572257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-05-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709143/; classtype:trojan-activity;sid:84572243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-10-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709145/; classtype:trojan-activity;sid:84572245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-07-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709147/; classtype:trojan-activity;sid:84572247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709149/; classtype:trojan-activity;sid:84572249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709150/; classtype:trojan-activity;sid:84572250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-05-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709151/; classtype:trojan-activity;sid:84572251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-09-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709140/; classtype:trojan-activity;sid:84572240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709141/; classtype:trojan-activity;sid:84572241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-08-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709139/; classtype:trojan-activity;sid:84572239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-11-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709138/; classtype:trojan-activity;sid:84572238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-08-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709130/; classtype:trojan-activity;sid:84572230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709131/; classtype:trojan-activity;sid:84572231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2019-05-31/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709132/; classtype:trojan-activity;sid:84572232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709133/; classtype:trojan-activity;sid:84572233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-11-27/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709135/; classtype:trojan-activity;sid:84572235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-06-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709136/; classtype:trojan-activity;sid:84572236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709128/; classtype:trojan-activity;sid:84572228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-09-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709112/; classtype:trojan-activity;sid:84572212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709113/; classtype:trojan-activity;sid:84572213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-11-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709114/; classtype:trojan-activity;sid:84572214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-04-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709115/; classtype:trojan-activity;sid:84572215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-03-17/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709116/; classtype:trojan-activity;sid:84572216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709117/; classtype:trojan-activity;sid:84572217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-12-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709119/; classtype:trojan-activity;sid:84572219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-03-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709120/; classtype:trojan-activity;sid:84572220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-08-16/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709121/; classtype:trojan-activity;sid:84572221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709123/; classtype:trojan-activity;sid:84572223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-06-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709124/; classtype:trojan-activity;sid:84572224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-03-16/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709126/; classtype:trojan-activity;sid:84572226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709109/; classtype:trojan-activity;sid:84572209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-06-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709111/; classtype:trojan-activity;sid:84572211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709104/; classtype:trojan-activity;sid:84572204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2024-12-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709105/; classtype:trojan-activity;sid:84572205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-08-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709107/; classtype:trojan-activity;sid:84572207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709108/; classtype:trojan-activity;sid:84572208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-09-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709103/; classtype:trojan-activity;sid:84572203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-10-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709096/; classtype:trojan-activity;sid:84572196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-15/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709097/; classtype:trojan-activity;sid:84572197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-31/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709098/; classtype:trojan-activity;sid:84572198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-12-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709099/; classtype:trojan-activity;sid:84572199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-07-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709100/; classtype:trojan-activity;sid:84572200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709088/; classtype:trojan-activity;sid:84572188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-10-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709089/; classtype:trojan-activity;sid:84572189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-11-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709090/; classtype:trojan-activity;sid:84572190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709091/; classtype:trojan-activity;sid:84572191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-01-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709092/; classtype:trojan-activity;sid:84572192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2022-10-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709093/; classtype:trojan-activity;sid:84572193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2021-03-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709078/; classtype:trojan-activity;sid:84572178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2024-09-27/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709079/; classtype:trojan-activity;sid:84572179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2024-09-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709080/; classtype:trojan-activity;sid:84572180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-09-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709081/; classtype:trojan-activity;sid:84572181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709083/; classtype:trojan-activity;sid:84572183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-17/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709084/; classtype:trojan-activity;sid:84572184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-11-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709085/; classtype:trojan-activity;sid:84572185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-12/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709086/; classtype:trojan-activity;sid:84572186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709087/; classtype:trojan-activity;sid:84572187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-05-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709075/; classtype:trojan-activity;sid:84572175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709076)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-01-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709076/; classtype:trojan-activity;sid:84572176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-05-30/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709077/; classtype:trojan-activity;sid:84572177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2023-06-24/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709054/; classtype:trojan-activity;sid:84572154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-05-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709055/; classtype:trojan-activity;sid:84572155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709056)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2019-09-26/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709056/; classtype:trojan-activity;sid:84572156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-07-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709059/; classtype:trojan-activity;sid:84572159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-02-20/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709060/; classtype:trojan-activity;sid:84572160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2021-02-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709061/; classtype:trojan-activity;sid:84572161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709064)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2022-10-05/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709064/; classtype:trojan-activity;sid:84572164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-06-01/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709065/; classtype:trojan-activity;sid:84572165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2020-11-02/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709066/; classtype:trojan-activity;sid:84572166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-18/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709067/; classtype:trojan-activity;sid:84572167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709069)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-01-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709069/; classtype:trojan-activity;sid:84572169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000136/2020-07-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709070/; classtype:trojan-activity;sid:84572170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-09-29/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709072/; classtype:trojan-activity;sid:84572172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-11-18/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709042/; classtype:trojan-activity;sid:84572142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709043)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-09-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709043/; classtype:trojan-activity;sid:84572143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2024-09-17/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709044/; classtype:trojan-activity;sid:84572144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-04-28/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709045/; classtype:trojan-activity;sid:84572145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000677/2019-03-20/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709046/; classtype:trojan-activity;sid:84572146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709047)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-06-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709047/; classtype:trojan-activity;sid:84572147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709048/; classtype:trojan-activity;sid:84572148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-10-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709049/; classtype:trojan-activity;sid:84572149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000910/2023-06-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709050/; classtype:trojan-activity;sid:84572150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709051)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-03-17/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709051/; classtype:trojan-activity;sid:84572151; rev:1;)
# NOTE(review): the http.uri content below keeps literal percent-escapes
# (%c3%a7, %c3%a3, %20, %c3%a1) and depth:77 equals the length of that escaped
# string. http.uri inspects the normalized URI; if the sensor's HTTP
# normalization decodes these escapes, neither the content nor the depth lines
# up and the rule stays silent. Verify against a capture; http.uri.raw is the
# buffer that holds the URI as sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3709052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos%20autom%c3%a1ticos/2022-11-06/info.zip"; depth:77; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_15; reference:url, urlhaus.abuse.ch/url/3709052/; classtype:trojan-activity;sid:84572152; rev:1;)
# depth:2 together with endswith pins http.uri to exactly "/i" (nocase), so the
# URI part alone is very generic. The specificity comes from the http.host
# match, which depth:15 and isdataat:!1,relative pin to the whole buffer.
# NOTE(review): created_at here is 2025_11_14 while the file header reports a
# 2026-06-02 update; for a bare-IP host, check the referenced URLhaus entry for
# current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3708476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.143.158.122"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_14; reference:url, urlhaus.abuse.ch/url/3708476/; classtype:trojan-activity;sid:84571576; rev:1;)
# Hostname indicator: the match is on the Host header value, whatever address
# the name resolves to.
# NOTE(review): the /wp-content/uploads/ path suggests a WordPress site,
# possibly a compromised legitimate one — confirm on the URLhaus entry before
# treating other traffic to this host as malicious.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3707697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2019/04/pieletjf.exe"; depth:40; endswith; nocase; http.host; content:"theoremaoliveoil.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_11_14; reference:url, urlhaus.abuse.ch/url/3707697/; classtype:trojan-activity;sid:84570797; rev:1;)
# GET /sshd on host 117.247.101.61. The same conditions appear again below
# under sid:84567623.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.101.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704600/; classtype:trojan-activity;sid:84567700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.216.139.127"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704602/; classtype:trojan-activity;sid:84567702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.78.182.254"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704547/; classtype:trojan-activity;sid:84567623; rev:1;)
# NOTE(review): method, URI and host conditions are identical to sid:84567700
# (URLhaus 3704600) above; only msg, reference and sid differ. A single
# matching request raises both alerts, so correlate or deduplicate on
# host + URI downstream rather than counting them as separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.101.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704523/; classtype:trojan-activity;sid:84567623; rev:1;)
# NOTE(review): `alert http` inspects cleartext HTTP only. The host here is
# github.com, which is normally reached over HTTPS, so this rule is likely to
# stay silent unless TLS is decrypted ahead of the sensor — confirm coverage
# (proxy or endpoint telemetry may be the better place for this indicator).
# The URI is what identifies the download; the host alone is shared with
# unrelated content and must not be alerted on by itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3704158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leinchchanceleinch/jik/raw/refs/heads/main/dev.msi"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_11_13; reference:url, urlhaus.abuse.ch/url/3704158/; classtype:trojan-activity;sid:84567258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3703801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/photo.scr"; depth:19; 
endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_12; reference:url, urlhaus.abuse.ch/url/3703801/; classtype:trojan-activity;sid:84566901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3703731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_12; reference:url, urlhaus.abuse.ch/url/3703731/; classtype:trojan-activity;sid:84566831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702204/; classtype:trojan-activity;sid:84565304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702202/; classtype:trojan-activity;sid:84565302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702201/; classtype:trojan-activity;sid:84565301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3702199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702199/; classtype:trojan-activity;sid:84565299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702178/; classtype:trojan-activity;sid:84565278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702166/; classtype:trojan-activity;sid:84565266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250416/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702156/; classtype:trojan-activity;sid:84565256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; 
reference:url, urlhaus.abuse.ch/url/3702157/; classtype:trojan-activity;sid:84565257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702158/; classtype:trojan-activity;sid:84565258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702152/; classtype:trojan-activity;sid:84565252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702147/; classtype:trojan-activity;sid:84565247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702142/; classtype:trojan-activity;sid:84565242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702143)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/20250210/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702143/; classtype:trojan-activity;sid:84565243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250416/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702134/; classtype:trojan-activity;sid:84565234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702136/; classtype:trojan-activity;sid:84565236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702130/; classtype:trojan-activity;sid:84565230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250416/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702131/; classtype:trojan-activity;sid:84565231; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702132/; classtype:trojan-activity;sid:84565232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702122/; classtype:trojan-activity;sid:84565222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702123/; classtype:trojan-activity;sid:84565223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702121/; classtype:trojan-activity;sid:84565221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702119/; classtype:trojan-activity;sid:84565219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702115/; classtype:trojan-activity;sid:84565215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702105/; classtype:trojan-activity;sid:84565205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702102/; classtype:trojan-activity;sid:84565202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3702103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220623/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3702103/; classtype:trojan-activity;sid:84565203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701934)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/20180102/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701934/; classtype:trojan-activity;sid:84565034; rev:1;)
# The next three rules target host 111.59.254.165 and differ only in an
# 8-digit directory name and the file name (video.scr, video.lnk, av.lnk).
# Each pins the full URI (depth + endswith), so a request to the same host
# under a directory value the feed has not listed is not matched.
# NOTE(review): if hits on this host matter, complement these exact-URL
# signatures with host-level indicator matching (e.g. proxy or flow logs)
# rather than relying on the enumerated paths alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701924/; classtype:trojan-activity;sid:84565024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701905/; classtype:trojan-activity;sid:84565005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20180102/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_10; reference:url, urlhaus.abuse.ch/url/3701906/; classtype:trojan-activity;sid:84565006; rev:1;)
# depth:9 with endswith pins http.uri to exactly "/info.zip" at the URI root;
# depth:13 with isdataat:!1,relative pins http.host to exactly "144.2.111.169".
# Both buffers must match for the alert to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"144.2.111.169"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_09; reference:url, urlhaus.abuse.ch/url/3701320/; classtype:trojan-activity;sid:84564420; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3701203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scoto.jpb"; depth:10; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_09; reference:url, urlhaus.abuse.ch/url/3701203/; classtype:trojan-activity;sid:84564303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700329/; classtype:trojan-activity;sid:84563429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"36.158.34.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700268/; classtype:trojan-activity;sid:84563368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700199/; classtype:trojan-activity;sid:84563299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"36.158.34.122"; depth:13; isdataat:!1,relative; metadata:created_at 
2025_11_08; reference:url, urlhaus.abuse.ch/url/3700187/; classtype:trojan-activity;sid:84563287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700112/; classtype:trojan-activity;sid:84563212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3700015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3700015/; classtype:trojan-activity;sid:84563115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699997/; classtype:trojan-activity;sid:84563097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"119.91.141.214"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699967/; classtype:trojan-activity;sid:84563067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; 
nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699839/; classtype:trojan-activity;sid:84562939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699812/; classtype:trojan-activity;sid:84562912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699768/; classtype:trojan-activity;sid:84562868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"190.196.38.77"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699578/; classtype:trojan-activity;sid:84562678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699459/; classtype:trojan-activity;sid:84562559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3699462)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"163.53.178.8"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_08; reference:url, urlhaus.abuse.ch/url/3699462/; classtype:trojan-activity;sid:84562562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reprofo.mso"; depth:12; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_07; reference:url, urlhaus.abuse.ch/url/3698699/; classtype:trojan-activity;sid:84561799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"83.229.126.183"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698418/; classtype:trojan-activity;sid:84561518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.241.74.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698365/; classtype:trojan-activity;sid:84561465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698078/; 
classtype:trojan-activity;sid:84561178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698077/; classtype:trojan-activity;sid:84561177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230517/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698067/; classtype:trojan-activity;sid:84561167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250210/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698070/; classtype:trojan-activity;sid:84561170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20140730/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698059/; classtype:trojan-activity;sid:84561159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250309/av.lnk"; depth:16; endswith; nocase; 
http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698057/; classtype:trojan-activity;sid:84561157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3698058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20240113/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3698058/; classtype:trojan-activity;sid:84561158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zddtxxyxb.zip"; depth:14; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697910/; classtype:trojan-activity;sid:84561010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i24.bin"; depth:8; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697909/; classtype:trojan-activity;sid:84561009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/husk.zip"; depth:9; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697908/; classtype:trojan-activity;sid:84561008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697906)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/without_hook.zip"; depth:17; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697906/; classtype:trojan-activity;sid:84561006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/husk.py"; depth:8; endswith; nocase; http.host; content:"101.35.56.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697870/; classtype:trojan-activity;sid:84560970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697816/; classtype:trojan-activity;sid:84560916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"36.158.34.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697809/; classtype:trojan-activity;sid:84560909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tran.dsp"; depth:9; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697791/; classtype:trojan-activity;sid:84560891; rev:1;) 
# NOTE(review): the rules in this span share one generated template. Each
# alerts on a client-side HTTP request from $HOME_NET to $EXTERNAL_NET (any
# port) whose method contains GET, whose http.uri equals the listed path
# (depth set to the pattern length plus endswith, case-insensitive) and whose
# http.host equals the listed host (depth plus isdataat:!1,relative).
# They are exact-URL indicators: a changed path, or a fetch the sensor cannot
# parse as HTTP, is not covered. Use the reference URL in each rule for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3697789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aibkp63.bin"; depth:12; endswith; nocase; http.host; content:"www.jozefinskiatelje.si"; depth:23; isdataat:!1,relative; metadata:created_at 2025_11_06; reference:url, urlhaus.abuse.ch/url/3697789/; classtype:trojan-activity;sid:84560889; rev:1;)
# NOTE(review): sid 84560092 matches a gist.githubusercontent.com URL with an
# "alert http" rule. That host is normally reached over HTTPS, so this rule
# presumably fires only where TLS is decrypted ahead of the sensor - confirm
# coverage, and back it with proxy or endpoint telemetry that records the
# full URL (the hostname alone is shared by unrelated content).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1l4m/2e771fb306028fabfc8e098427181f78/raw/37f3db6b29d64f1045fb60967d6297f525ddf443/iamthedanger.txt"; depth:101; endswith; nocase; http.host; content:"gist.githubusercontent.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_11_05; reference:url, urlhaus.abuse.ch/url/3696992/; classtype:trojan-activity;sid:84560092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696133/; classtype:trojan-activity;sid:84559233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696129/; classtype:trojan-activity;sid:84559229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696114/; classtype:trojan-activity;sid:84559214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696096/; classtype:trojan-activity;sid:84559196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696086/; classtype:trojan-activity;sid:84559186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696066/; classtype:trojan-activity;sid:84559166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"144.2.111.169"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696043/; classtype:trojan-activity;sid:84559143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696003/; classtype:trojan-activity;sid:84559103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3696004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3696004/; classtype:trojan-activity;sid:84559104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.94.199.139"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695955/; classtype:trojan-activity;sid:84559055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"166.143.253.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695937/; classtype:trojan-activity;sid:84559037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695898/; classtype:trojan-activity;sid:84558998; rev:1;)
# NOTE(review): generated exact-URL indicators. Each rule alerts on a
# client-side HTTP request from $HOME_NET to $EXTERNAL_NET (any port) whose
# method contains GET, whose http.uri equals the listed path and whose
# http.host equals the listed host. The destination port is not constrained.
#
# NOTE(review): sids 84558984 and 84558975 have identical match conditions
# (GET /photo.scr, host 76.94.199.139), so a single request raises both
# alerts. The two URLhaus entries presumably differ in something this
# template does not encode (e.g. port or scheme) - check the reference URLs,
# and count hits per host + URI rather than per sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.94.199.139"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695884/; classtype:trojan-activity;sid:84558984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.94.199.139"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695875/; classtype:trojan-activity;sid:84558975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695854/; classtype:trojan-activity;sid:84558954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"63.47.210.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_04; reference:url, urlhaus.abuse.ch/url/3695827/; classtype:trojan-activity;sid:84558927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.242.9"; depth:12; isdataat:!1,relative; metadata:created_at 2025_11_03; reference:url, urlhaus.abuse.ch/url/3695119/; classtype:trojan-activity;sid:84558219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.227.134"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_03; reference:url, urlhaus.abuse.ch/url/3695114/; classtype:trojan-activity;sid:84558214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3695080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.86.246.233"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_03; reference:url, urlhaus.abuse.ch/url/3695080/; classtype:trojan-activity;sid:84558180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3693496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"36.92.110.187"; depth:13; isdataat:!1,relative; metadata:created_at 2025_11_01; reference:url, urlhaus.abuse.ch/url/3693496/; classtype:trojan-activity;sid:84556596; rev:1;)
# NOTE(review): sid 84554544 here and sid 84552813 two rules below also share
# identical match conditions (GET /02.08.2022.exe, host 8.137.149.67) and
# differ only in created_at and reference - same double-alert caveat.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3691444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.137.149.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_30; reference:url, urlhaus.abuse.ch/url/3691444/; classtype:trojan-activity;sid:84554544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3691440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"179.43.186.214"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_30; reference:url, urlhaus.abuse.ch/url/3691440/; classtype:trojan-activity;sid:84554540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3689713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"8.137.149.67"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_28; reference:url, urlhaus.abuse.ch/url/3689713/; classtype:trojan-activity;sid:84552813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3689700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.197.62.195"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_28; reference:url, urlhaus.abuse.ch/url/3689700/; classtype:trojan-activity;sid:84552800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmr.exe"; depth:8; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688692/; classtype:trojan-activity;sid:84551792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1"; depth:2; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688658/; classtype:trojan-activity;sid:84551758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32.exe"; depth:7; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688659/; classtype:trojan-activity;sid:84551759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3688660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2"; depth:2; endswith; nocase; http.host; content:"178.16.54.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_27; reference:url, urlhaus.abuse.ch/url/3688660/; classtype:trojan-activity;sid:84551760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3687916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y6m2uw0dgi.js"; depth:14; endswith; nocase; http.host; content:"filerit.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_26; reference:url, urlhaus.abuse.ch/url/3687916/; classtype:trojan-activity;sid:84551016; rev:1;)
# NOTE(review): sids 84551014 (an r2.dev bucket host) and 84550853
# (raw.githubusercontent.com) are "alert http" rules for hosts that are
# normally reached over HTTPS. They presumably fire only where TLS is
# decrypted ahead of the sensor - confirm coverage and pair them with proxy
# or endpoint telemetry that records the full URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3687914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4aa9fqc792.ps1"; depth:15; endswith; nocase; http.host; content:"pub-bfc34934a91a4893817098f73415917a.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2025_10_26; reference:url, urlhaus.abuse.ch/url/3687914/; classtype:trojan-activity;sid:84551014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3687753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zibll001/ffff/refs/heads/main/web.sh"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_26; reference:url, urlhaus.abuse.ch/url/3687753/; classtype:trojan-activity;sid:84550853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3685141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/var/albums/etkinlikler/toplanti/2013/soran.jpg.jpeg"; depth:52; endswith; nocase; http.host; content:"galeri3.arkitera.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_10_24; reference:url, urlhaus.abuse.ch/url/3685141/; classtype:trojan-activity;sid:84548241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoom/windows/download.php"; depth:26; endswith; nocase; http.host; content:"khoancatbetong89.vn"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684806/; classtype:trojan-activity;sid:84547906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/photo.scr"; depth:15; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684352/; classtype:trojan-activity;sid:84547452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/video.lnk"; depth:19; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684353/; classtype:trojan-activity;sid:84547453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684354)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sda1/upg/av.lnk"; depth:16; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684354/; classtype:trojan-activity;sid:84547454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/upg/video.scr"; depth:19; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684347/; classtype:trojan-activity;sid:84547447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/av.scr"; depth:12; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684348/; classtype:trojan-activity;sid:84547448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3684350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sda1/video.scr"; depth:15; endswith; nocase; http.host; content:"218.212.2.95"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_23; reference:url, urlhaus.abuse.ch/url/3684350/; classtype:trojan-activity;sid:84547450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onastroll-2000f5n/5vcye/releases/download/v1.2/launcher.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_22; reference:url, urlhaus.abuse.ch/url/3683567/; classtype:trojan-activity;sid:84546667; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=107.173.101.114|7c|26|7c|p=10000|7c|26|7c|t=tcp|7c|26|7c|a=w64|7c|26|7c|stage=true"; depth:89; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_21; reference:url, urlhaus.abuse.ch/url/3683253/; classtype:trojan-activity;sid:84546353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/|3f|h=107.173.101.114|7c|26|7c|p=10000|7c|26|7c|t=tcp|7c|26|7c|a=w32|7c|26|7c|stage=true"; depth:89; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_21; reference:url, urlhaus.abuse.ch/url/3683254/; classtype:trojan-activity;sid:84546354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3683250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/swt"; depth:4; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_21; reference:url, urlhaus.abuse.ch/url/3683250/; classtype:trojan-activity;sid:84546350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3682316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wheatw.pfm"; depth:11; endswith; nocase; http.host; content:"tehnomag.rs"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_20; reference:url, urlhaus.abuse.ch/url/3682316/; classtype:trojan-activity;sid:84545416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3681048)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"143.92.43.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_18; reference:url, urlhaus.abuse.ch/url/3681048/; classtype:trojan-activity;sid:84544148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3680322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/x64-setup.exe"; depth:18; endswith; nocase; http.host; content:"tapestryoftruth.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_18; reference:url, urlhaus.abuse.ch/url/3680322/; classtype:trojan-activity;sid:84543422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3678940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prefiction.mp4"; depth:15; endswith; nocase; http.host; content:"www.sgeseducation.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_10_15; reference:url, urlhaus.abuse.ch/url/3678940/; classtype:trojan-activity;sid:84542040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3678923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"50.43.160.231"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_15; reference:url, urlhaus.abuse.ch/url/3678923/; classtype:trojan-activity;sid:84542023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3678015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.234.234.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_14; reference:url, urlhaus.abuse.ch/url/3678015/; classtype:trojan-activity;sid:84541115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3677521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/info.zip"; depth:19; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_14; reference:url, urlhaus.abuse.ch/url/3677521/; classtype:trojan-activity;sid:84540621; rev:1;)
# Each rule here alerts on an HTTP GET from $HOME_NET whose URI and Host header match one URLhaus entry
# case-insensitively and in full (depth equals the pattern length; endswith / isdataat:!1,relative forbid
# trailing bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3669939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.140.248.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_12; reference:url, urlhaus.abuse.ch/url/3669939/; classtype:trojan-activity;sid:84533039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3669896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/build.exe"; depth:31; endswith; nocase; http.host; content:"serasoo.direct.quickconnect.to"; depth:30; isdataat:!1,relative; metadata:created_at 2025_10_12; reference:url, urlhaus.abuse.ch/url/3669896/; classtype:trojan-activity;sid:84532996; rev:1;)
# NOTE(review): sid 84531747 is an "alert http" rule, so it only inspects requests that Suricata parses as HTTP.
# github.com is normally reached over HTTPS, so without TLS decryption this rule presumably sees at most an
# initial plain-HTTP request; rely on proxy or endpoint telemetry for real coverage of this URL.
# The path looks like a release asset of the xmrig/xmrig repository, so a hit means a host requested the miner
# package - triage whether that is an intrusion or a policy violation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3668647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.24.0/xmrig-6.24.0-windows-x64.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_11; reference:url, urlhaus.abuse.ch/url/3668647/; classtype:trojan-activity;sid:84531747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3668586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; 
content:"apn-87-251-249-41.static.gprs.plus.pl"; depth:37; isdataat:!1,relative; metadata:created_at 2025_10_11; reference:url, urlhaus.abuse.ch/url/3668586/; classtype:trojan-activity;sid:84531686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667589/; classtype:trojan-activity;sid:84530689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/av.scr"; depth:20; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667586/; classtype:trojan-activity;sid:84530686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667588/; classtype:trojan-activity;sid:84530688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/photo.scr"; depth:23; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667585/; 
classtype:trojan-activity;sid:84530685; rev:1;)
# Each rule here alerts on an HTTP GET from $HOME_NET whose URI and Host header match one URLhaus entry
# case-insensitively and in full (depth equals the pattern length; endswith / isdataat:!1,relative forbid
# trailing bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667584/; classtype:trojan-activity;sid:84530684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3667583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"132.red-81-42-249.staticip.rima-tde.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_10_10; reference:url, urlhaus.abuse.ch/url/3667583/; classtype:trojan-activity;sid:84530683; rev:1;)
# NOTE(review): sids 84529195 and 84529191 below match the literal text "%c3%a7%c3%a3o" in http.uri. Suricata
# documents http.uri as the normalized URI, in which percent-encoding is decoded, so these patterns likely miss
# a request for this path. Verify with a capture; matching on http.uri.raw, or on the decoded bytes
# |c3 a7 c3 a3| followed by "o" with depth adjusted, would be the usual alternatives.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666095/; classtype:trojan-activity;sid:84529195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3666091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-07/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3666091/; classtype:trojan-activity;sid:84529191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665801)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"120.79.192.88"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665801/; classtype:trojan-activity;sid:84528901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665803/; classtype:trojan-activity;sid:84528903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665799/; classtype:trojan-activity;sid:84528899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"75.144.208.234"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665788/; classtype:trojan-activity;sid:84528888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"75.144.208.234"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665779/; classtype:trojan-activity;sid:84528879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3665767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665767/; classtype:trojan-activity;sid:84528867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"210.91.88.90"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665760/; classtype:trojan-activity;sid:84528860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"102.53.15.17"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665747/; classtype:trojan-activity;sid:84528847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"195.103.203.106"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665742/; classtype:trojan-activity;sid:84528842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"126.23.203.236"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665715/; 
classtype:trojan-activity;sid:84528815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665712/; classtype:trojan-activity;sid:84528812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"81.133.96.61"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665709/; classtype:trojan-activity;sid:84528809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665699/; classtype:trojan-activity;sid:84528799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"81.133.96.61"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665677/; classtype:trojan-activity;sid:84528777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"87.227.140.66"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665669/; classtype:trojan-activity;sid:84528769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665664/; classtype:trojan-activity;sid:84528764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"130.185.193.208"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665656/; classtype:trojan-activity;sid:84528756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachment/productcode/info.zip"; depth:32; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665645/; classtype:trojan-activity;sid:84528745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachment/trkjob/info.zip"; depth:27; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665643/; classtype:trojan-activity;sid:84528743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665644)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/info.zip"; depth:23; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665644/; classtype:trojan-activity;sid:84528744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/system_web/info.zip"; depth:34; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665639/; classtype:trojan-activity;sid:84528739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check_update_apk/info.zip"; depth:26; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665635/; classtype:trojan-activity;sid:84528735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/info.zip"; depth:14; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665636/; classtype:trojan-activity;sid:84528736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc/aspnet_client/system_web/info.zip"; depth:39; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, 
urlhaus.abuse.ch/url/3665637/; classtype:trojan-activity;sid:84528737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/template/info.zip"; depth:18; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665634/; classtype:trojan-activity;sid:84528734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc/info.zip"; depth:14; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665633/; classtype:trojan-activity;sid:84528733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfg/info.zip"; depth:13; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665630/; classtype:trojan-activity;sid:84528730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc/aspnet_client/info.zip"; depth:28; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665627/; classtype:trojan-activity;sid:84528727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665626)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/toupdateapk/info.zip"; depth:21; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665626/; classtype:trojan-activity;sid:84528726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc/cys/info.zip"; depth:18; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665625/; classtype:trojan-activity;sid:84528725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachment/sysreport/info.zip"; depth:30; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665624/; classtype:trojan-activity;sid:84528724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc/testappicon/info.zip"; depth:26; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665622/; classtype:trojan-activity;sid:84528722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc/null/info.zip"; depth:19; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665623/; classtype:trojan-activity;sid:84528723; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachment/info.zip"; depth:20; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665621/; classtype:trojan-activity;sid:84528721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc-testapp-/info.zip"; depth:23; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665619/; classtype:trojan-activity;sid:84528719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qdsc/liubin/info.zip"; depth:21; endswith; nocase; http.host; content:"106.38.32.194"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665616/; classtype:trojan-activity;sid:84528716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3665612)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"80.147.155.189"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_09; reference:url, urlhaus.abuse.ch/url/3665612/; classtype:trojan-activity;sid:84528712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3664885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"120.79.192.88"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_10_08; reference:url, urlhaus.abuse.ch/url/3664885/; classtype:trojan-activity;sid:84527985; rev:1;)
# Each rule here alerts on an HTTP GET from $HOME_NET whose URI and Host header match one URLhaus entry
# case-insensitively and in full: depth normally equals the pattern length, and endswith / isdataat:!1,relative
# forbid trailing bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3662908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"143.92.43.153"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_07; reference:url, urlhaus.abuse.ch/url/3662908/; classtype:trojan-activity;sid:84526008; rev:1;)
# NOTE(review): sids 84525905 (github.com) and 84524535 (drive.google.com) are "alert http" rules, so they only
# inspect requests that Suricata parses as HTTP. Both hosts are normally reached over HTTPS, so without TLS
# decryption these rules presumably see at most an initial plain-HTTP request; rely on proxy or endpoint
# telemetry for real coverage of these URLs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3662805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asmroyal/cd4/releases/download/cd4/cd4.exe"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_07; reference:url, urlhaus.abuse.ch/url/3662805/; classtype:trojan-activity;sid:84525905; rev:1;)
# NOTE(review): sid 84524535 writes the query separator as |7c|26|7c|. In content syntax |7c| is the pipe byte,
# so this decodes to the four literal characters "|26|", not to "&" (0x26, written |26|). Presumably the feed
# generator escaped "&" and then escaped the resulting pipes again; if the listed URL uses a plain "&", the rule
# cannot match it - confirm against the URLhaus entry. depth:68 is the length of the escaped text, while the
# decoded pattern is 59 bytes, so only endswith anchors the match.
# The file id is lower-cased and matched with nocase, so the rule does not distinguish ids that differ only in
# letter case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3661435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1afutsiefohaia02gkfjdbgn-kk91hksb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_10_07; reference:url, urlhaus.abuse.ch/url/3661435/; classtype:trojan-activity;sid:84524535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660696/; classtype:trojan-activity;sid:84523796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3660690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660690/; classtype:trojan-activity;sid:84523790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660688/; classtype:trojan-activity;sid:84523788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660679/; classtype:trojan-activity;sid:84523779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660677/; classtype:trojan-activity;sid:84523777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, 
urlhaus.abuse.ch/url/3660676/; classtype:trojan-activity;sid:84523776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660675/; classtype:trojan-activity;sid:84523775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660674/; classtype:trojan-activity;sid:84523774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660672/; classtype:trojan-activity;sid:84523772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660671/; classtype:trojan-activity;sid:84523771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; 
endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660670/; classtype:trojan-activity;sid:84523770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660668/; classtype:trojan-activity;sid:84523768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660669/; classtype:trojan-activity;sid:84523769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660666/; classtype:trojan-activity;sid:84523766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660660/; classtype:trojan-activity;sid:84523760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3660659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660659/; classtype:trojan-activity;sid:84523759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660657/; classtype:trojan-activity;sid:84523757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660658/; classtype:trojan-activity;sid:84523758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660655/; classtype:trojan-activity;sid:84523755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660656/; 
classtype:trojan-activity;sid:84523756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660654/; classtype:trojan-activity;sid:84523754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660652/; classtype:trojan-activity;sid:84523752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660653/; classtype:trojan-activity;sid:84523753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660647/; classtype:trojan-activity;sid:84523747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/av.scr"; depth:16; endswith; nocase; 
http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660648/; classtype:trojan-activity;sid:84523748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660649/; classtype:trojan-activity;sid:84523749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/av.scr"; depth:20; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660644/; classtype:trojan-activity;sid:84523744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-02-radiole/photo.scr"; depth:23; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660642/; classtype:trojan-activity;sid:84523742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660641/; classtype:trojan-activity;sid:84523741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3660640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660640/; classtype:trojan-activity;sid:84523740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660639/; classtype:trojan-activity;sid:84523739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660638/; classtype:trojan-activity;sid:84523738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660637/; classtype:trojan-activity;sid:84523737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20220801/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, 
urlhaus.abuse.ch/url/3660636/; classtype:trojan-activity;sid:84523736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660635/; classtype:trojan-activity;sid:84523735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660634/; classtype:trojan-activity;sid:84523734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660633/; classtype:trojan-activity;sid:84523733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660631/; classtype:trojan-activity;sid:84523731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/video.scr"; 
depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660630/; classtype:trojan-activity;sid:84523730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660629/; classtype:trojan-activity;sid:84523729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660627/; classtype:trojan-activity;sid:84523727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660626/; classtype:trojan-activity;sid:84523726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660624/; classtype:trojan-activity;sid:84523724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3660622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660622/; classtype:trojan-activity;sid:84523722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660623/; classtype:trojan-activity;sid:84523723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660621/; classtype:trojan-activity;sid:84523721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660620/; classtype:trojan-activity;sid:84523720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_06; reference:url, urlhaus.abuse.ch/url/3660619/; classtype:trojan-activity;sid:84523719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660618/; classtype:trojan-activity;sid:84523718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660615/; classtype:trojan-activity;sid:84523715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660616/; classtype:trojan-activity;sid:84523716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660614/; classtype:trojan-activity;sid:84523714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660613)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/20250722/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660613/; classtype:trojan-activity;sid:84523713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660611/; classtype:trojan-activity;sid:84523711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660608/; classtype:trojan-activity;sid:84523708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660607/; classtype:trojan-activity;sid:84523707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660605/; classtype:trojan-activity;sid:84523705; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660603/; classtype:trojan-activity;sid:84523703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250302/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660599/; classtype:trojan-activity;sid:84523699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660596/; classtype:trojan-activity;sid:84523696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660595/; classtype:trojan-activity;sid:84523695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660594/; classtype:trojan-activity;sid:84523694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660592/; classtype:trojan-activity;sid:84523692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660593/; classtype:trojan-activity;sid:84523693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660590/; classtype:trojan-activity;sid:84523690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660591/; classtype:trojan-activity;sid:84523691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660587)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/20250703/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660587/; classtype:trojan-activity;sid:84523687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660588/; classtype:trojan-activity;sid:84523688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250408/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660589/; classtype:trojan-activity;sid:84523689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660584/; classtype:trojan-activity;sid:84523684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250726/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660581/; classtype:trojan-activity;sid:84523681; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660582/; classtype:trojan-activity;sid:84523682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20221020/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660580/; classtype:trojan-activity;sid:84523680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660577/; classtype:trojan-activity;sid:84523677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250703/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660575/; classtype:trojan-activity;sid:84523675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20210118/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660576/; classtype:trojan-activity;sid:84523676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660573/; classtype:trojan-activity;sid:84523673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250724/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660574/; classtype:trojan-activity;sid:84523674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250615/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660571/; classtype:trojan-activity;sid:84523671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660569/; classtype:trojan-activity;sid:84523669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660570)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250621/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660570/; classtype:trojan-activity;sid:84523670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250725/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660568/; classtype:trojan-activity;sid:84523668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660563/; classtype:trojan-activity;sid:84523663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660564/; classtype:trojan-activity;sid:84523664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660559/; 
classtype:trojan-activity;sid:84523659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250721/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660560/; classtype:trojan-activity;sid:84523660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250708/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660561/; classtype:trojan-activity;sid:84523661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20230507/photo.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660558/; classtype:trojan-activity;sid:84523658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660552/; classtype:trojan-activity;sid:84523652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250722/photo.lnk"; depth:19; endswith; 
nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660553/; classtype:trojan-activity;sid:84523653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/20250713/photo.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660554/; classtype:trojan-activity;sid:84523654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pathdata/info.zip"; depth:18; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660536/; classtype:trojan-activity;sid:84523636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sxs/info.zip"; depth:13; endswith; nocase; http.host; content:"110.227.197.204"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660537/; classtype:trojan-activity;sid:84523637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/info.zip"; depth:14; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660538/; classtype:trojan-activity;sid:84523638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3660513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"143.92.43.231"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660513/; classtype:trojan-activity;sid:84523613; rev:1;)
# Each rule in this section is an exact-match indicator for one URLhaus entry:
#   - http.method "GET" only; other methods are not covered.
#   - http.uri content with depth equal to the content length plus endswith, so the
#     whole URI buffer must equal the listed path (a query string appended to the
#     same path does not match).
#   - http.host content with depth equal to the content length plus
#     isdataat:!1,relative, so the host buffer must equal the listed IP literal.
# The rules use the http protocol keyword, so they only see requests Suricata can
# parse as HTTP; the same download over TLS is not covered unless traffic is
# decrypted before inspection.
# The URI below is only two bytes ("/i"); the host match is what makes this rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.246.178.42"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660487/; classtype:trojan-activity;sid:84523587; rev:1;)
# The rules below reuse a small set of file names (av.lnk, av.scr, photo.lnk,
# photo.scr, video.lnk, video.scr) across several host IPs. Each rule is tied to
# one IP, so another host serving the same names is not covered until the feed
# lists it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660332/; classtype:trojan-activity;sid:84523432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660331/; classtype:trojan-activity;sid:84523431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660329/; classtype:trojan-activity;sid:84523429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660328/; classtype:trojan-activity;sid:84523428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3660327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"81.42.249.132"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3660327/; classtype:trojan-activity;sid:84523427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659836/; classtype:trojan-activity;sid:84522936; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"46.77.51.179"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659835/; classtype:trojan-activity;sid:84522935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659834/; classtype:trojan-activity;sid:84522934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659833/; classtype:trojan-activity;sid:84522933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"46.77.51.179"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659801/; classtype:trojan-activity;sid:84522901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"93.82.169.218"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659796/; classtype:trojan-activity;sid:84522896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"93.82.169.218"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659797/; classtype:trojan-activity;sid:84522897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3659779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; 
http.host; content:"46.77.52.190"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_06; reference:url, urlhaus.abuse.ch/url/3659779/; classtype:trojan-activity;sid:84522879; rev:1;)
# The rules below for host 177.70.102.228 match long /tmpftp/... paths whose
# content strings contain percent-encoded bytes (%c3%a7, %c3%a3). The depth
# values count the encoded form (for example 74 bytes for the consulta paths).
# NOTE(review): http.uri is Suricata's normalized URI buffer. If the deployed
# configuration percent-decodes the path, the literal "%c3%a7" / "%c3%a3"
# sequences are not present in that buffer and these rules cannot match.
# Confirm with a test capture before relying on them; http.uri.raw is the
# buffer that holds the URI as sent on the wire.
# As with the rest of this ruleset, uri and host are exact matches
# (depth + endswith, depth + isdataat:!1,relative) on a plain-HTTP GET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2025-01-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658970/; classtype:trojan-activity;sid:84522070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2019-10-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658962/; classtype:trojan-activity;sid:84522062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2020-09-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658957/; classtype:trojan-activity;sid:84522057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-07-30/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658903/; classtype:trojan-activity;sid:84522003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000640/2023-11-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658778/; classtype:trojan-activity;sid:84521878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/situa%c3%a7%c3%a3o/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658670/; classtype:trojan-activity;sid:84521770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-03-10/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658610/; classtype:trojan-activity;sid:84521710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2023-03-04/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658568/; classtype:trojan-activity;sid:84521668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2021-07-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658555/; classtype:trojan-activity;sid:84521655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2020-12-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658437/; classtype:trojan-activity;sid:84521537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2022-04-22/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658282/; classtype:trojan-activity;sid:84521382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2023-11-09/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658247/; classtype:trojan-activity;sid:84521347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2019-12-28/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658173/; classtype:trojan-activity;sid:84521273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000640/2022-04-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658159/; classtype:trojan-activity;sid:84521259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000721/2021-10-21/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658106/; classtype:trojan-activity;sid:84521206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2023-12-25/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658091/; classtype:trojan-activity;sid:84521191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2024-04-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658087/; classtype:trojan-activity;sid:84521187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3658061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000596/2021-08-28/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_05; reference:url, urlhaus.abuse.ch/url/3658061/; classtype:trojan-activity;sid:84521161; rev:1;)
# From here the entries return to short root-level file names on other hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656729/; classtype:trojan-activity;sid:84519829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656727/; classtype:trojan-activity;sid:84519827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; 
depth:10; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656726/; classtype:trojan-activity;sid:84519826; rev:1;)
# All rules in this section carry created_at 2025_10_04 and match one of seven
# root-level file names (av.lnk, av.scr, photo.lnk, photo.scr, video.lnk,
# video.scr, info.zip) on a specific host IP.
# Matching is exact on both buffers: depth equals the content length and is
# combined with endswith (http.uri) or isdataat:!1,relative (http.host), so a
# request with a query string, a different path prefix, or a Host value other
# than the listed IP literal does not alert.
# Because every rule pairs a file name with a single IP, the same file names
# served from a host the feed has not listed are not detected here; a local
# rule on the file-name set alone would be broader but would need its own
# false-positive review.
# Only plain-HTTP GET requests from $HOME_NET to $EXTERNAL_NET are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"47.104.96.89"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656725/; classtype:trojan-activity;sid:84519825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"92.150.82.148"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656720/; classtype:trojan-activity;sid:84519820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656717/; classtype:trojan-activity;sid:84519817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656718/; classtype:trojan-activity;sid:84519818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656708/; classtype:trojan-activity;sid:84519808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656709/; classtype:trojan-activity;sid:84519809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656710/; classtype:trojan-activity;sid:84519810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656707/; classtype:trojan-activity;sid:84519807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656704/; classtype:trojan-activity;sid:84519804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656701/; classtype:trojan-activity;sid:84519801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656696/; classtype:trojan-activity;sid:84519796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656693/; classtype:trojan-activity;sid:84519793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"217.115.212.126"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656692/; classtype:trojan-activity;sid:84519792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656677/; classtype:trojan-activity;sid:84519777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"68.224.70.241"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656671/; classtype:trojan-activity;sid:84519771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656672/; classtype:trojan-activity;sid:84519772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"180.76.153.78"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656666/; classtype:trojan-activity;sid:84519766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656667/; classtype:trojan-activity;sid:84519767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"92.150.82.148"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656662/; classtype:trojan-activity;sid:84519762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656663/; classtype:trojan-activity;sid:84519763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656661/; classtype:trojan-activity;sid:84519761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656658/; classtype:trojan-activity;sid:84519758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656654/; classtype:trojan-activity;sid:84519754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656648/; classtype:trojan-activity;sid:84519748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"94.226.135.252"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656646/; classtype:trojan-activity;sid:84519746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656638/; classtype:trojan-activity;sid:84519738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656639/; classtype:trojan-activity;sid:84519739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656634/; classtype:trojan-activity;sid:84519734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656635/; classtype:trojan-activity;sid:84519735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"68.224.70.241"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656636/; classtype:trojan-activity;sid:84519736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656632/; classtype:trojan-activity;sid:84519732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656630/; classtype:trojan-activity;sid:84519730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656627/; classtype:trojan-activity;sid:84519727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656621/; classtype:trojan-activity;sid:84519721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656611/; classtype:trojan-activity;sid:84519711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656608/; classtype:trojan-activity;sid:84519708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656609/; classtype:trojan-activity;sid:84519709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.206.139.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656601/; classtype:trojan-activity;sid:84519701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"90.8.145.102"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656602/; classtype:trojan-activity;sid:84519702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656592/; classtype:trojan-activity;sid:84519692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"180.148.33.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656594/; classtype:trojan-activity;sid:84519694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.8.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656581/; classtype:trojan-activity;sid:84519681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"179.214.0.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656577/; classtype:trojan-activity;sid:84519677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.130.209.104"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656574/; classtype:trojan-activity;sid:84519674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656569/; classtype:trojan-activity;sid:84519669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"188.118.38.161"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656566/; classtype:trojan-activity;sid:84519666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656552/; classtype:trojan-activity;sid:84519652; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.240.211.121"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656555/; classtype:trojan-activity;sid:84519655; rev:1;)
# Several rules below for host 177.70.102.228 match /tmpftp/... paths whose
# content strings contain percent-encoded sequences (%c3%a7, %c3%a3, %20); the
# depth values (87, 62) count the encoded form.
# NOTE(review): http.uri is Suricata's normalized URI buffer. If the deployed
# configuration percent-decodes the path, those literal "%xx" sequences are not
# present in the buffer and the affected rules cannot match. Confirm with a test
# capture; http.uri.raw is the buffer that holds the URI as sent on the wire.
# The /tmpftp/01/cancelamento/... rules (depth:43) contain no encoded bytes and
# are not affected by that question.
# All rules here are exact matches on uri (depth + endswith) and host
# (depth + isdataat:!1,relative) for plain-HTTP GET requests only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656503/; classtype:trojan-activity;sid:84519603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656456/; classtype:trojan-activity;sid:84519556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656398/; classtype:trojan-activity;sid:84519498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"45.118.32.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656154/; classtype:trojan-activity;sid:84519254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656061/; classtype:trojan-activity;sid:84519161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-26/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656060/; classtype:trojan-activity;sid:84519160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656059/; classtype:trojan-activity;sid:84519159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656056/; classtype:trojan-activity;sid:84519156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656057/; classtype:trojan-activity;sid:84519157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-05-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656054/; classtype:trojan-activity;sid:84519154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656051/; classtype:trojan-activity;sid:84519151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656050/; classtype:trojan-activity;sid:84519150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656047/; classtype:trojan-activity;sid:84519147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656037/; classtype:trojan-activity;sid:84519137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656038/; classtype:trojan-activity;sid:84519138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656030/; classtype:trojan-activity;sid:84519130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3656021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656021/; classtype:trojan-activity;sid:84519121; rev:1;)
# How to read the rules in this feed: each one pins a single URLhaus entry.
#   - http.method "GET"
#   - http.uri: depth equals the pattern length and endswith anchors the end,
#     so the whole buffer must equal the pattern (case-insensitively, via
#     nocase). A request with an added query string or any other path
#     variation falls outside the match.
#   - http.host: depth plus isdataat:!1,relative leaves no room for extra
#     bytes, so the host must equal the listed value.
# Only request fields are inspected (flow:established,from_client), so an alert
# shows that a client asked for the URL, not that a payload came back. Check
# the HTTP response and file logs during triage.
# These are "alert http" rules, so they see only traffic the engine parses as
# HTTP; the same URL fetched over TLS is out of scope unless it is decrypted
# upstream.
# NOTE(review): rules 3656021 and 3655977 in this group have identical match
# conditions (GET /photo.lnk on the same host), so one request raises two
# alerts. Correlate on host + URI rather than on sid when counting events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656019/; classtype:trojan-activity;sid:84519119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3656007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3656007/; classtype:trojan-activity;sid:84519107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655981/; classtype:trojan-activity;sid:84519081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655977/;
classtype:trojan-activity;sid:84519077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-12-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655975/; classtype:trojan-activity;sid:84519075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"185.43.45.171"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655973/; classtype:trojan-activity;sid:84519073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655969/; classtype:trojan-activity;sid:84519069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655908/; classtype:trojan-activity;sid:84519008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; 
http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655903/; classtype:trojan-activity;sid:84519003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655896/; classtype:trojan-activity;sid:84518996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655887/; classtype:trojan-activity;sid:84518987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-05-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655880/; classtype:trojan-activity;sid:84518980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"70.95.233.160"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655875/; classtype:trojan-activity;sid:84518975; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-06-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655867/; classtype:trojan-activity;sid:84518967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655860/; classtype:trojan-activity;sid:84518960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655851/; classtype:trojan-activity;sid:84518951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655844/; classtype:trojan-activity;sid:84518944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655845)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-07-14/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655845/; classtype:trojan-activity;sid:84518945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655839/; classtype:trojan-activity;sid:84518939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655837/; classtype:trojan-activity;sid:84518937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655834/; classtype:trojan-activity;sid:84518934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655829/; classtype:trojan-activity;sid:84518929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-01-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655824/; classtype:trojan-activity;sid:84518924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655806/; classtype:trojan-activity;sid:84518906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-01-31/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655803/; classtype:trojan-activity;sid:84518903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655801/; classtype:trojan-activity;sid:84518901; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2023-06-22/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655799/; classtype:trojan-activity;sid:84518899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-14/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655797/; classtype:trojan-activity;sid:84518897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655792/; classtype:trojan-activity;sid:84518892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-06-02/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655787/; classtype:trojan-activity;sid:84518887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655784)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655784/; classtype:trojan-activity;sid:84518884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655783/; classtype:trojan-activity;sid:84518883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655781/; classtype:trojan-activity;sid:84518881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655775/; classtype:trojan-activity;sid:84518875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655774/; classtype:trojan-activity;sid:84518874; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655768/; classtype:trojan-activity;sid:84518868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655766/; classtype:trojan-activity;sid:84518866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655761/; classtype:trojan-activity;sid:84518861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655757/; classtype:trojan-activity;sid:84518857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3655754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655754/; classtype:trojan-activity;sid:84518854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655753/; classtype:trojan-activity;sid:84518853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655751/; classtype:trojan-activity;sid:84518851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655748/; classtype:trojan-activity;sid:84518848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-06-22/info.zip"; depth:62; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655743/; classtype:trojan-activity;sid:84518843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655745/; classtype:trojan-activity;sid:84518845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655731/; classtype:trojan-activity;sid:84518831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655730/; classtype:trojan-activity;sid:84518830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655718/; classtype:trojan-activity;sid:84518818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655717)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655717/; classtype:trojan-activity;sid:84518817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655714/; classtype:trojan-activity;sid:84518814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655699/; classtype:trojan-activity;sid:84518799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655701/; classtype:trojan-activity;sid:84518801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"92.150.82.148"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655703/; 
classtype:trojan-activity;sid:84518803; rev:1;)
# URLhaus entries with metadata created_at 2025_10_04, laid out one rule per line.
# Every rule below has the same shape:
#   flow:established,from_client          client side of an established flow
#   http.method; content:"GET"            method buffer contains GET
#   http.uri; content:"<path>"; depth:N; endswith; nocase
#       N is the content length and endswith pins the end of the buffer, so the
#       whole URI buffer has to equal <path>, compared case-insensitively.
#   http.host; content:"<ip>"; depth:N; isdataat:!1,relative
#       N is the content length and isdataat:!1 requires that no byte follows
#       the match, so the host buffer has to equal <ip>.
# The msg text, the reference URL and the sid all carry the URLhaus entry id;
# in the rules visible here sid = entry id + 80863100.
# Scope: the rules inspect HTTP requests from $HOME_NET to $EXTERNAL_NET only.
#
# NOTE(review): many /tmpftp/ paths below contain percent-escapes (%20, %c3%a7, %c3%a3)
# inside an http.uri match. The Suricata documentation describes http.uri as the
# normalized URI (where %20 becomes a space) and http.uri.raw as the buffer that
# keeps the escapes. If that holds for the deployed version, these rules would not
# fire on the listed URLs as written. Confirm with a test request before relying on
# them; the alternative is matching the raw buffer or the decoded bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655697/; classtype:trojan-activity;sid:84518797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655665/; classtype:trojan-activity;sid:84518765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655654/; classtype:trojan-activity;sid:84518754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655649/; classtype:trojan-activity;sid:84518749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-12-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655646/; classtype:trojan-activity;sid:84518746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655631/; classtype:trojan-activity;sid:84518731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655593/; classtype:trojan-activity;sid:84518693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655594/; classtype:trojan-activity;sid:84518694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655590/; classtype:trojan-activity;sid:84518690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-11-29/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655586/; classtype:trojan-activity;sid:84518686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655572/; classtype:trojan-activity;sid:84518672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655556/; classtype:trojan-activity;sid:84518656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655557/; classtype:trojan-activity;sid:84518657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655559/; classtype:trojan-activity;sid:84518659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655553/; classtype:trojan-activity;sid:84518653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655535/; classtype:trojan-activity;sid:84518635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-10-22/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655510/; classtype:trojan-activity;sid:84518610; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655507/; classtype:trojan-activity;sid:84518607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-08-05/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655503/; classtype:trojan-activity;sid:84518603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655501/; classtype:trojan-activity;sid:84518601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655495/; classtype:trojan-activity;sid:84518595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655493/; classtype:trojan-activity;sid:84518593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655476/; classtype:trojan-activity;sid:84518576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655474/; classtype:trojan-activity;sid:84518574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-09-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655471/; classtype:trojan-activity;sid:84518571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655469/; classtype:trojan-activity;sid:84518569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655466/; classtype:trojan-activity;sid:84518566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655462/; classtype:trojan-activity;sid:84518562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655461/; classtype:trojan-activity;sid:84518561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655458/; classtype:trojan-activity;sid:84518558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655447/; classtype:trojan-activity;sid:84518547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655440/; classtype:trojan-activity;sid:84518540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-02-24/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655442/; classtype:trojan-activity;sid:84518542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655430/; classtype:trojan-activity;sid:84518530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-12/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655421/; classtype:trojan-activity;sid:84518521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655420/; classtype:trojan-activity;sid:84518520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-07/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655413/; classtype:trojan-activity;sid:84518513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655411/; classtype:trojan-activity;sid:84518511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655408/; classtype:trojan-activity;sid:84518508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655403/; classtype:trojan-activity;sid:84518503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655398/; classtype:trojan-activity;sid:84518498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655383/; classtype:trojan-activity;sid:84518483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655379/; classtype:trojan-activity;sid:84518479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655378/; classtype:trojan-activity;sid:84518478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655373/; classtype:trojan-activity;sid:84518473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655368/; classtype:trojan-activity;sid:84518468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655362/; classtype:trojan-activity;sid:84518462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655353/; classtype:trojan-activity;sid:84518453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655339/; classtype:trojan-activity;sid:84518439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655335/; classtype:trojan-activity;sid:84518435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655331/; classtype:trojan-activity;sid:84518431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655329/; classtype:trojan-activity;sid:84518429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655322/; classtype:trojan-activity;sid:84518422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655323/; classtype:trojan-activity;sid:84518423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655317/; classtype:trojan-activity;sid:84518417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-03-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655314/; classtype:trojan-activity;sid:84518414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655306/; classtype:trojan-activity;sid:84518406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655295/; classtype:trojan-activity;sid:84518395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655293/; classtype:trojan-activity;sid:84518393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655291/; classtype:trojan-activity;sid:84518391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655286/; classtype:trojan-activity;sid:84518386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655280/; classtype:trojan-activity;sid:84518380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"138.36.2.110"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655279/; classtype:trojan-activity;sid:84518379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655272/; classtype:trojan-activity;sid:84518372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655259/; classtype:trojan-activity;sid:84518359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655257/; classtype:trojan-activity;sid:84518357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655253/; classtype:trojan-activity;sid:84518353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655244/; classtype:trojan-activity;sid:84518344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/sp/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655245/; classtype:trojan-activity;sid:84518345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655230/; classtype:trojan-activity;sid:84518330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655228/; classtype:trojan-activity;sid:84518328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655220/; classtype:trojan-activity;sid:84518320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655207/; classtype:trojan-activity;sid:84518307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655200/; classtype:trojan-activity;sid:84518300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655191/; classtype:trojan-activity;sid:84518291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655187/; classtype:trojan-activity;sid:84518287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655179/; classtype:trojan-activity;sid:84518279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655170/; classtype:trojan-activity;sid:84518270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655160/; classtype:trojan-activity;sid:84518260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655143/; classtype:trojan-activity;sid:84518243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655126/; classtype:trojan-activity;sid:84518226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655115/; classtype:trojan-activity;sid:84518215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655109/; classtype:trojan-activity;sid:84518209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655099/; classtype:trojan-activity;sid:84518199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655089/; classtype:trojan-activity;sid:84518189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655090/; classtype:trojan-activity;sid:84518190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-03-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655088/; classtype:trojan-activity;sid:84518188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2025-01-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655085/; classtype:trojan-activity;sid:84518185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655084/; classtype:trojan-activity;sid:84518184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655081/; classtype:trojan-activity;sid:84518181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655073/; classtype:trojan-activity;sid:84518173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655072/; classtype:trojan-activity;sid:84518172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655070/; classtype:trojan-activity;sid:84518170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655064/; classtype:trojan-activity;sid:84518164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655061/; classtype:trojan-activity;sid:84518161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; 
content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655054/; classtype:trojan-activity;sid:84518154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655052/; classtype:trojan-activity;sid:84518152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655044/; classtype:trojan-activity;sid:84518144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655037/; classtype:trojan-activity;sid:84518137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655038/; classtype:trojan-activity;sid:84518138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3655034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655034/; classtype:trojan-activity;sid:84518134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655025/; classtype:trojan-activity;sid:84518125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655021/; classtype:trojan-activity;sid:84518121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655016/; classtype:trojan-activity;sid:84518116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3655010/; classtype:trojan-activity;sid:84518110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655008/; classtype:trojan-activity;sid:84518108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3655004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3655004/; classtype:trojan-activity;sid:84518104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654999/; classtype:trojan-activity;sid:84518099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654991/; classtype:trojan-activity;sid:84518091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-12/info.zip"; depth:43; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654985/; classtype:trojan-activity;sid:84518085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654981/; classtype:trojan-activity;sid:84518081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654973/; classtype:trojan-activity;sid:84518073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654970/; classtype:trojan-activity;sid:84518070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654967/; classtype:trojan-activity;sid:84518067; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654966/; classtype:trojan-activity;sid:84518066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654962/; classtype:trojan-activity;sid:84518062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654957/; classtype:trojan-activity;sid:84518057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654946/; classtype:trojan-activity;sid:84518046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654942/; classtype:trojan-activity;sid:84518042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-07-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654940/; classtype:trojan-activity;sid:84518040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654936/; classtype:trojan-activity;sid:84518036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"68.148.10.182"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654935/; classtype:trojan-activity;sid:84518035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654928/; classtype:trojan-activity;sid:84518028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654927)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-10-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654927/; classtype:trojan-activity;sid:84518027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654922/; classtype:trojan-activity;sid:84518022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654923/; classtype:trojan-activity;sid:84518023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"70.95.233.160"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654917/; classtype:trojan-activity;sid:84518017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654904/; 
classtype:trojan-activity;sid:84518004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654898/; classtype:trojan-activity;sid:84517998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654894/; classtype:trojan-activity;sid:84517994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654880/; classtype:trojan-activity;sid:84517980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654874/; classtype:trojan-activity;sid:84517974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; 
content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654859/; classtype:trojan-activity;sid:84517959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654860/; classtype:trojan-activity;sid:84517960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654857/; classtype:trojan-activity;sid:84517957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654853/; classtype:trojan-activity;sid:84517953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654829/; classtype:trojan-activity;sid:84517929; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-02-04/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654814/; classtype:trojan-activity;sid:84517914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654811/; classtype:trojan-activity;sid:84517911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654806/; classtype:trojan-activity;sid:84517906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654804/; classtype:trojan-activity;sid:84517904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; 
content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654803/; classtype:trojan-activity;sid:84517903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654799/; classtype:trojan-activity;sid:84517899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654796/; classtype:trojan-activity;sid:84517896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654793/; classtype:trojan-activity;sid:84517893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654781/; classtype:trojan-activity;sid:84517881; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654769/; classtype:trojan-activity;sid:84517869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654748/; classtype:trojan-activity;sid:84517848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654747/; classtype:trojan-activity;sid:84517847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654740/; classtype:trojan-activity;sid:84517840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654735/; classtype:trojan-activity;sid:84517835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654732/; classtype:trojan-activity;sid:84517832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654727/; classtype:trojan-activity;sid:84517827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654721/; classtype:trojan-activity;sid:84517821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654719/; classtype:trojan-activity;sid:84517819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3654714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654714/; classtype:trojan-activity;sid:84517814; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for the rules in this part of the feed (one rule per tracked
# URL; line breaks restored so that each rule sits on its own line).
#
# What every rule here matches:
#   - "alert http $HOME_NET any -> $EXTERNAL_NET any" with
#     flow:established,from_client: client requests that the sensor parses as
#     HTTP, leaving the monitored network, on any port. The same URL fetched
#     over TLS is not covered unless traffic is decrypted upstream.
#   - http.method content "GET": requests using another method do not match.
#   - http.uri content with depth equal to the content length plus endswith:
#     the whole URI buffer must equal the listed path (nocase makes it
#     case-insensitive), so a request that appends a query string or extra
#     path bytes does not match.
#   - http.host content with depth equal to its length plus
#     isdataat:!1,relative: the whole host buffer must equal the listed
#     address. Per the Suricata documentation http.host carries no ":port"
#     suffix (http.host.raw does), so the port is not constrained here.
#   - sid equals the URLhaus entry id shown in msg/reference plus 80863100 in
#     every rule below, which lets an alert be mapped back to its entry.
#
# Triage notes:
#   - Every rule here carries metadata:created_at 2025_10_04 and the hosts are
#     bare IPv4 addresses; presumably some no longer serve the listed path, so
#     confirm the entry's current status via its reference URL before acting.
#   - The short paths (/video.scr, /video.lnk, /photo.scr, /photo.lnk, /av.scr,
#     /av.lnk, /info.zip) recur across many hosts, each host/path pair under
#     its own sid; when one fires, searching logs for the same path on other
#     destinations is a cheap follow-up.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654709/; classtype:trojan-activity;sid:84517809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654708/; classtype:trojan-activity;sid:84517808; rev:1;)
# NOTE(review): the path in the next rule carries percent-escapes (%c3%a7,
# %c3%a3, %20) as literal text, but it is matched in http.uri, the normalized
# URI buffer. If the sensor's HTTP normalization decodes %XX sequences, this
# literal text would not be present in the buffer and the rule would stay
# silent; http.uri.raw is the buffer that keeps the escapes as sent. Confirm
# with a replayed test request before relying on these rules. The same applies
# to every rule below whose path contains "%".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654695/; classtype:trojan-activity;sid:84517795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654682/; classtype:trojan-activity;sid:84517782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654677/; classtype:trojan-activity;sid:84517777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654678/; classtype:trojan-activity;sid:84517778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654673/; classtype:trojan-activity;sid:84517773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654674/; classtype:trojan-activity;sid:84517774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654672/; classtype:trojan-activity;sid:84517772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654668/; classtype:trojan-activity;sid:84517768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654665/; classtype:trojan-activity;sid:84517765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654661/; classtype:trojan-activity;sid:84517761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654655/; classtype:trojan-activity;sid:84517755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654651/; classtype:trojan-activity;sid:84517751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654647/; classtype:trojan-activity;sid:84517747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-11-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654643/; classtype:trojan-activity;sid:84517743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654641/; classtype:trojan-activity;sid:84517741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654634/; classtype:trojan-activity;sid:84517734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654622/; classtype:trojan-activity;sid:84517722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654610/; classtype:trojan-activity;sid:84517710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654600/; classtype:trojan-activity;sid:84517700; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654589/; classtype:trojan-activity;sid:84517689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654546/; classtype:trojan-activity;sid:84517646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654541/; classtype:trojan-activity;sid:84517641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654542/; classtype:trojan-activity;sid:84517642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654537/; classtype:trojan-activity;sid:84517637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654533/; classtype:trojan-activity;sid:84517633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654531/; classtype:trojan-activity;sid:84517631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654526/; classtype:trojan-activity;sid:84517626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-11-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654522/; classtype:trojan-activity;sid:84517622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654513/; classtype:trojan-activity;sid:84517613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-15/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654514/; classtype:trojan-activity;sid:84517614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-07-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654509/; classtype:trojan-activity;sid:84517609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654508/; classtype:trojan-activity;sid:84517608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654507/; classtype:trojan-activity;sid:84517607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654504/; classtype:trojan-activity;sid:84517604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654499/; classtype:trojan-activity;sid:84517599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654501/; classtype:trojan-activity;sid:84517601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654495/; classtype:trojan-activity;sid:84517595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654478/; classtype:trojan-activity;sid:84517578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654477/; classtype:trojan-activity;sid:84517577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"157.10.63.251"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654474/; classtype:trojan-activity;sid:84517574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654451/; classtype:trojan-activity;sid:84517551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654445/; classtype:trojan-activity;sid:84517545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654428/; classtype:trojan-activity;sid:84517528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654392/; classtype:trojan-activity;sid:84517492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654390/; classtype:trojan-activity;sid:84517490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654391/; classtype:trojan-activity;sid:84517491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654385/; classtype:trojan-activity;sid:84517485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"75.42.36.186"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654380/; classtype:trojan-activity;sid:84517480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654378/; classtype:trojan-activity;sid:84517478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-06-05/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654372/; classtype:trojan-activity;sid:84517472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654356/; classtype:trojan-activity;sid:84517456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654347/; classtype:trojan-activity;sid:84517447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654342/; classtype:trojan-activity;sid:84517442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654339/; classtype:trojan-activity;sid:84517439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654336/; classtype:trojan-activity;sid:84517436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654337/; classtype:trojan-activity;sid:84517437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654334/; classtype:trojan-activity;sid:84517434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654333/; classtype:trojan-activity;sid:84517433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654331/; classtype:trojan-activity;sid:84517431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654326/; classtype:trojan-activity;sid:84517426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654320/; classtype:trojan-activity;sid:84517420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654308/; classtype:trojan-activity;sid:84517408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654292/; classtype:trojan-activity;sid:84517392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654288/; classtype:trojan-activity;sid:84517388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654285/; classtype:trojan-activity;sid:84517385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654283/; classtype:trojan-activity;sid:84517383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654276)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654276/; classtype:trojan-activity;sid:84517376; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654273/; classtype:trojan-activity;sid:84517373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654270/; classtype:trojan-activity;sid:84517370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654268/; classtype:trojan-activity;sid:84517368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654266/; classtype:trojan-activity;sid:84517366; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654253/; classtype:trojan-activity;sid:84517353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654247/; classtype:trojan-activity;sid:84517347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"70.95.233.160"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654243/; classtype:trojan-activity;sid:84517343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654239/; classtype:trojan-activity;sid:84517339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654234/; classtype:trojan-activity;sid:84517334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654233/; classtype:trojan-activity;sid:84517333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-04-07/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654216/; classtype:trojan-activity;sid:84517316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654208/; classtype:trojan-activity;sid:84517308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654205/; classtype:trojan-activity;sid:84517305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654203/; classtype:trojan-activity;sid:84517303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654204/; classtype:trojan-activity;sid:84517304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654195/; classtype:trojan-activity;sid:84517295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654192/; classtype:trojan-activity;sid:84517292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-10-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654187/; classtype:trojan-activity;sid:84517287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654173/; classtype:trojan-activity;sid:84517273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654177/; classtype:trojan-activity;sid:84517277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-06-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654163/; classtype:trojan-activity;sid:84517263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"37.34.230.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654161/; classtype:trojan-activity;sid:84517261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"76.154.249.207"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654149/; classtype:trojan-activity;sid:84517249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654125/; classtype:trojan-activity;sid:84517225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3654122/; classtype:trojan-activity;sid:84517222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654123/; classtype:trojan-activity;sid:84517223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654119/; classtype:trojan-activity;sid:84517219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654117/; classtype:trojan-activity;sid:84517217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654113/; classtype:trojan-activity;sid:84517213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654098)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654098/; classtype:trojan-activity;sid:84517198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654088/; classtype:trojan-activity;sid:84517188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654077/; classtype:trojan-activity;sid:84517177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654076/; classtype:trojan-activity;sid:84517176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654074/; 
classtype:trojan-activity;sid:84517174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654065/; classtype:trojan-activity;sid:84517165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654054/; classtype:trojan-activity;sid:84517154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654044/; classtype:trojan-activity;sid:84517144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654038/; classtype:trojan-activity;sid:84517138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-21/info.zip"; 
depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654034/; classtype:trojan-activity;sid:84517134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654033/; classtype:trojan-activity;sid:84517133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"70.95.233.160"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654032/; classtype:trojan-activity;sid:84517132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654024/; classtype:trojan-activity;sid:84517124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654023/; 
classtype:trojan-activity;sid:84517123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654022/; classtype:trojan-activity;sid:84517122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654019/; classtype:trojan-activity;sid:84517119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654018/; classtype:trojan-activity;sid:84517118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654009/; classtype:trojan-activity;sid:84517109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-08-17/info.zip"; depth:53; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654005/; classtype:trojan-activity;sid:84517105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654003/; classtype:trojan-activity;sid:84517103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3654000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3654000/; classtype:trojan-activity;sid:84517100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653992/; classtype:trojan-activity;sid:84517092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653985/; 
classtype:trojan-activity;sid:84517085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653977/; classtype:trojan-activity;sid:84517077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653972/; classtype:trojan-activity;sid:84517072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653964/; classtype:trojan-activity;sid:84517064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653960/; classtype:trojan-activity;sid:84517060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; 
depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653941/; classtype:trojan-activity;sid:84517041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653943/; classtype:trojan-activity;sid:84517043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653939/; classtype:trojan-activity;sid:84517039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653917/; classtype:trojan-activity;sid:84517017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653918/; classtype:trojan-activity;sid:84517018; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653916/; classtype:trojan-activity;sid:84517016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653912/; classtype:trojan-activity;sid:84517012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"93.55.251.246"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653910/; classtype:trojan-activity;sid:84517010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653900/; classtype:trojan-activity;sid:84517000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653892/; classtype:trojan-activity;sid:84516992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"203.192.211.119"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653893/; classtype:trojan-activity;sid:84516993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653885/; classtype:trojan-activity;sid:84516985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"45.118.32.122"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653878/; classtype:trojan-activity;sid:84516978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653875/; classtype:trojan-activity;sid:84516975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3653871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"178.198.246.24"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653871/; classtype:trojan-activity;sid:84516971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653867/; classtype:trojan-activity;sid:84516967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653864/; classtype:trojan-activity;sid:84516964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653861/; classtype:trojan-activity;sid:84516961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653858/; classtype:trojan-activity;sid:84516958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"76.136.85.221"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653853/; classtype:trojan-activity;sid:84516953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653852/; classtype:trojan-activity;sid:84516952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653848/; classtype:trojan-activity;sid:84516948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653849/; classtype:trojan-activity;sid:84516949; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653847/; classtype:trojan-activity;sid:84516947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-06-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653841/; classtype:trojan-activity;sid:84516941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653840/; classtype:trojan-activity;sid:84516940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-10/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653839/; classtype:trojan-activity;sid:84516939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653836)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653836/; classtype:trojan-activity;sid:84516936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653831/; classtype:trojan-activity;sid:84516931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653828/; classtype:trojan-activity;sid:84516928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653826/; classtype:trojan-activity;sid:84516926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3653824/; classtype:trojan-activity;sid:84516924; rev:1;)
# NOTE(review): several http.uri contents below keep URL percent-escapes
# (%20, %c3%a7, %c3%a3, %c3%aa) and their depth values (87, 53, 92, 49) count
# the escaped length. Suricata documents http.uri as the normalized request URI
# and http.uri.raw as the untouched one; if the escapes are decoded before
# matching, these contents would not be found in the buffer. Confirm with a
# pcap replay; the usual alternatives are http.uri.raw or hex-escaped bytes in
# the content string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653823/; classtype:trojan-activity;sid:84516923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653818/; classtype:trojan-activity;sid:84516918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653819/; classtype:trojan-activity;sid:84516919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653813/; classtype:trojan-activity;sid:84516913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653806/; classtype:trojan-activity;sid:84516906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653799/; classtype:trojan-activity;sid:84516899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653792/; classtype:trojan-activity;sid:84516892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-04-01/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653790/; classtype:trojan-activity;sid:84516890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653785/; classtype:trojan-activity;sid:84516885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653783/; classtype:trojan-activity;sid:84516883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-11/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653782/; classtype:trojan-activity;sid:84516882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"49.205.173.192"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653781/; classtype:trojan-activity;sid:84516881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653772/; classtype:trojan-activity;sid:84516872;
rev:1;)
# Each rule below anchors both buffers to a whole-value match: depth equals the
# content length and endswith pins the end, so http.uri must be exactly the
# listed path (compared case-insensitively via nocase).
# NOTE(review): http.uri also carries any query string, so a request for the
# same file with parameters appended would presumably not alert — confirm that
# this coverage is what the deployment expects from the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653770/; classtype:trojan-activity;sid:84516870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653761/; classtype:trojan-activity;sid:84516861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"212.27.26.206"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653756/; classtype:trojan-activity;sid:84516856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"168.121.168.84"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653755/; classtype:trojan-activity;sid:84516855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653751/; classtype:trojan-activity;sid:84516851; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653748/; classtype:trojan-activity;sid:84516848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653745/; classtype:trojan-activity;sid:84516845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"186.235.86.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653743/; classtype:trojan-activity;sid:84516843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-06-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653737/; classtype:trojan-activity;sid:84516837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653734/; classtype:trojan-activity;sid:84516834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653732/; classtype:trojan-activity;sid:84516832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653728/; classtype:trojan-activity;sid:84516828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653722/; classtype:trojan-activity;sid:84516822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653717)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"32.219.189.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653717/; classtype:trojan-activity;sid:84516817; rev:1;)
# http.host is matched as an IPv4 literal: depth equals the literal's length
# and isdataat:!1,relative requires that nothing follows it. These rules
# therefore describe requests whose Host value is the bare address; the same
# server reached under a DNS name is outside their coverage.
# NOTE(review): how a ":port" suffix in the Host header is treated by the
# http.host buffer is not visible in this file — confirm against the engine
# version in use.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-02-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653704/; classtype:trojan-activity;sid:84516804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"73.51.224.25"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653703/; classtype:trojan-activity;sid:84516803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653702/; classtype:trojan-activity;sid:84516802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"67.10.149.213"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653701/; classtype:trojan-activity;sid:84516801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-03-01/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653696/; classtype:trojan-activity;sid:84516796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653695/; classtype:trojan-activity;sid:84516795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653693/; classtype:trojan-activity;sid:84516793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653690/; classtype:trojan-activity;sid:84516790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653691/; classtype:trojan-activity;sid:84516791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653685/; classtype:trojan-activity;sid:84516785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653683/; classtype:trojan-activity;sid:84516783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653681/; classtype:trojan-activity;sid:84516781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653675)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653675/; classtype:trojan-activity;sid:84516775; rev:1;)
# Only client-side request buffers are inspected here (flow:established,
# from_client; http.method "GET"; http.uri; http.host), in the direction
# $HOME_NET -> $EXTERNAL_NET. A hit records that an internal client asked for
# the listed URL, not that a payload came back; triage should pair the alert
# with the HTTP response status and any file/extraction logs for the same flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2023-11-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653671/; classtype:trojan-activity;sid:84516771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653669/; classtype:trojan-activity;sid:84516769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-03-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653665/; classtype:trojan-activity;sid:84516765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653666/; classtype:trojan-activity;sid:84516766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653662/; classtype:trojan-activity;sid:84516762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653661/; classtype:trojan-activity;sid:84516761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653655/; classtype:trojan-activity;sid:84516755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653649/; classtype:trojan-activity;sid:84516749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653647/; classtype:trojan-activity;sid:84516747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"49.204.232.47"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653640/; classtype:trojan-activity;sid:84516740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653636/; classtype:trojan-activity;sid:84516736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653633/; classtype:trojan-activity;sid:84516733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative;
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653634/; classtype:trojan-activity;sid:84516734; rev:1;)
# In every rule below the sid is the URLhaus entry number shown in msg and in
# the reference URL plus 80863100 (e.g. 3653627 -> 84516727), so an alert's sid
# can be turned back into its urlhaus.abuse.ch/url/<id>/ page during triage.
# The msg text is otherwise identical across rules; the id is the only field
# that tells two alerts apart.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"188.82.127.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653627/; classtype:trojan-activity;sid:84516727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653620/; classtype:trojan-activity;sid:84516720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653621/; classtype:trojan-activity;sid:84516721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"94.203.254.14"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653611/; classtype:trojan-activity;sid:84516711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653606/; classtype:trojan-activity;sid:84516706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"80.11.25.16"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653607/; classtype:trojan-activity;sid:84516707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653605/; classtype:trojan-activity;sid:84516705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653602/; classtype:trojan-activity;sid:84516702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653599/; classtype:trojan-activity;sid:84516699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653598/; classtype:trojan-activity;sid:84516698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-02-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653595/; classtype:trojan-activity;sid:84516695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-12-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653593/; classtype:trojan-activity;sid:84516693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-04-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url,
urlhaus.abuse.ch/url/3653586/; classtype:trojan-activity;sid:84516686; rev:1;)
# All complete rules in this group match Host 177.70.102.228 with a path under
# /tmpftp/ that ends in info.zip; only the directory component differs. Each
# sid covers exactly one listed directory, so alerts from this group are best
# aggregated by destination address when triaging.
# NOTE(review): if the whole host is treated as hostile, a single host-level
# control would also cover directories this list does not enumerate.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653585/; classtype:trojan-activity;sid:84516685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653577/; classtype:trojan-activity;sid:84516677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-08-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653550/; classtype:trojan-activity;sid:84516650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653546/; classtype:trojan-activity;sid:84516646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653537/; classtype:trojan-activity;sid:84516637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653525/; classtype:trojan-activity;sid:84516625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653518/; classtype:trojan-activity;sid:84516618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-05/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653500/; classtype:trojan-activity;sid:84516600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653494/; classtype:trojan-activity;sid:84516594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653492/; classtype:trojan-activity;sid:84516592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-01-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653489/; classtype:trojan-activity;sid:84516589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653487/; classtype:trojan-activity;sid:84516587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-08/info.zip"; depth:43; endswith; nocase; http.host;
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653485/; classtype:trojan-activity;sid:84516585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653479/; classtype:trojan-activity;sid:84516579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653466/; classtype:trojan-activity;sid:84516566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-04-05/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653464/; classtype:trojan-activity;sid:84516564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3653440/; classtype:trojan-activity;sid:84516540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653408/; classtype:trojan-activity;sid:84516508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653384/; classtype:trojan-activity;sid:84516484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653370/; classtype:trojan-activity;sid:84516470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653363/; classtype:trojan-activity;sid:84516463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3653352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653352/; classtype:trojan-activity;sid:84516452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-08-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653333/; classtype:trojan-activity;sid:84516433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-19/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653310/; classtype:trojan-activity;sid:84516410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653311/; classtype:trojan-activity;sid:84516411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653303)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653303/; classtype:trojan-activity;sid:84516403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-10-10/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653304/; classtype:trojan-activity;sid:84516404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653297/; classtype:trojan-activity;sid:84516397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653293/; classtype:trojan-activity;sid:84516393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653290)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653290/; classtype:trojan-activity;sid:84516390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-07-06/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653289/; classtype:trojan-activity;sid:84516389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653288/; classtype:trojan-activity;sid:84516388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653281/; classtype:trojan-activity;sid:84516381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-09-03/info.zip"; depth:39; endswith; nocase; 
http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653279/; classtype:trojan-activity;sid:84516379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653271/; classtype:trojan-activity;sid:84516371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653264/; classtype:trojan-activity;sid:84516364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653250/; classtype:trojan-activity;sid:84516350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2023-11-23/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653244/; classtype:trojan-activity;sid:84516344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653243/; classtype:trojan-activity;sid:84516343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653238/; classtype:trojan-activity;sid:84516338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653234/; classtype:trojan-activity;sid:84516334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653208/; classtype:trojan-activity;sid:84516308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653205/; classtype:trojan-activity;sid:84516305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653204/; classtype:trojan-activity;sid:84516304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653183/; classtype:trojan-activity;sid:84516283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653179/; classtype:trojan-activity;sid:84516279; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653178/; classtype:trojan-activity;sid:84516278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-11-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653176/; classtype:trojan-activity;sid:84516276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653177/; classtype:trojan-activity;sid:84516277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653173/; classtype:trojan-activity;sid:84516273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653171)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653171/; classtype:trojan-activity;sid:84516271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-02-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653163/; classtype:trojan-activity;sid:84516263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653166/; classtype:trojan-activity;sid:84516266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-10/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653159/; classtype:trojan-activity;sid:84516259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653161)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2023-08-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653161/; classtype:trojan-activity;sid:84516261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653156/; classtype:trojan-activity;sid:84516256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-10-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653155/; classtype:trojan-activity;sid:84516255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653152/; classtype:trojan-activity;sid:84516252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-01-19/info.zip"; depth:53; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653151/; classtype:trojan-activity;sid:84516251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-10-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653148/; classtype:trojan-activity;sid:84516248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653140/; classtype:trojan-activity;sid:84516240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653137/; classtype:trojan-activity;sid:84516237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653132/; classtype:trojan-activity;sid:84516232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653121/; classtype:trojan-activity;sid:84516221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653114/; classtype:trojan-activity;sid:84516214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653111/; classtype:trojan-activity;sid:84516211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653107/; classtype:trojan-activity;sid:84516207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653104/; classtype:trojan-activity;sid:84516204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653094/; classtype:trojan-activity;sid:84516194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653079/; classtype:trojan-activity;sid:84516179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3653073/; classtype:trojan-activity;sid:84516173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653066/; classtype:trojan-activity;sid:84516166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-10-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653056/; classtype:trojan-activity;sid:84516156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653054/; classtype:trojan-activity;sid:84516154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-11-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653051/; classtype:trojan-activity;sid:84516151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3653047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-11-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653047/; classtype:trojan-activity;sid:84516147; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes for this run of rules (host 177.70.102.228, /tmpftp/.../info.zip)
#
# What each rule matches: a client-to-server HTTP GET from $HOME_NET to
# $EXTERNAL_NET where the Host buffer is exactly "177.70.102.228" (depth:14
# plus isdataat:!1,relative allows no trailing bytes) and the URI buffer is
# exactly the listed path (depth equals the content length, combined with
# endswith). There is one rule per URLhaus entry; msg and reference carry the
# URLhaus id, and every rule here has metadata created_at 2025_10_04.
#
# NOTE(review): many http.uri contents contain percent-escapes (%20,
# %c3%a7%c3%a3, %c3%aa). http.uri is Suricata's normalized URI buffer, so if
# the engine decodes those escapes the literal will presumably not match;
# http.uri.raw is the buffer that keeps the request URI as sent. Confirm with
# a test capture before relying on these sids.
# NOTE(review): "alert http" inspects cleartext HTTP only, and these are
# exact-URL indicators, so an absence of alerts is not evidence that a host
# is clean. Pair them with host/IP-level telemetry for the same address.
# NOTE(review): the indicator is a bare IP address. Check that the referenced
# URLhaus entry is still listed before acting on a hit.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-05-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653049/; classtype:trojan-activity;sid:84516149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-11-12/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653042/; classtype:trojan-activity;sid:84516142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653038/; classtype:trojan-activity;sid:84516138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653025/; classtype:trojan-activity;sid:84516125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-03-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653016/; classtype:trojan-activity;sid:84516116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653021/; classtype:trojan-activity;sid:84516121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3653011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-02-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3653011/; classtype:trojan-activity;sid:84516111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652994/; classtype:trojan-activity;sid:84516094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652989/; classtype:trojan-activity;sid:84516089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652985/; classtype:trojan-activity;sid:84516085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652980/; classtype:trojan-activity;sid:84516080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652976/; classtype:trojan-activity;sid:84516076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-01-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652970/; classtype:trojan-activity;sid:84516070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-29/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652962/; classtype:trojan-activity;sid:84516062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652960/; classtype:trojan-activity;sid:84516060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-10-26/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652953/; classtype:trojan-activity;sid:84516053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-09-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652940/; classtype:trojan-activity;sid:84516040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652935/; classtype:trojan-activity;sid:84516035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652932/; classtype:trojan-activity;sid:84516032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652933/; classtype:trojan-activity;sid:84516033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652926/; classtype:trojan-activity;sid:84516026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652921/; classtype:trojan-activity;sid:84516021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652920/; classtype:trojan-activity;sid:84516020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652895/; classtype:trojan-activity;sid:84515995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652869/; classtype:trojan-activity;sid:84515969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652865/; classtype:trojan-activity;sid:84515965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652851/; classtype:trojan-activity;sid:84515951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652843/; classtype:trojan-activity;sid:84515943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652837/; classtype:trojan-activity;sid:84515937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652820/; classtype:trojan-activity;sid:84515920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652821/; classtype:trojan-activity;sid:84515921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652789/; classtype:trojan-activity;sid:84515889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652777/; classtype:trojan-activity;sid:84515877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-01-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652725/; classtype:trojan-activity;sid:84515825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652719/; classtype:trojan-activity;sid:84515819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652720/; classtype:trojan-activity;sid:84515820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652721/; classtype:trojan-activity;sid:84515821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652716/; classtype:trojan-activity;sid:84515816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652717/; classtype:trojan-activity;sid:84515817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652705/; classtype:trojan-activity;sid:84515805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652707/; classtype:trojan-activity;sid:84515807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-09-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652702/; classtype:trojan-activity;sid:84515802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652692/; classtype:trojan-activity;sid:84515792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652675/; classtype:trojan-activity;sid:84515775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652645/; classtype:trojan-activity;sid:84515745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-05-13/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652637/; classtype:trojan-activity;sid:84515737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-03-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652640/; classtype:trojan-activity;sid:84515740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652636/; classtype:trojan-activity;sid:84515736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652629/; classtype:trojan-activity;sid:84515729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652618/; classtype:trojan-activity;sid:84515718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652617/; classtype:trojan-activity;sid:84515717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652593/; classtype:trojan-activity;sid:84515693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-30/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652591/; classtype:trojan-activity;sid:84515691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652578/; classtype:trojan-activity;sid:84515678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652573/; classtype:trojan-activity;sid:84515673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652564/; classtype:trojan-activity;sid:84515664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-11-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652485/; classtype:trojan-activity;sid:84515585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652484/; classtype:trojan-activity;sid:84515584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/es/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652482/; classtype:trojan-activity;sid:84515582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652481/; classtype:trojan-activity;sid:84515581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652480/; classtype:trojan-activity;sid:84515580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652478/; classtype:trojan-activity;sid:84515578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-02-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652476/; classtype:trojan-activity;sid:84515576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-07-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652474/; classtype:trojan-activity;sid:84515574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652473/; classtype:trojan-activity;sid:84515573; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-09-26/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652472/; classtype:trojan-activity;sid:84515572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652471/; classtype:trojan-activity;sid:84515571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652470/; classtype:trojan-activity;sid:84515570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-05-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652467/; classtype:trojan-activity;sid:84515567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-05-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652468/; classtype:trojan-activity;sid:84515568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652469/; classtype:trojan-activity;sid:84515569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-04-03/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652465/; classtype:trojan-activity;sid:84515565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652463/; classtype:trojan-activity;sid:84515563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652462/; classtype:trojan-activity;sid:84515562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652461/; classtype:trojan-activity;sid:84515561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652460/; classtype:trojan-activity;sid:84515560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652457/; classtype:trojan-activity;sid:84515557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-09-11/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652456/; classtype:trojan-activity;sid:84515556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652455/; classtype:trojan-activity;sid:84515555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-03-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652454/; classtype:trojan-activity;sid:84515554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652453/; classtype:trojan-activity;sid:84515553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-01-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652451/; classtype:trojan-activity;sid:84515551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652452/; classtype:trojan-activity;sid:84515552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652449/; classtype:trojan-activity;sid:84515549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652445/; classtype:trojan-activity;sid:84515545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652446/; classtype:trojan-activity;sid:84515546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3652447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652447/; classtype:trojan-activity;sid:84515547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652448/; classtype:trojan-activity;sid:84515548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-07-08/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652442/; classtype:trojan-activity;sid:84515542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652444/; classtype:trojan-activity;sid:84515544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652441)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652441/; classtype:trojan-activity;sid:84515541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-01-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652439/; classtype:trojan-activity;sid:84515539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652437)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652437/; classtype:trojan-activity;sid:84515537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652438/; classtype:trojan-activity;sid:84515538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652436)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652436/; classtype:trojan-activity;sid:84515536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652435/; classtype:trojan-activity;sid:84515535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652433/; classtype:trojan-activity;sid:84515533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652432/; classtype:trojan-activity;sid:84515532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652431)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652431/; classtype:trojan-activity;sid:84515531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652430/; classtype:trojan-activity;sid:84515530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652429)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652429/; classtype:trojan-activity;sid:84515529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-10-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652428/; classtype:trojan-activity;sid:84515528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652426)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2022-09-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652426/; classtype:trojan-activity;sid:84515526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-02-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652425/; classtype:trojan-activity;sid:84515525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652424/; classtype:trojan-activity;sid:84515524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-04-26/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652421/; classtype:trojan-activity;sid:84515521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/normal/info.zip"; depth:62; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652419/; classtype:trojan-activity;sid:84515519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-03-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652420/; classtype:trojan-activity;sid:84515520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652417/; classtype:trojan-activity;sid:84515517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652418/; classtype:trojan-activity;sid:84515518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; 
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652415/; classtype:trojan-activity;sid:84515515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-12-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652416/; classtype:trojan-activity;sid:84515516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652414/; classtype:trojan-activity;sid:84515514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652413/; classtype:trojan-activity;sid:84515513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3652412/; classtype:trojan-activity;sid:84515512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652411/; classtype:trojan-activity;sid:84515511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652408/; classtype:trojan-activity;sid:84515508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652404/; classtype:trojan-activity;sid:84515504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652407/; classtype:trojan-activity;sid:84515507; rev:1;) 
# NOTE(review): the four rules on the next line (sid 84515502, 84515503,
# 84515501, 84515500) match a percent-encoded path ("%c3%a7%c3%a3o", "%20")
# inside http.uri. depth:87 is the length of the encoded string, and depth plus
# endswith makes the content an exact match of the whole buffer.
# http.uri is Suricata's normalized URI buffer. If the sensor percent-decodes
# the path before inspection, the buffer holds the decoded bytes and these
# signatures presumably never fire -- TODO confirm against the sensor's libhtp
# settings with a test capture of such a request.
# The usual alternatives are http.uri.raw, or decoded content with a recomputed
# depth. The neighbouring rules for host 177.70.102.228 that carry %xx sequences
# in their http.uri content are written the same way.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652402)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652402/; classtype:trojan-activity;sid:84515502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652403/; classtype:trojan-activity;sid:84515503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652401/; classtype:trojan-activity;sid:84515501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652400/; classtype:trojan-activity;sid:84515500; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652397/; classtype:trojan-activity;sid:84515497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652398/; classtype:trojan-activity;sid:84515498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652395/; classtype:trojan-activity;sid:84515495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-01-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652391/; classtype:trojan-activity;sid:84515491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3652392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652392/; classtype:trojan-activity;sid:84515492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652390/; classtype:trojan-activity;sid:84515490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652389/; classtype:trojan-activity;sid:84515489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652387/; classtype:trojan-activity;sid:84515487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652384)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-11-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652384/; classtype:trojan-activity;sid:84515484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652383)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652383/; classtype:trojan-activity;sid:84515483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-09-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652380/; classtype:trojan-activity;sid:84515480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652382/; classtype:trojan-activity;sid:84515482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-12/info.zip"; 
depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652378/; classtype:trojan-activity;sid:84515478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652376/; classtype:trojan-activity;sid:84515476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652375/; classtype:trojan-activity;sid:84515475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652373/; classtype:trojan-activity;sid:84515473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-05-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652372/; classtype:trojan-activity;sid:84515472; rev:1;)
# Review notes for the rules that follow (all pinned to http.host 177.70.102.228,
# metadata created_at 2025_10_04):
# - Each rule alerts on an established, client-to-server HTTP GET from $HOME_NET
#   to $EXTERNAL_NET whose http.uri and http.host both equal the listed literals.
#   depth:<len> combined with endswith (URI) or isdataat:!1,relative (host) pins
#   the content to the whole buffer, so a request that appends a query string or
#   any other byte to the path is not matched by that rule.
# - NOTE(review): many URIs below carry percent-escapes (%20, %c3%a7, %c3%a3,
#   %c3%aa) and their depth values equal the length of the escaped literal.
#   Suricata documents http.uri as the normalized URI buffer and http.uri.raw as
#   the buffer for matching literal escapes such as %20. Replay a captured
#   request to confirm these rules fire in your deployment before relying on them.
# - The rules are alert-only: a hit identifies an internal client that requested
#   the URL; triage it against the URLhaus reference carried in the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652368/; classtype:trojan-activity;sid:84515468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-02-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652367/; classtype:trojan-activity;sid:84515467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652366/; classtype:trojan-activity;sid:84515466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652364/; classtype:trojan-activity;sid:84515464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-10-13/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652360/; classtype:trojan-activity;sid:84515460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652359/; classtype:trojan-activity;sid:84515459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652357/; classtype:trojan-activity;sid:84515457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652356/; classtype:trojan-activity;sid:84515456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652353/; classtype:trojan-activity;sid:84515453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652349/; classtype:trojan-activity;sid:84515449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652351/; classtype:trojan-activity;sid:84515451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652352/; classtype:trojan-activity;sid:84515452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652347/; classtype:trojan-activity;sid:84515447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652348/; classtype:trojan-activity;sid:84515448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652346/; classtype:trojan-activity;sid:84515446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-10-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652342/; classtype:trojan-activity;sid:84515442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652343/; classtype:trojan-activity;sid:84515443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652344/; classtype:trojan-activity;sid:84515444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652345/; classtype:trojan-activity;sid:84515445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652340/; classtype:trojan-activity;sid:84515440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652336/; classtype:trojan-activity;sid:84515436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652337/; classtype:trojan-activity;sid:84515437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652339/; classtype:trojan-activity;sid:84515439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652335/; classtype:trojan-activity;sid:84515435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-12-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652331/; classtype:trojan-activity;sid:84515431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652326/; classtype:trojan-activity;sid:84515426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652327/; classtype:trojan-activity;sid:84515427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652328/; classtype:trojan-activity;sid:84515428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652329/; classtype:trojan-activity;sid:84515429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-11-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652330/; classtype:trojan-activity;sid:84515430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652325/; classtype:trojan-activity;sid:84515425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-09-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652324/; classtype:trojan-activity;sid:84515424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652323/; classtype:trojan-activity;sid:84515423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652322/; classtype:trojan-activity;sid:84515422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-03-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652321/; classtype:trojan-activity;sid:84515421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-09/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652318/; classtype:trojan-activity;sid:84515418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652319/; classtype:trojan-activity;sid:84515419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652317/; classtype:trojan-activity;sid:84515417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652316/; classtype:trojan-activity;sid:84515416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-31/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652314/; classtype:trojan-activity;sid:84515414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652312/; classtype:trojan-activity;sid:84515412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-06-04/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652313/; classtype:trojan-activity;sid:84515413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-01-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652310/; classtype:trojan-activity;sid:84515410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652309/; classtype:trojan-activity;sid:84515409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652305/; classtype:trojan-activity;sid:84515405; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652306/; classtype:trojan-activity;sid:84515406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652304/; classtype:trojan-activity;sid:84515404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652303/; classtype:trojan-activity;sid:84515403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652300/; classtype:trojan-activity;sid:84515400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-28/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652301/; classtype:trojan-activity;sid:84515401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652302/; classtype:trojan-activity;sid:84515402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652298/; classtype:trojan-activity;sid:84515398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652296)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-04-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652296/; classtype:trojan-activity;sid:84515396; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652294/; classtype:trojan-activity;sid:84515394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652295/; classtype:trojan-activity;sid:84515395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-01-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652292/; classtype:trojan-activity;sid:84515392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-08-25/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652291/; classtype:trojan-activity;sid:84515391; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652290/; classtype:trojan-activity;sid:84515390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-25/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652288/; classtype:trojan-activity;sid:84515388; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652287/; classtype:trojan-activity;sid:84515387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652286/; classtype:trojan-activity;sid:84515386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652285/; classtype:trojan-activity;sid:84515385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-11-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652284/; classtype:trojan-activity;sid:84515384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652283/; classtype:trojan-activity;sid:84515383; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-12-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652280/; classtype:trojan-activity;sid:84515380; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-07-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652281/; classtype:trojan-activity;sid:84515381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-01-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652279/; classtype:trojan-activity;sid:84515379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652277/; classtype:trojan-activity;sid:84515377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652272)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652272/; classtype:trojan-activity;sid:84515372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652270/; classtype:trojan-activity;sid:84515370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-10-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652265/; classtype:trojan-activity;sid:84515365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652264/; classtype:trojan-activity;sid:84515364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652263/; classtype:trojan-activity;sid:84515363; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652261/; classtype:trojan-activity;sid:84515361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652259/; classtype:trojan-activity;sid:84515359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652260/; classtype:trojan-activity;sid:84515360; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652257/; classtype:trojan-activity;sid:84515357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652256/; classtype:trojan-activity;sid:84515356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652255/; classtype:trojan-activity;sid:84515355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-11-25/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652250/; classtype:trojan-activity;sid:84515350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652247/; classtype:trojan-activity;sid:84515347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652248/; classtype:trojan-activity;sid:84515348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652249/; classtype:trojan-activity;sid:84515349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-12-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652246/; classtype:trojan-activity;sid:84515346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652241/; classtype:trojan-activity;sid:84515341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652242/; classtype:trojan-activity;sid:84515342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652239)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-10/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652239/; classtype:trojan-activity;sid:84515339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652240/; classtype:trojan-activity;sid:84515340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-07-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652236/; classtype:trojan-activity;sid:84515336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652235/; classtype:trojan-activity;sid:84515335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-03-12/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652234/; classtype:trojan-activity;sid:84515334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652232/; classtype:trojan-activity;sid:84515332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-01-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652231/; classtype:trojan-activity;sid:84515331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-06-25/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652225/; classtype:trojan-activity;sid:84515325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652223/; 
classtype:trojan-activity;sid:84515323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652221/; classtype:trojan-activity;sid:84515321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652222/; classtype:trojan-activity;sid:84515322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652220)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652220/; classtype:trojan-activity;sid:84515320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652218/; 
classtype:trojan-activity;sid:84515318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652217/; classtype:trojan-activity;sid:84515317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652216/; classtype:trojan-activity;sid:84515316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652214/; classtype:trojan-activity;sid:84515314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652213/; classtype:trojan-activity;sid:84515313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3652211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652211/; classtype:trojan-activity;sid:84515311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652210/; classtype:trojan-activity;sid:84515310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652209/; classtype:trojan-activity;sid:84515309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-03-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652206/; classtype:trojan-activity;sid:84515306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652207)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652207/; classtype:trojan-activity;sid:84515307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652205/; classtype:trojan-activity;sid:84515305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652204/; classtype:trojan-activity;sid:84515304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652201/; classtype:trojan-activity;sid:84515301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652200)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2023-08-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652200/; classtype:trojan-activity;sid:84515300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652197/; classtype:trojan-activity;sid:84515297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652194/; classtype:trojan-activity;sid:84515294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652192/; classtype:trojan-activity;sid:84515292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-13/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652188/; classtype:trojan-activity;sid:84515288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652189/; classtype:trojan-activity;sid:84515289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-28/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652190/; classtype:trojan-activity;sid:84515290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652191/; classtype:trojan-activity;sid:84515291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652185/; classtype:trojan-activity;sid:84515285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652184/; classtype:trojan-activity;sid:84515284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652183/; classtype:trojan-activity;sid:84515283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652181/; classtype:trojan-activity;sid:84515281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652180/; 
classtype:trojan-activity;sid:84515280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-04-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652179/; classtype:trojan-activity;sid:84515279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652176/; classtype:trojan-activity;sid:84515276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652177/; classtype:trojan-activity;sid:84515277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-11-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652178/; classtype:trojan-activity;sid:84515278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3652175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652175/; classtype:trojan-activity;sid:84515275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652174/; classtype:trojan-activity;sid:84515274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652173/; classtype:trojan-activity;sid:84515273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652171/; classtype:trojan-activity;sid:84515271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652169)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652169/; classtype:trojan-activity;sid:84515269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652167/; classtype:trojan-activity;sid:84515267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652166/; classtype:trojan-activity;sid:84515266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652165/; classtype:trojan-activity;sid:84515265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652164)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652164/; classtype:trojan-activity;sid:84515264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652163/; classtype:trojan-activity;sid:84515263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-24/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652162/; classtype:trojan-activity;sid:84515262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652160/; classtype:trojan-activity;sid:84515260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652157)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652157/; classtype:trojan-activity;sid:84515257; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for the rules in this span (all: host 177.70.102.228,
# created_at 2025_10_04). Rules are laid out one per line; the rule text is
# unchanged. The partial rules at the very start and end of the span continue
# outside it and are left as found.
#
# What each rule matches: a client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET on an established flow, where both buffers match exactly:
#   - http.uri:  depth equals the pattern length and endswith pins the end, so
#                the whole URI must equal the listed path (nocase makes the
#                comparison case-insensitive).
#   - http.host: depth:14 plus isdataat:!1,relative requires the host to be
#                exactly the 14-character IP literal.
#
# NOTE(review): most paths here contain percent-escapes (%20, %c3%a7%c3%a3).
# http.uri is Suricata's normalized URI buffer, in which such escapes are
# normally decoded before matching, so these patterns may never match as
# written; http.uri.raw is the undecoded buffer. Confirm against a capture of
# one of these requests before relying on the rules for coverage.
#
# NOTE(review): coverage is plaintext HTTP only. The same download over TLS,
# with a method other than GET, or with anything appended to the path (for
# example a query string, because of endswith) does not alert.
#
# Triage: the number in msg is the URLhaus entry id and is repeated in
# reference:url; check that entry before treating an alert as a confirmed
# infection.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652158/; classtype:trojan-activity;sid:84515258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652156/; classtype:trojan-activity;sid:84515256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652154/; classtype:trojan-activity;sid:84515254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652152/; classtype:trojan-activity;sid:84515252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652153/; classtype:trojan-activity;sid:84515253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-06-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652150/; classtype:trojan-activity;sid:84515250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652147/; classtype:trojan-activity;sid:84515247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652149/; classtype:trojan-activity;sid:84515249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652144/; classtype:trojan-activity;sid:84515244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-10-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652143/; classtype:trojan-activity;sid:84515243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652140/; classtype:trojan-activity;sid:84515240; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652137/; classtype:trojan-activity;sid:84515237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652135/; classtype:trojan-activity;sid:84515235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652132/; classtype:trojan-activity;sid:84515232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652133/; classtype:trojan-activity;sid:84515233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652134/; classtype:trojan-activity;sid:84515234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652128/; classtype:trojan-activity;sid:84515228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652129/; classtype:trojan-activity;sid:84515229; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-04-19/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652130/; classtype:trojan-activity;sid:84515230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652131/; classtype:trojan-activity;sid:84515231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652122/; classtype:trojan-activity;sid:84515222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652124/; classtype:trojan-activity;sid:84515224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652120/; classtype:trojan-activity;sid:84515220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652119/; classtype:trojan-activity;sid:84515219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652112/; classtype:trojan-activity;sid:84515212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-05-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652113/; classtype:trojan-activity;sid:84515213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652114/; classtype:trojan-activity;sid:84515214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652115/; classtype:trojan-activity;sid:84515215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652116/; classtype:trojan-activity;sid:84515216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652118/; classtype:trojan-activity;sid:84515218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652109/; classtype:trojan-activity;sid:84515209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652107/; classtype:trojan-activity;sid:84515207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652105/; classtype:trojan-activity;sid:84515205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652106/; classtype:trojan-activity;sid:84515206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652102/; classtype:trojan-activity;sid:84515202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-04-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652103/; classtype:trojan-activity;sid:84515203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652104/; classtype:trojan-activity;sid:84515204; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-10-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652099/; classtype:trojan-activity;sid:84515199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652100/; classtype:trojan-activity;sid:84515200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652098/; classtype:trojan-activity;sid:84515198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652095/; classtype:trojan-activity;sid:84515195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-13/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652091/; classtype:trojan-activity;sid:84515191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652092/; classtype:trojan-activity;sid:84515192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-08-05/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652090/; classtype:trojan-activity;sid:84515190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-01-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652084/; classtype:trojan-activity;sid:84515184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-05-24/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652086/; classtype:trojan-activity;sid:84515186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-12-27/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652088/; classtype:trojan-activity;sid:84515188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-02-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652089/; classtype:trojan-activity;sid:84515189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652081/; classtype:trojan-activity;sid:84515181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652082/; classtype:trojan-activity;sid:84515182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652078/; classtype:trojan-activity;sid:84515178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2022-03-17/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652079/; classtype:trojan-activity;sid:84515179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-04-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652075/; classtype:trojan-activity;sid:84515175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652076/; classtype:trojan-activity;sid:84515176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652077/; classtype:trojan-activity;sid:84515177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652070/; classtype:trojan-activity;sid:84515170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652071/; classtype:trojan-activity;sid:84515171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-11-23/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652067/; classtype:trojan-activity;sid:84515167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652068/; classtype:trojan-activity;sid:84515168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652060/; classtype:trojan-activity;sid:84515160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-10-24/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652061/; classtype:trojan-activity;sid:84515161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-27/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652063/; classtype:trojan-activity;sid:84515163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652064/; classtype:trojan-activity;sid:84515164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-11-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652065/; classtype:trojan-activity;sid:84515165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652066/; classtype:trojan-activity;sid:84515166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652057/; classtype:trojan-activity;sid:84515157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652058/; classtype:trojan-activity;sid:84515158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-03-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652053/; classtype:trojan-activity;sid:84515153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652054/; classtype:trojan-activity;sid:84515154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-08-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652048/; classtype:trojan-activity;sid:84515148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652049/; classtype:trojan-activity;sid:84515149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652051/; classtype:trojan-activity;sid:84515151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-02-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652045/; classtype:trojan-activity;sid:84515145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652042/; classtype:trojan-activity;sid:84515142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652043/; classtype:trojan-activity;sid:84515143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-15/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652041/; classtype:trojan-activity;sid:84515141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652039/; classtype:trojan-activity;sid:84515139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-12-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652036/; classtype:trojan-activity;sid:84515136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-05-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652037/; classtype:trojan-activity;sid:84515137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-01-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652038/; classtype:trojan-activity;sid:84515138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-12-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652034/; classtype:trojan-activity;sid:84515134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652025/; classtype:trojan-activity;sid:84515125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652026/; classtype:trojan-activity;sid:84515126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652027/; classtype:trojan-activity;sid:84515127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652028/; classtype:trojan-activity;sid:84515128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652022/; classtype:trojan-activity;sid:84515122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; 
reference:url, urlhaus.abuse.ch/url/3652021/; classtype:trojan-activity;sid:84515121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652016/; classtype:trojan-activity;sid:84515116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652017/; classtype:trojan-activity;sid:84515117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-06-14/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652018/; classtype:trojan-activity;sid:84515118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652019/; classtype:trojan-activity;sid:84515119; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652020/; classtype:trojan-activity;sid:84515120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-18/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652012/; classtype:trojan-activity;sid:84515112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652013/; classtype:trojan-activity;sid:84515113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652007/; classtype:trojan-activity;sid:84515107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3652008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652008/; classtype:trojan-activity;sid:84515108; rev:1;)
# ---------------------------------------------------------------------------
# Review notes: URI buffer choice for the rules below.
# Each rule matches one exact GET URI on host 177.70.102.228. Many of the URI
# patterns spell percent-escapes literally (%20, %c3%a7, %c3%a3) and are
# matched in the http.uri sticky buffer.
# NOTE(review): Suricata documents http.uri as the normalized URI, in which
# escapes such as %20 are decoded, and http.uri.raw as the buffer that keeps
# the request bytes as sent. A literal "%20" pattern in http.uri may therefore
# never match a normally encoded request. Replay a capture of such a request
# through the sensor before relying on these sids; if they stay silent,
# matching the same pattern in http.uri.raw (with a local sid and rev) is the
# usual remedy. Patterns without escapes, such as the /tmpftp/01/cancelamento/
# and /tmpftp/01/consulta/ paths, are not affected by this.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652009/; classtype:trojan-activity;sid:84515109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652005/; classtype:trojan-activity;sid:84515105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-03-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652006/; classtype:trojan-activity;sid:84515106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652003/; classtype:trojan-activity;sid:84515103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652002/; classtype:trojan-activity;sid:84515102; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3652000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-11/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3652000/; classtype:trojan-activity;sid:84515100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651998/; classtype:trojan-activity;sid:84515098; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651999/; classtype:trojan-activity;sid:84515099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651994/; classtype:trojan-activity;sid:84515094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651995/; classtype:trojan-activity;sid:84515095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651996/; classtype:trojan-activity;sid:84515096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-07-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651997/; classtype:trojan-activity;sid:84515097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651991/; classtype:trojan-activity;sid:84515091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651989/; classtype:trojan-activity;sid:84515089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651990/; classtype:trojan-activity;sid:84515090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-02-11/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651981/; classtype:trojan-activity;sid:84515081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-07-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651983/; classtype:trojan-activity;sid:84515083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-03-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651985/; classtype:trojan-activity;sid:84515085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-08-17/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651986/; classtype:trojan-activity;sid:84515086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651978/; classtype:trojan-activity;sid:84515078; rev:1;)
# ---------------------------------------------------------------------------
# Review notes: coverage and triage for the rules below.
# Each rule is an exact-match indicator: a GET request whose host is
# 177.70.102.228 and whose URI equals the listed path (depth plus endswith
# pin both ends of the buffer). They are "alert http" rules, so they fire only
# where Suricata's HTTP parser sees the request; the same download over an
# encrypted channel is outside their reach unless traffic is decrypted
# upstream of the sensor.
# All entries share one host, one file name (info.zip) and the created_at
# date 2025_10_04; presumably a single directory tree on that server was
# reported in one batch - the reference:url page of an entry is the place to
# confirm status and payload before treating an alert as an infection.
# For retrospective hunting, a proxy or DNS/flow log search for the host alone
# covers every entry of this run and also any path not listed here.
# NOTE(review): patterns that contain literal percent-escapes are matched in
# http.uri, the normalized buffer - verify with a test pcap that they fire.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-12-12/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651980/; classtype:trojan-activity;sid:84515080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2023-03-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651969/; classtype:trojan-activity;sid:84515069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651970/; classtype:trojan-activity;sid:84515070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-07-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651971/; classtype:trojan-activity;sid:84515071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-02-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651972/; classtype:trojan-activity;sid:84515072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-08-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651975/; classtype:trojan-activity;sid:84515075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651976/; classtype:trojan-activity;sid:84515076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-03-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651977/; classtype:trojan-activity;sid:84515077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-09-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651968/; classtype:trojan-activity;sid:84515068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651965/; classtype:trojan-activity;sid:84515065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651966/; classtype:trojan-activity;sid:84515066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651963/; classtype:trojan-activity;sid:84515063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-09-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651964/; classtype:trojan-activity;sid:84515064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651959/; classtype:trojan-activity;sid:84515059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651960/; classtype:trojan-activity;sid:84515060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651961/; classtype:trojan-activity;sid:84515061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651962/; classtype:trojan-activity;sid:84515062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651957/; classtype:trojan-activity;sid:84515057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651955/; classtype:trojan-activity;sid:84515055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651954/; classtype:trojan-activity;sid:84515054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651952/; 
classtype:trojan-activity;sid:84515052; rev:1;)
# ---------------------------------------------------------------------------
# Review notes: identifiers carried by the rules below.
# The number in msg, the number in the reference:url path and the sid belong
# together: in every complete rule of this run the sid equals the URLhaus
# entry number plus 80863100 (for example 3651951 -> 84515051), so an alert's
# signature id can be turned back into its URLhaus entry without a lookup
# table. All rules are rev:1 and classtype:trojan-activity.
# Besides the /tmpftp/ct-e/, /tmpftp/01/cancelamento/ and /tmpftp/01/consulta/
# paths, this stretch adds /tmpftp/disponibilidade%20de%20servi%c3%a7o/ and
# /tmpftp/cons/ paths on the same host, 177.70.102.228.
# The feed is generated; local changes to these lines are presumably lost on
# the next ruleset update, so tuning belongs in the sensor's own
# disable/modify configuration or in a local rule file with local sids.
# NOTE(review): patterns with literal percent-escapes (%20, %c3%a7, %c3%a3,
# %c3%aa) are matched in http.uri, the normalized buffer - verify with a test
# pcap that they fire.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651951/; classtype:trojan-activity;sid:84515051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651949/; classtype:trojan-activity;sid:84515049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-04-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651950/; classtype:trojan-activity;sid:84515050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651944/; classtype:trojan-activity;sid:84515044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/9929/11032020101348/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651946/; classtype:trojan-activity;sid:84515046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651948/; classtype:trojan-activity;sid:84515048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651943/; classtype:trojan-activity;sid:84515043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651937/; classtype:trojan-activity;sid:84515037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651938/; classtype:trojan-activity;sid:84515038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651941/; classtype:trojan-activity;sid:84515041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651933/; classtype:trojan-activity;sid:84515033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-10-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651934/; classtype:trojan-activity;sid:84515034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651935/; classtype:trojan-activity;sid:84515035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-01-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651936/; classtype:trojan-activity;sid:84515036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651932/; classtype:trojan-activity;sid:84515032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pe/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651930/; classtype:trojan-activity;sid:84515030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651928/; classtype:trojan-activity;sid:84515028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651929/; classtype:trojan-activity;sid:84515029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651927/; classtype:trojan-activity;sid:84515027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651921/; classtype:trojan-activity;sid:84515021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651922/; classtype:trojan-activity;sid:84515022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651923/; classtype:trojan-activity;sid:84515023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651924/; classtype:trojan-activity;sid:84515024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651925/; classtype:trojan-activity;sid:84515025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-26/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651915/; classtype:trojan-activity;sid:84515015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-05-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651916/; classtype:trojan-activity;sid:84515016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651917/; classtype:trojan-activity;sid:84515017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651913/; classtype:trojan-activity;sid:84515013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651914/; classtype:trojan-activity;sid:84515014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-12-02/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651909/; classtype:trojan-activity;sid:84515009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651907/; classtype:trojan-activity;sid:84515007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651901/; classtype:trojan-activity;sid:84515001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-11-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651902/; classtype:trojan-activity;sid:84515002; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651903/; classtype:trojan-activity;sid:84515003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651899/; classtype:trojan-activity;sid:84514999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651900/; classtype:trojan-activity;sid:84515000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-09-08/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651896/; classtype:trojan-activity;sid:84514996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3651897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651897/; classtype:trojan-activity;sid:84514997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651898/; classtype:trojan-activity;sid:84514998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651894/; classtype:trojan-activity;sid:84514994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651895/; classtype:trojan-activity;sid:84514995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3651892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160618/td00000000000000159843/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651892/; classtype:trojan-activity;sid:84514992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651890/; classtype:trojan-activity;sid:84514990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651891/; classtype:trojan-activity;sid:84514991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651887/; classtype:trojan-activity;sid:84514987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651888)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651888/; classtype:trojan-activity;sid:84514988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651889/; classtype:trojan-activity;sid:84514989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651884/; classtype:trojan-activity;sid:84514984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-07-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651885/; classtype:trojan-activity;sid:84514985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651881)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651881/; classtype:trojan-activity;sid:84514981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651882/; classtype:trojan-activity;sid:84514982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-02-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651878/; classtype:trojan-activity;sid:84514978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-11-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651879/; classtype:trojan-activity;sid:84514979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651874)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651874/; classtype:trojan-activity;sid:84514974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651875/; classtype:trojan-activity;sid:84514975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651876/; classtype:trojan-activity;sid:84514976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651868/; classtype:trojan-activity;sid:84514968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651869)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651869/; classtype:trojan-activity;sid:84514969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-04-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651870/; classtype:trojan-activity;sid:84514970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651872/; classtype:trojan-activity;sid:84514972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-12-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651866/; classtype:trojan-activity;sid:84514966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651865)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651865/; classtype:trojan-activity;sid:84514965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651861/; classtype:trojan-activity;sid:84514961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651862/; classtype:trojan-activity;sid:84514962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-17/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651863/; classtype:trojan-activity;sid:84514963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651864)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651864/; classtype:trojan-activity;sid:84514964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651859/; classtype:trojan-activity;sid:84514959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-08/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651857/; classtype:trojan-activity;sid:84514957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-22/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651854/; classtype:trojan-activity;sid:84514954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651853)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651853/; classtype:trojan-activity;sid:84514953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651849/; classtype:trojan-activity;sid:84514949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651850/; classtype:trojan-activity;sid:84514950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-31/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651848/; classtype:trojan-activity;sid:84514948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651847)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651847/; classtype:trojan-activity;sid:84514947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651846/; classtype:trojan-activity;sid:84514946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651844/; classtype:trojan-activity;sid:84514944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651836/; classtype:trojan-activity;sid:84514936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651837)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651837/; classtype:trojan-activity;sid:84514937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651838/; classtype:trojan-activity;sid:84514938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651839/; classtype:trojan-activity;sid:84514939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651840/; classtype:trojan-activity;sid:84514940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-09/info.zip"; depth:87; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651841/; classtype:trojan-activity;sid:84514941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651834/; classtype:trojan-activity;sid:84514934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-04-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651835/; classtype:trojan-activity;sid:84514935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-07/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651832/; classtype:trojan-activity;sid:84514932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-11-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651827/; classtype:trojan-activity;sid:84514927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651822/; classtype:trojan-activity;sid:84514922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651823/; classtype:trojan-activity;sid:84514923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-03-11/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651825/; classtype:trojan-activity;sid:84514925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-05-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651826/; 
classtype:trojan-activity;sid:84514926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-05-27/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651820/; classtype:trojan-activity;sid:84514920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/es/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651821/; classtype:trojan-activity;sid:84514921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651819/; classtype:trojan-activity;sid:84514919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651813/; classtype:trojan-activity;sid:84514913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3651816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651816/; classtype:trojan-activity;sid:84514916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-02-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651817/; classtype:trojan-activity;sid:84514917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651818/; classtype:trojan-activity;sid:84514918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651810/; classtype:trojan-activity;sid:84514910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651811)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651811/; classtype:trojan-activity;sid:84514911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-10-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651812/; classtype:trojan-activity;sid:84514912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-29/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651808/; classtype:trojan-activity;sid:84514908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-07-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651806/; classtype:trojan-activity;sid:84514906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-10-30/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651807/; classtype:trojan-activity;sid:84514907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-06-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651802/; classtype:trojan-activity;sid:84514902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-06-18/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651803/; classtype:trojan-activity;sid:84514903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-03/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651805/; classtype:trojan-activity;sid:84514905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651801/; classtype:trojan-activity;sid:84514901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651796/; classtype:trojan-activity;sid:84514896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-02-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651797/; classtype:trojan-activity;sid:84514897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651790/; classtype:trojan-activity;sid:84514890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-08-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651792/; 
classtype:trojan-activity;sid:84514892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168897/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651789/; classtype:trojan-activity;sid:84514889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/sp/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651787/; classtype:trojan-activity;sid:84514887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651783/; classtype:trojan-activity;sid:84514883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651785/; classtype:trojan-activity;sid:84514885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3651786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-31/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651786/; classtype:trojan-activity;sid:84514886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pa/normal/produ%c3%a7%c3%a3o/info.zip"; depth:81; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651777/; classtype:trojan-activity;sid:84514877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-06-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651778/; classtype:trojan-activity;sid:84514878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651780/; classtype:trojan-activity;sid:84514880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651774)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651774/; classtype:trojan-activity;sid:84514874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-11-22/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651775/; classtype:trojan-activity;sid:84514875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-19/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651776/; classtype:trojan-activity;sid:84514876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651770/; classtype:trojan-activity;sid:84514870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651771)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651771/; classtype:trojan-activity;sid:84514871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651772/; classtype:trojan-activity;sid:84514872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651773/; classtype:trojan-activity;sid:84514873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-11-11/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651768/; classtype:trojan-activity;sid:84514868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651769)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651769/; classtype:trojan-activity;sid:84514869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651766/; classtype:trojan-activity;sid:84514866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-03-15/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651763/; classtype:trojan-activity;sid:84514863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-11-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651764/; classtype:trojan-activity;sid:84514864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-17/info.zip"; depth:87; endswith; 
nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651765/; classtype:trojan-activity;sid:84514865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651760/; classtype:trojan-activity;sid:84514860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-04-01/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651761/; classtype:trojan-activity;sid:84514861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651762/; classtype:trojan-activity;sid:84514862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-10-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651755/; 
classtype:trojan-activity;sid:84514855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/sp/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651758/; classtype:trojan-activity;sid:84514858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651759/; classtype:trojan-activity;sid:84514859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-09-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651753/; classtype:trojan-activity;sid:84514853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-09-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651754/; classtype:trojan-activity;sid:84514854; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651752/; classtype:trojan-activity;sid:84514852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/info.zip"; depth:59; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651750/; classtype:trojan-activity;sid:84514850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651741/; classtype:trojan-activity;sid:84514841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651742/; classtype:trojan-activity;sid:84514842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3651744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651744/; classtype:trojan-activity;sid:84514844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651745/; classtype:trojan-activity;sid:84514845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-01-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651746/; classtype:trojan-activity;sid:84514846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651747/; classtype:trojan-activity;sid:84514847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3651740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-01-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651740/; classtype:trojan-activity;sid:84514840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651734/; classtype:trojan-activity;sid:84514834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651735/; classtype:trojan-activity;sid:84514835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-08-28/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651736/; classtype:trojan-activity;sid:84514836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651738)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/info.zip"; depth:76; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651738/; classtype:trojan-activity;sid:84514838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651739/; classtype:trojan-activity;sid:84514839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651730/; classtype:trojan-activity;sid:84514830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651731/; classtype:trojan-activity;sid:84514831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-11-07/info.zip"; 
depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651732/; classtype:trojan-activity;sid:84514832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-02-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651729/; classtype:trojan-activity;sid:84514829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-27/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651728/; classtype:trojan-activity;sid:84514828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-12-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651726/; classtype:trojan-activity;sid:84514826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-01-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_10_04; reference:url, urlhaus.abuse.ch/url/3651727/; classtype:trojan-activity;sid:84514827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-12-23/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651725/; classtype:trojan-activity;sid:84514825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-08-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651721/; classtype:trojan-activity;sid:84514821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651722/; classtype:trojan-activity;sid:84514822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-04-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651723/; 
classtype:trojan-activity;sid:84514823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-08/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651724/; classtype:trojan-activity;sid:84514824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651717/; classtype:trojan-activity;sid:84514817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-01/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651715/; classtype:trojan-activity;sid:84514815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651713/; classtype:trojan-activity;sid:84514813; rev:1;) 
# Generated URLhaus download-URL signatures. Each rule alerts on an outbound
# HTTP GET (flow:established,from_client; $HOME_NET -> $EXTERNAL_NET) whose URI
# and Host both match one listed URL exactly:
#   - the http.uri content is pinned with depth:<content length> plus endswith
#     and compared case-insensitively (nocase);
#   - the http.host content is pinned with depth:14 plus isdataat:!1,relative,
#     so nothing may follow the 14-byte address.
# The number in msg matches the id in the reference:url path.
#
# NOTE(review): http.uri is Suricata's normalized URI buffer. Per the Suricata
# documentation, percent-escapes such as %20 are decoded there, and matching
# the literal escape text needs http.uri.raw. Rules here whose path carries
# escapes (%c3%a7%c3%a3, %20) compare the encoded text, with a depth counted
# over it, against that buffer, so they may not fire on a sensor with default
# URI decoding. Confirm by replaying a known request (pcap) through the sensor;
# if they stay silent, report it to the feed maintainer and cover the gap with
# a local rule under a local sid rather than editing these sids in place.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-11-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651714/; classtype:trojan-activity;sid:84514814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651710/; classtype:trojan-activity;sid:84514810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651711/; classtype:trojan-activity;sid:84514811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-20/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651709/; classtype:trojan-activity;sid:84514809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3651707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651707/; classtype:trojan-activity;sid:84514807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651705/; classtype:trojan-activity;sid:84514805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-18/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651706/; classtype:trojan-activity;sid:84514806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-06-27/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651699/; classtype:trojan-activity;sid:84514799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651701)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2019-04-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651701/; classtype:trojan-activity;sid:84514801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/pb/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651702/; classtype:trojan-activity;sid:84514802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651703/; classtype:trojan-activity;sid:84514803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651696/; classtype:trojan-activity;sid:84514796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651694)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651694/; classtype:trojan-activity;sid:84514794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651691/; classtype:trojan-activity;sid:84514791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-17/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651692/; classtype:trojan-activity;sid:84514792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651687/; classtype:trojan-activity;sid:84514787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-02/info.zip"; 
depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651688/; classtype:trojan-activity;sid:84514788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-25/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651690/; classtype:trojan-activity;sid:84514790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651682/; classtype:trojan-activity;sid:84514782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-04-23/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651683/; classtype:trojan-activity;sid:84514783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651681/; classtype:trojan-activity;sid:84514781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651679/; classtype:trojan-activity;sid:84514779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-03-14/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651678/; classtype:trojan-activity;sid:84514778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-04-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651675/; classtype:trojan-activity;sid:84514775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651676/; classtype:trojan-activity;sid:84514776; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-01-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651677/; classtype:trojan-activity;sid:84514777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-03-22/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651668/; classtype:trojan-activity;sid:84514768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/conting%c3%aancia/info.zip"; depth:73; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651669/; classtype:trojan-activity;sid:84514769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-02-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651670/; classtype:trojan-activity;sid:84514770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651671)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651671/; classtype:trojan-activity;sid:84514771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651667/; classtype:trojan-activity;sid:84514767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-05/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651663/; classtype:trojan-activity;sid:84514763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651655/; classtype:trojan-activity;sid:84514755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-26/info.zip"; depth:87; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651657/; classtype:trojan-activity;sid:84514757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-28/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651659/; classtype:trojan-activity;sid:84514759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-05-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651650/; classtype:trojan-activity;sid:84514750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-06-24/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651651/; classtype:trojan-activity;sid:84514751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-09/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651652/; classtype:trojan-activity;sid:84514752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-05-10/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651653/; classtype:trojan-activity;sid:84514753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-02-11/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651646/; classtype:trojan-activity;sid:84514746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651648/; classtype:trojan-activity;sid:84514748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-04-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651649/; classtype:trojan-activity;sid:84514749; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/info.zip"; depth:59; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651639/; classtype:trojan-activity;sid:84514739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-29/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651640/; classtype:trojan-activity;sid:84514740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-02/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651641/; classtype:trojan-activity;sid:84514741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651642/; classtype:trojan-activity;sid:84514742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3651643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-05-17/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651643/; classtype:trojan-activity;sid:84514743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-05-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651644/; classtype:trojan-activity;sid:84514744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651634/; classtype:trojan-activity;sid:84514734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2025-05-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651636/; classtype:trojan-activity;sid:84514736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651637)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/info.zip"; depth:59; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651637/; classtype:trojan-activity;sid:84514737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651638/; classtype:trojan-activity;sid:84514738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-02-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651631/; classtype:trojan-activity;sid:84514731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-04-05/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651625/; classtype:trojan-activity;sid:84514725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651627)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-14/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651627/; classtype:trojan-activity;sid:84514727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651620/; classtype:trojan-activity;sid:84514720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-21/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651621/; classtype:trojan-activity;sid:84514721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-08-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651619/; classtype:trojan-activity;sid:84514719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651617)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/cancelamento/2021-12-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651617/; classtype:trojan-activity;sid:84514717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-23/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651614/; classtype:trojan-activity;sid:84514714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-03-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651613/; classtype:trojan-activity;sid:84514713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-03-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651611/; classtype:trojan-activity;sid:84514711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-08-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651608/; classtype:trojan-activity;sid:84514708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651604/; classtype:trojan-activity;sid:84514704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-11-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651601/; classtype:trojan-activity;sid:84514701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-04-14/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651602/; classtype:trojan-activity;sid:84514702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-11-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651591/; classtype:trojan-activity;sid:84514691; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-08/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651592/; classtype:trojan-activity;sid:84514692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2021-07-07/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651593/; classtype:trojan-activity;sid:84514693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-10-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651594/; classtype:trojan-activity;sid:84514694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-13/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651595/; classtype:trojan-activity;sid:84514695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651597)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-02-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651597/; classtype:trojan-activity;sid:84514697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-08-06/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651588/; classtype:trojan-activity;sid:84514688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/ma/conting%c3%aancia/produ%c3%a7%c3%a3o/info.zip"; depth:92; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651589/; classtype:trojan-activity;sid:84514689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-23/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651590/; classtype:trojan-activity;sid:84514690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651583)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-03-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651583/; classtype:trojan-activity;sid:84514683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-05-22/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651586/; classtype:trojan-activity;sid:84514686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-01-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651582/; classtype:trojan-activity;sid:84514682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000677/consulta%20geral/2025-04-26/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651580/; classtype:trojan-activity;sid:84514680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651581)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000405/consulta%20geral/2025-02-09/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651581/; classtype:trojan-activity;sid:84514681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-04-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651579/; classtype:trojan-activity;sid:84514679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-12/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651577/; classtype:trojan-activity;sid:84514677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-09-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651578/; classtype:trojan-activity;sid:84514678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651574)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-05/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651574/; classtype:trojan-activity;sid:84514674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-10/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651575/; classtype:trojan-activity;sid:84514675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651570/; classtype:trojan-activity;sid:84514670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-03-06/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651571/; classtype:trojan-activity;sid:84514671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651568)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-04-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651568/; classtype:trojan-activity;sid:84514668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-05-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651565/; classtype:trojan-activity;sid:84514665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-14/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651564/; classtype:trojan-activity;sid:84514664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-05-30/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651562/; classtype:trojan-activity;sid:84514662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-23/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651563/; classtype:trojan-activity;sid:84514663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-15/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651561/; classtype:trojan-activity;sid:84514661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2023-10-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651558/; classtype:trojan-activity;sid:84514658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-02-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651559/; classtype:trojan-activity;sid:84514659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-15/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651553/; 
classtype:trojan-activity;sid:84514653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-16/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651554/; classtype:trojan-activity;sid:84514654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-01-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651557/; classtype:trojan-activity;sid:84514657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-02-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651548/; classtype:trojan-activity;sid:84514648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-03-04/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651549/; classtype:trojan-activity;sid:84514649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3651550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170596/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651550/; classtype:trojan-activity;sid:84514650; rev:1;)
# NOTE(review): two of the rules below carry percent-escapes (%20, %c3%a7, %c3%a3) in a content
# match on http.uri. Suricata documents http.uri as the normalized URI, with escapes such as %20
# decoded, and exposes the undecoded request URI as http.uri.raw. If the deployed version decodes
# these escapes, the literal "%20" / "%c3..." text is not in the inspected buffer and those sids
# cannot fire. Replay a capture of such a request before counting them as coverage.
# In every rule here, depth:<content length> plus endswith pins the content to the whole buffer,
# so a rule matches one exact URI (case-insensitively); the same path with a query string appended
# is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651551/; classtype:trojan-activity;sid:84514651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-04-02/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651546/; classtype:trojan-activity;sid:84514646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000162/consulta%20geral/2025-04-24/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651539/; classtype:trojan-activity;sid:84514639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651544)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-01-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651544/; classtype:trojan-activity;sid:84514644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000324/consulta%20geral/2025-02-16/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651533/; classtype:trojan-activity;sid:84514633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651534/; classtype:trojan-activity;sid:84514634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2023-07-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651535/; classtype:trojan-activity;sid:84514635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-12-05/info.zip"; depth:39; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651530/; classtype:trojan-activity;sid:84514630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-24/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651531/; classtype:trojan-activity;sid:84514631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651529/; classtype:trojan-activity;sid:84514629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/02589791000596/consulta%20geral/2025-04-18/info.zip"; depth:87; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651527/; classtype:trojan-activity;sid:84514627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-02-09/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651525/; classtype:trojan-activity;sid:84514625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-01-26/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651521/; classtype:trojan-activity;sid:84514621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-11-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651522/; classtype:trojan-activity;sid:84514622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-11-12/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651523/; classtype:trojan-activity;sid:84514623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-05-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651520/; classtype:trojan-activity;sid:84514620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3651516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-01-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651516/; classtype:trojan-activity;sid:84514616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-06-01/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651517/; classtype:trojan-activity;sid:84514617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2025-04-09/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651518/; classtype:trojan-activity;sid:84514618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651515)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-04-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651515/; classtype:trojan-activity;sid:84514615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651512)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-08-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651512/; classtype:trojan-activity;sid:84514612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2023-11-27/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651513/; classtype:trojan-activity;sid:84514613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-02-22/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651514/; classtype:trojan-activity;sid:84514614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-09-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651511/; classtype:trojan-activity;sid:84514611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2020-09-15/info.zip"; depth:62; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651509/; classtype:trojan-activity;sid:84514609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-15/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651510/; classtype:trojan-activity;sid:84514610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-01-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651506/; classtype:trojan-activity;sid:84514606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-05-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651504/; classtype:trojan-activity;sid:84514604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2022-03-14/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, 
urlhaus.abuse.ch/url/3651505/; classtype:trojan-activity;sid:84514605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2024-12-16/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651502/; classtype:trojan-activity;sid:84514602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651494/; classtype:trojan-activity;sid:84514594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651476/; classtype:trojan-activity;sid:84514576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"82.67.39.194"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_04; reference:url, urlhaus.abuse.ch/url/3651475/; classtype:trojan-activity;sid:84514575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/info.zip"; 
depth:18; endswith; nocase; http.host; content:"47.104.31.7"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651304/; classtype:trojan-activity;sid:84514404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.59.134.98"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651202/; classtype:trojan-activity;sid:84514302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566431/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651195/; classtype:trojan-activity;sid:84514295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000225745/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651183/; classtype:trojan-activity;sid:84514283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585574/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651168/; classtype:trojan-activity;sid:84514268; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567168/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651169/; classtype:trojan-activity;sid:84514269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171472/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651167/; classtype:trojan-activity;sid:84514267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170010/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651165/; classtype:trojan-activity;sid:84514265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-08-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651160/; classtype:trojan-activity;sid:84514260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651151)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000165772/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651151/; classtype:trojan-activity;sid:84514251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-20/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651149/; classtype:trojan-activity;sid:84514249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170922/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651139/; classtype:trojan-activity;sid:84514239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603094/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651135/; classtype:trojan-activity;sid:84514235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171064/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3651136/; classtype:trojan-activity;sid:84514236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603095/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651125/; classtype:trojan-activity;sid:84514225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-12-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651099/; classtype:trojan-activity;sid:84514199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.56.227.40"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651097/; classtype:trojan-activity;sid:84514197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171016/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651095/; classtype:trojan-activity;sid:84514195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651092)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-07-06/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651092/; classtype:trojan-activity;sid:84514192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000253230/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651090/; classtype:trojan-activity;sid:84514190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171252/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651088/; classtype:trojan-activity;sid:84514188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"132.247.103.239"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651084/; classtype:trojan-activity;sid:84514184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000189793/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651078/; classtype:trojan-activity;sid:84514178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"77.172.14.72"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651076/; classtype:trojan-activity;sid:84514176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-04-30/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651077/; classtype:trojan-activity;sid:84514177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.36.80.114"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651075/; classtype:trojan-activity;sid:84514175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604320/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651071/; classtype:trojan-activity;sid:84514171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651061)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2024-05-31/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651061/; classtype:trojan-activity;sid:84514161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-12-30/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651056/; classtype:trojan-activity;sid:84514156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2021-01-13/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651037/; classtype:trojan-activity;sid:84514137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/mdf-e/info.zip"; depth:22; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651020/; classtype:trojan-activity;sid:84514120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000186186/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651016/; classtype:trojan-activity;sid:84514116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164262/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651012/; classtype:trojan-activity;sid:84514112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169167/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651015/; classtype:trojan-activity;sid:84514115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000683762/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651011/; classtype:trojan-activity;sid:84514111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3651006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168339/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3651006/; classtype:trojan-activity;sid:84514106; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168881/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650998/; classtype:trojan-activity;sid:84514098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000626337/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650993/; classtype:trojan-activity;sid:84514093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"193.248.186.21"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650994/; classtype:trojan-activity;sid:84514094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000565438/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650986/; classtype:trojan-activity;sid:84514086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000619269/info.zip"; depth:39; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650968/; classtype:trojan-activity;sid:84514068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169465/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650963/; classtype:trojan-activity;sid:84514063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160983/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650959/; classtype:trojan-activity;sid:84514059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165004/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650955/; classtype:trojan-activity;sid:84514055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600294/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650943/; 
classtype:trojan-activity;sid:84514043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169469/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650939/; classtype:trojan-activity;sid:84514039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167445/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650934/; classtype:trojan-activity;sid:84514034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000608221/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650928/; classtype:trojan-activity;sid:84514028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168559/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650924/; classtype:trojan-activity;sid:84514024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650915)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/td00000000000000767154/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650915/; classtype:trojan-activity;sid:84514015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169966/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650912/; classtype:trojan-activity;sid:84514012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625892/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650902/; classtype:trojan-activity;sid:84514002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/app_error/info.zip"; depth:26; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650900/; classtype:trojan-activity;sid:84514000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160599/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; 
reference:url, urlhaus.abuse.ch/url/3650887/; classtype:trojan-activity;sid:84513987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166747/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650884/; classtype:trojan-activity;sid:84513984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171986/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650886/; classtype:trojan-activity;sid:84513986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000555504/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650880/; classtype:trojan-activity;sid:84513980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000765366/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650881/; classtype:trojan-activity;sid:84513981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3650870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604319/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650870/; classtype:trojan-activity;sid:84513970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171330/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650868/; classtype:trojan-activity;sid:84513968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"122.170.103.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650861/; classtype:trojan-activity;sid:84513961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-13/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650859/; classtype:trojan-activity;sid:84513959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000621738/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650856/; classtype:trojan-activity;sid:84513956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165010/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650855/; classtype:trojan-activity;sid:84513955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168303/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650850/; classtype:trojan-activity;sid:84513950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2021-04-01/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650828/; classtype:trojan-activity;sid:84513928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-05/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650824/; classtype:trojan-activity;sid:84513924; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000391039/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650820/; classtype:trojan-activity;sid:84513920; rev:1;)
# Several rules below match the generic path "/info.zip" (depth:9; endswith),
# so their specificity comes entirely from the http.host content, whose depth
# equals the length of the IP string and which isdataat:!1,relative closes off.
# NOTE(review): the rule header is "$HOME_NET any -> $EXTERNAL_NET any", so the
# IP is compared with the Host header value, not with the destination address
# of the flow. Where coverage of the address itself matters, pair these SIDs
# with destination-IP matching or flow-log hunting for the same hosts.
# NOTE(review): these are "alert http" rules; they presumably need the sensor
# to parse the request as HTTP, so TLS-wrapped fetches are out of scope unless
# decrypted upstream - confirm against the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"82.67.39.194"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650817/; classtype:trojan-activity;sid:84513917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000574637/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650818/; classtype:trojan-activity;sid:84513918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650811/; classtype:trojan-activity;sid:84513911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650810/; classtype:trojan-activity;sid:84513910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/normal/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650806/; classtype:trojan-activity;sid:84513906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000601712/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650791/; classtype:trojan-activity;sid:84513891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-25/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650781/; classtype:trojan-activity;sid:84513881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164804/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650779/; classtype:trojan-activity;sid:84513879; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165246/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650768/; classtype:trojan-activity;sid:84513868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000631756/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650748/; classtype:trojan-activity;sid:84513848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167557/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650744/; classtype:trojan-activity;sid:84513844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000607873/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650729/; classtype:trojan-activity;sid:84513829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650726)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000166887/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650726/; classtype:trojan-activity;sid:84513826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162883/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650720/; classtype:trojan-activity;sid:84513820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000680913/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650719/; classtype:trojan-activity;sid:84513819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625326/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650718/; classtype:trojan-activity;sid:84513818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167443/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3650712/; classtype:trojan-activity;sid:84513812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"67.177.204.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650711/; classtype:trojan-activity;sid:84513811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566429/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650703/; classtype:trojan-activity;sid:84513803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-01-14/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650701/; classtype:trojan-activity;sid:84513801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166105/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650693/; classtype:trojan-activity;sid:84513793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650690)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171466/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650690/; classtype:trojan-activity;sid:84513790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164836/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650689/; classtype:trojan-activity;sid:84513789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2021-10-24/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650686/; classtype:trojan-activity;sid:84513786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"176.35.55.164"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650687/; classtype:trojan-activity;sid:84513787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165072/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650683/; classtype:trojan-activity;sid:84513783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000457040/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650678/; classtype:trojan-activity;sid:84513778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.8.164.18"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650679/; classtype:trojan-activity;sid:84513779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000218874/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650676/; classtype:trojan-activity;sid:84513776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171556/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650667/; classtype:trojan-activity;sid:84513767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3650664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000224647/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650664/; classtype:trojan-activity;sid:84513764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165656/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650665/; classtype:trojan-activity;sid:84513765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603149/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650655/; classtype:trojan-activity;sid:84513755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-03-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650650/; classtype:trojan-activity;sid:84513750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-12-19/info.zip"; depth:43; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650652/; classtype:trojan-activity;sid:84513752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171224/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650649/; classtype:trojan-activity;sid:84513749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650633/; classtype:trojan-activity;sid:84513733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-05-04/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650631/; classtype:trojan-activity;sid:84513731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171296/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650622/; 
classtype:trojan-activity;sid:84513722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"88.28.218.163"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650616/; classtype:trojan-activity;sid:84513716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/info.zip"; depth:65; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650611/; classtype:trojan-activity;sid:84513711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604318/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650609/; classtype:trojan-activity;sid:84513709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000677/2024-06-19/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650600/; classtype:trojan-activity;sid:84513700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3650598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650598/; classtype:trojan-activity;sid:84513698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000426238/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650595/; classtype:trojan-activity;sid:84513695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-01-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650591/; classtype:trojan-activity;sid:84513691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"156.200.99.139"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650588/; classtype:trojan-activity;sid:84513688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172470/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650585/; classtype:trojan-activity;sid:84513685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168287/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650586/; classtype:trojan-activity;sid:84513686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585436/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650575/; classtype:trojan-activity;sid:84513675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171288/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650573/; classtype:trojan-activity;sid:84513673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"14.224.205.246"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650570/; classtype:trojan-activity;sid:84513670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3650569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000213545/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650569/; classtype:trojan-activity;sid:84513669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167437/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650561/; classtype:trojan-activity;sid:84513661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"116.72.16.185"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650559/; classtype:trojan-activity;sid:84513659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000606633/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650554/; classtype:trojan-activity;sid:84513654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167071/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650551/; classtype:trojan-activity;sid:84513651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-06-03/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650550/; classtype:trojan-activity;sid:84513650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172576/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650549/; classtype:trojan-activity;sid:84513649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/info.zip"; depth:32; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650541/; classtype:trojan-activity;sid:84513641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2024-10-23/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650535/; 
classtype:trojan-activity;sid:84513635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171304/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650529/; classtype:trojan-activity;sid:84513629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-11-04/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650520/; classtype:trojan-activity;sid:84513620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164808/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650508/; classtype:trojan-activity;sid:84513608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-06-03/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650503/; classtype:trojan-activity;sid:84513603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650504)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170482/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650504/; classtype:trojan-activity;sid:84513604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165644/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650506/; classtype:trojan-activity;sid:84513606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000562134/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650494/; classtype:trojan-activity;sid:84513594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000680914/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650498/; classtype:trojan-activity;sid:84513598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169171/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650499/; classtype:trojan-activity;sid:84513599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"72.132.64.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650492/; classtype:trojan-activity;sid:84513592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-11-28/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650491/; classtype:trojan-activity;sid:84513591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165020/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650482/; classtype:trojan-activity;sid:84513582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650483/; classtype:trojan-activity;sid:84513583; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171284/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650480/; classtype:trojan-activity;sid:84513580; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604651/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650472/; classtype:trojan-activity;sid:84513572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166079/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650465/; classtype:trojan-activity;sid:84513565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-06-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650461/; classtype:trojan-activity;sid:84513561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650457)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/td00000000000000601171/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650457/; classtype:trojan-activity;sid:84513557; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566428/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650443/; classtype:trojan-activity;sid:84513543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"185.8.233.160"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650442/; classtype:trojan-activity;sid:84513542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170516/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650439/; classtype:trojan-activity;sid:84513539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000163666/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650431/;
classtype:trojan-activity;sid:84513531; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000601753/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650430/; classtype:trojan-activity;sid:84513530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000629919/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650423/; classtype:trojan-activity;sid:84513523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650413/; classtype:trojan-activity;sid:84513513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-10-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650397/; classtype:trojan-activity;sid:84513497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650390)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/td00000000000000555505/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650390/; classtype:trojan-activity;sid:84513490; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
# NOTE(review): the http.uri content in sid 84513488 holds percent-escapes
# (%c3%a7, %c3%a3). http.uri is Suricata's normalized URI buffer, where escapes are
# normally decoded, so the literal and its depth (counted on the encoded form) may
# never match; http.uri.raw is the buffer that keeps the escapes. Confirm by
# replaying a sample request before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650388)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2021-05-19/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650388/; classtype:trojan-activity;sid:84513488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171312/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650381/; classtype:trojan-activity;sid:84513481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000546234/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650371/; classtype:trojan-activity;sid:84513471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000586306/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03;
reference:url, urlhaus.abuse.ch/url/3650362/; classtype:trojan-activity;sid:84513462; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"71.198.110.126"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650351/; classtype:trojan-activity;sid:84513451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160995/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650348/; classtype:trojan-activity;sid:84513448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-11-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650347/; classtype:trojan-activity;sid:84513447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"93.43.53.67"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650343/; classtype:trojan-activity;sid:84513443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650337)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/tmpftp/td00000000000000168278/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650337/; classtype:trojan-activity;sid:84513437; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170774/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650338/; classtype:trojan-activity;sid:84513438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000633210/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650340/; classtype:trojan-activity;sid:84513440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000224648/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650331/; classtype:trojan-activity;sid:84513431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165504/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03;
reference:url, urlhaus.abuse.ch/url/3650332/; classtype:trojan-activity;sid:84513432; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604442/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650325/; classtype:trojan-activity;sid:84513425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"5.89.102.77"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650307/; classtype:trojan-activity;sid:84513407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"109.193.105.79"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650299/; classtype:trojan-activity;sid:84513399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166309/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650300/; classtype:trojan-activity;sid:84513400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650276)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/tmpftp/td00000000000000553612/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650276/; classtype:trojan-activity;sid:84513376; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169947/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650270/; classtype:trojan-activity;sid:84513370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650271)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165200/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650271/; classtype:trojan-activity;sid:84513371; rev:1;)
# NOTE(review): the http.uri content in sid 84513369 holds percent-escapes
# (%20, %c3%a3). http.uri is Suricata's normalized URI buffer, where escapes are
# normally decoded, so the literal and its depth (counted on the encoded form) may
# never match; http.uri.raw is the buffer that keeps the escapes. Confirm by
# replaying a sample request before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/mdf-e/01/consulta%20n%c3%a3o%20encerrado/info.zip"; depth:57; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650269/; classtype:trojan-activity;sid:84513369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url,
urlhaus.abuse.ch/url/3650263/; classtype:trojan-activity;sid:84513363; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
# NOTE(review): the http.uri content in sid 84513359 holds percent-escapes
# (%c3%a7, %c3%a3). http.uri is Suricata's normalized URI buffer, where escapes are
# normally decoded, so the literal and its depth (counted on the encoded form) may
# never match; http.uri.raw is the buffer that keeps the escapes. Confirm by
# replaying a sample request before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/eventos/2021-02-16/info.zip"; depth:58; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650259/; classtype:trojan-activity;sid:84513359; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168295/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650258/; classtype:trojan-activity;sid:84513358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585560/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650253/; classtype:trojan-activity;sid:84513353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604650/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650244/; classtype:trojan-activity;sid:84513344; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3650243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604662/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650243/; classtype:trojan-activity;sid:84513343; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168293/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650222/; classtype:trojan-activity;sid:84513322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162637/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650215/; classtype:trojan-activity;sid:84513315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600441/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650214/; classtype:trojan-activity;sid:84513314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000584368/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228";
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650213/; classtype:trojan-activity;sid:84513313; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165935/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650201/; classtype:trojan-activity;sid:84513301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-11-28/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650196/; classtype:trojan-activity;sid:84513296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"103.209.67.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650193/; classtype:trojan-activity;sid:84513293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000179593/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650191/; classtype:trojan-activity;sid:84513291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3650181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2019-12-27/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650181/; classtype:trojan-activity;sid:84513281; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
# NOTE(review): the http.uri content in sid 84513281 (completed by the first line
# of this span) and sid 84513278 holds percent-escapes (%c3%a7, %c3%a3). http.uri
# is Suricata's normalized URI buffer, where escapes are normally decoded, so the
# literal and its depth (counted on the encoded form) may never match;
# http.uri.raw is the buffer that keeps the escapes. Confirm by replaying a sample
# request before relying on these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2024-06-03/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650178/; classtype:trojan-activity;sid:84513278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000222522/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650170/; classtype:trojan-activity;sid:84513270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166869/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650162/; classtype:trojan-activity;sid:84513262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650160)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/td00000000000000566150/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650160/; classtype:trojan-activity;sid:84513260; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000546495/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650161/; classtype:trojan-activity;sid:84513261; rev:1;)
# NOTE(review): the http.uri content in sid 84513238 holds percent-escapes
# (%c3%a7, %c3%a3, %20). http.uri is Suricata's normalized URI buffer, where escapes
# are normally decoded, so the literal and its depth (counted on the encoded form)
# may never match; http.uri.raw is the buffer that keeps the escapes. Confirm by
# replaying a sample request before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-12-22/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650138/; classtype:trojan-activity;sid:84513238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170520/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650130/; classtype:trojan-activity;sid:84513230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2021-10-19/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14;
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650129/; classtype:trojan-activity;sid:84513229; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171256/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650127/; classtype:trojan-activity;sid:84513227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172428/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650123/; classtype:trojan-activity;sid:84513223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000553463/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650122/; classtype:trojan-activity;sid:84513222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165900/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650118/; classtype:trojan-activity;sid:84513218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"URLhaus Known malware download URL detected (3650112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566395/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650112/; classtype:trojan-activity;sid:84513212; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171314/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650107/; classtype:trojan-activity;sid:84513207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171298/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650093/; classtype:trojan-activity;sid:84513193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168275/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650092/; classtype:trojan-activity;sid:84513192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650082)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-11-24/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650082/; classtype:trojan-activity;sid:84513182; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
# NOTE(review): the http.uri content of sid 84513182 (completed by the first line
# of this span) holds percent-escapes (%c3%a7, %c3%a3, %20). http.uri is Suricata's
# normalized URI buffer, where escapes are normally decoded, so the literal and
# its depth (counted on the encoded form) may never match; http.uri.raw is the
# buffer that keeps the escapes. Confirm by replaying a sample request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166259/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650079/; classtype:trojan-activity;sid:84513179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165824/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650078/; classtype:trojan-activity;sid:84513178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/info.zip"; depth:16; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650071/; classtype:trojan-activity;sid:84513171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600293/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at
2025_10_03; reference:url, urlhaus.abuse.ch/url/3650067/; classtype:trojan-activity;sid:84513167; rev:1;)
# URLhaus exact-URL indicators, restored to one rule per line (the first and last
# lines of this span are pieces of rules wrapped across neighbouring lines; a
# Suricata rule must sit on one line unless continued with a backslash).
# Each rule fires on an established client-side HTTP request from $HOME_NET to
# $EXTERNAL_NET with method GET, http.uri equal to the listed path (nocase) and
# http.host equal to the listed IP; reference: links the URLhaus entry named in msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"70.95.233.160"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650061/; classtype:trojan-activity;sid:84513161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-08-25/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650056/; classtype:trojan-activity;sid:84513156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567145/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650051/; classtype:trojan-activity;sid:84513151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2022-05-04/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650047/; classtype:trojan-activity;sid:84513147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650044)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"111.235.143.155"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650044/; classtype:trojan-activity;sid:84513144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2021-08-19/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650038/; classtype:trojan-activity;sid:84513138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169473/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650028/; classtype:trojan-activity;sid:84513128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171454/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650026/; classtype:trojan-activity;sid:84513126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170532/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650023/; classtype:trojan-activity;sid:84513123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3650004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000543689/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3650004/; classtype:trojan-activity;sid:84513104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000546233/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649996/; classtype:trojan-activity;sid:84513096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000173466/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649995/; classtype:trojan-activity;sid:84513095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585575/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649992/; classtype:trojan-activity;sid:84513092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3649985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2020-10-19/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649985/; classtype:trojan-activity;sid:84513085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171194/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649986/; classtype:trojan-activity;sid:84513086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172163/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649987/; classtype:trojan-activity;sid:84513087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"160.202.15.212"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649984/; classtype:trojan-activity;sid:84513084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000586961/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649980/; classtype:trojan-activity;sid:84513080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649981)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000609592/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649981/; classtype:trojan-activity;sid:84513081; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"27.72.159.162"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649975/; classtype:trojan-activity;sid:84513075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"107.128.101.219"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649968/; classtype:trojan-activity;sid:84513068; rev:1;)
# NOTE(review): the next rule matches percent-encoded text (`%20`, `%c3%a7`,
# `%c3%a3`) inside the `http.uri` sticky buffer, and its `depth:62` counts the
# encoded form. Suricata documents `http.uri` as the normalized URI and
# `http.uri.raw` as the unmodified one, using `%20` -> space as its example of
# normalization. If the sensor decodes these sequences, the buffer no longer holds
# the literal `%..` bytes and, because of `depth:62; endswith`, the signature
# would presumably never fire. Confirm by replaying a capture of such a request
# against the sensor's own Suricata/libhtp configuration. Entries whose path
# contains no `%` are not affected by this.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-02-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649961/; classtype:trojan-activity;sid:84513061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3649959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172788/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649959/; classtype:trojan-activity;sid:84513059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000552709/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649952/; classtype:trojan-activity;sid:84513052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000683761/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649943/; classtype:trojan-activity;sid:84513043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567164/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649932/; classtype:trojan-activity;sid:84513032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171888/info.zip"; depth:39; 
endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649930/; classtype:trojan-activity;sid:84513030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165116/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649931/; classtype:trojan-activity;sid:84513031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000264645/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649919/; classtype:trojan-activity;sid:84513019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2022-08-19/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649914/; classtype:trojan-activity;sid:84513014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171458/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649910/; 
classtype:trojan-activity;sid:84513010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000617432/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649900/; classtype:trojan-activity;sid:84513000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-08-06/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649897/; classtype:trojan-activity;sid:84512997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-04-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649899/; classtype:trojan-activity;sid:84512999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624762/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649896/; classtype:trojan-activity;sid:84512996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649895)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000265247/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649895/; classtype:trojan-activity;sid:84512995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165014/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649888/; classtype:trojan-activity;sid:84512988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165090/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649885/; classtype:trojan-activity;sid:84512985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168749/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649886/; classtype:trojan-activity;sid:84512986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167339/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649881/; classtype:trojan-activity;sid:84512981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000212326/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649878/; classtype:trojan-activity;sid:84512978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603747/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649874/; classtype:trojan-activity;sid:84512974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000746890/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649870/; classtype:trojan-activity;sid:84512970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"75.42.36.186"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649865/; classtype:trojan-activity;sid:84512965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3649864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164253/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649864/; classtype:trojan-activity;sid:84512964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000426237/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649863/; classtype:trojan-activity;sid:84512963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649858/; classtype:trojan-activity;sid:84512958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-04-02/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649848/; classtype:trojan-activity;sid:84512948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-03-21/info.zip"; 
depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649840/; classtype:trojan-activity;sid:84512940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"70.190.199.152"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649837/; classtype:trojan-activity;sid:84512937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171742/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649833/; classtype:trojan-activity;sid:84512933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171248/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649821/; classtype:trojan-activity;sid:84512921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172568/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649790/; classtype:trojan-activity;sid:84512890; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2021-07-20/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649788/; classtype:trojan-activity;sid:84512888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000226537/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649783/; classtype:trojan-activity;sid:84512883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2022-02-16/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649780/; classtype:trojan-activity;sid:84512880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166135/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649771/; classtype:trojan-activity;sid:84512871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649762)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000583935/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649762/; classtype:trojan-activity;sid:84512862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171246/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649761/; classtype:trojan-activity;sid:84512861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165999/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649751/; classtype:trojan-activity;sid:84512851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2024-07-06/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649738/; classtype:trojan-activity;sid:84512838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000557542/info.zip"; depth:39; endswith; nocase; http.host; 
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649730/; classtype:trojan-activity;sid:84512830; rev:1;)
# The `http.host` match in each rule is made against the Host header of the
# request (on these lines always an IPv4 literal). The rule header is
# `$EXTERNAL_NET any`, so the destination address of the connection itself is not
# constrained. Coverage is therefore per URL as written in the request, not per
# server address; pair these signatures with an address-based indicator for the
# listed hosts if address-level coverage is needed.
# When triaging, group hits by `http.host`: several sids firing for one host are
# separate URLhaus entries for the same server, not separate servers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167115/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649731/; classtype:trojan-activity;sid:84512831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649707/; classtype:trojan-activity;sid:84512807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171474/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649701/; classtype:trojan-activity;sid:84512801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"222.252.31.94"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649682/; classtype:trojan-activity;sid:84512782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3649677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171468/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649677/; classtype:trojan-activity;sid:84512777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000230418/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649673/; classtype:trojan-activity;sid:84512773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166739/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649674/; classtype:trojan-activity;sid:84512774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-21/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649672/; classtype:trojan-activity;sid:84512772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000552326/info.zip"; depth:39; endswith; 
nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649669/; classtype:trojan-activity;sid:84512769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-04-29/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649656/; classtype:trojan-activity;sid:84512756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169927/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649655/; classtype:trojan-activity;sid:84512755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172094/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649643/; classtype:trojan-activity;sid:84512743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162506/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649635/; 
classtype:trojan-activity;sid:84512735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171302/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649622/; classtype:trojan-activity;sid:84512722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166801/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649626/; classtype:trojan-activity;sid:84512726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160981/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649613/; classtype:trojan-activity;sid:84512713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000551812/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649607/; classtype:trojan-activity;sid:84512707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649590)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2023-03-10/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649590/; classtype:trojan-activity;sid:84512690; rev:1;)
# NOTE(review): the rule completed just above (sid:84512690) matches literal percent-escapes
# (%c3%a7%c3%a3) in http.uri, which Suricata documents as the normalized URI buffer
# (http.uri.raw is the unmodified form). Verify with a test pcap that it matches as written.
# The rules below are exact-match indicators: HTTP GET from $HOME_NET to Host 177.70.102.228,
# one /tmpftp/.../info.zip path per rule (depth:39 equals the content length; endswith
# anchors the end of the buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168299/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649576/; classtype:trojan-activity;sid:84512676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167451/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649577/; classtype:trojan-activity;sid:84512677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160619/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649573/; classtype:trojan-activity;sid:84512673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171294/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative;
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649574/; classtype:trojan-activity;sid:84512674; rev:1;)
# Exact-match URLhaus indicators: HTTP GET from $HOME_NET to Host 177.70.102.228, one path
# per rule. depth:<content length> + endswith means the whole http.uri buffer must equal the
# content (case-insensitively); the reference URL points at the URLhaus entry for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171316/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649572/; classtype:trojan-activity;sid:84512672; rev:1;)
# NOTE(review): the next rule matches literal percent-escapes (%c3%a7%c3%a3) in http.uri,
# which Suricata documents as the normalized URI buffer (http.uri.raw is the unmodified
# form). Verify with a test pcap that the content matches as written - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2020-08-27/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649570/; classtype:trojan-activity;sid:84512670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000223168/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649567/; classtype:trojan-activity;sid:84512667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168281/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649556/; classtype:trojan-activity;sid:84512656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus
Known malware download URL detected (3649551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167601/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649551/; classtype:trojan-activity;sid:84512651; rev:1;)
# URLhaus indicators for Host 177.70.102.228: each rule fires on an HTTP GET from $HOME_NET
# whose http.uri buffer equals the listed path and whose http.host buffer equals the IP
# (depth:14 + isdataat:!1,relative leaves no room for extra bytes).
# NOTE(review): the next rule matches literal percent-escapes (%c3%a7%c3%a3) in http.uri,
# which Suricata documents as the normalized URI buffer (http.uri.raw is the unmodified
# form). Verify with a test pcap that the content matches as written - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2024-06-06/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649552/; classtype:trojan-activity;sid:84512652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600310/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649544/; classtype:trojan-activity;sid:84512644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166323/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649533/; classtype:trojan-activity;sid:84512633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649532)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/td00000000000000732234/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649532/; classtype:trojan-activity;sid:84512628; rev:1;)
# Exact-match URLhaus indicators: HTTP GET from $HOME_NET to Host 177.70.102.228, one
# /tmpftp/td.../info.zip path per rule. depth:39 equals the content length and endswith
# anchors the end, so the whole http.uri buffer must equal the content; a request that
# differs in any byte other than letter case is outside the signature.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000223167/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649528/; classtype:trojan-activity;sid:84512628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000584370/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649521/; classtype:trojan-activity;sid:84512621; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000583934/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649517/; classtype:trojan-activity;sid:84512617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165844/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url,
urlhaus.abuse.ch/url/3649514/; classtype:trojan-activity;sid:84512614; rev:1;)
# URLhaus indicators for Host 177.70.102.228: alert on an HTTP GET from $HOME_NET whose
# http.uri equals the listed path (depth:<content length> + endswith) and whose http.host
# equals the IP. A hit means the URL was requested; check the endpoint before concluding more.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165184/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649503/; classtype:trojan-activity;sid:84512603; rev:1;)
# NOTE(review): the next rule matches literal percent-escapes (%20, %c3%a7) in http.uri,
# which Suricata documents as the normalized URI buffer (http.uri.raw is the unmodified
# form). Verify with a test pcap that the content matches as written - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/df/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649498/; classtype:trojan-activity;sid:84512598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164122/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649468/; classtype:trojan-activity;sid:84512568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567165/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649459/; classtype:trojan-activity;sid:84512559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3649455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171854/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649455/; classtype:trojan-activity;sid:84512555; rev:1;)
# Exact-match URLhaus indicators: HTTP GET from $HOME_NET to Host 177.70.102.228, one
# /tmpftp/td.../info.zip path per rule. flow:established,from_client restricts matching to
# client requests on established sessions; the URLhaus id in msg and reference identifies
# the feed entry behind each sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604321/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649440/; classtype:trojan-activity;sid:84512540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160615/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649424/; classtype:trojan-activity;sid:84512524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171250/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649418/; classtype:trojan-activity;sid:84512518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165250/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228";
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649416/; classtype:trojan-activity;sid:84512516; rev:1;)
# URLhaus indicators for Host 177.70.102.228: alert on an HTTP GET from $HOME_NET whose
# http.uri equals the listed path (depth:<content length> + endswith) and whose http.host
# equals the IP (depth:14 + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171286/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649414/; classtype:trojan-activity;sid:84512514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169527/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649411/; classtype:trojan-activity;sid:84512511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171402/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649406/; classtype:trojan-activity;sid:84512506; rev:1;)
# NOTE(review): the next rule matches literal percent-escapes (%c3%a7%c3%a3) in http.uri,
# which Suricata documents as the normalized URI buffer (http.uri.raw is the unmodified
# form). Verify with a test pcap that the content matches as written - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/02589791000758/2021-05-08/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649397/; classtype:trojan-activity;sid:84512497; rev:1;)
alert
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-08-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649395/; classtype:trojan-activity;sid:84512495; rev:1;)
# NOTE(review): the rule completed just above (sid:84512495) matches literal percent-escapes
# (%20, %c3%a7%c3%a3) in http.uri, which Suricata documents as the normalized URI buffer
# (http.uri.raw is the unmodified form). Verify with a test pcap that it matches as written.
# The rules below are exact-match indicators: HTTP GET from $HOME_NET to Host 177.70.102.228,
# one path per rule (depth:<content length> + endswith = whole http.uri buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171478/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649392/; classtype:trojan-activity;sid:84512492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168553/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649389/; classtype:trojan-activity;sid:84512489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2024-08-22/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649391/; classtype:trojan-activity;sid:84512491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649387)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/td00000000000000171462/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649387/; classtype:trojan-activity;sid:84512487; rev:1;)
# URLhaus indicators for Host 177.70.102.228: alert on an HTTP GET from $HOME_NET whose
# http.uri equals the listed path (depth:<content length> + endswith) and whose http.host
# equals the IP (depth:14 + isdataat:!1,relative).
# NOTE(review): the next rule, and the unfinished rule at the end of this group, match literal
# percent-escapes (%20, %c3%a7%c3%a3) in http.uri, which Suricata documents as the normalized
# URI buffer (http.uri.raw is the unmodified form). Verify with a test pcap - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2023-12-12/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649385/; classtype:trojan-activity;sid:84512485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000606635/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649379/; classtype:trojan-activity;sid:84512479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000238203/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649377/; classtype:trojan-activity;sid:84512477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2019-12-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228";
depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649375/; classtype:trojan-activity;sid:84512475; rev:1;)
# Exact-match URLhaus indicators: HTTP GET from $HOME_NET to Host 177.70.102.228, one path
# per rule (depth:<content length> + endswith = whole http.uri buffer, compared nocase).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171242/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649372/; classtype:trojan-activity;sid:84512472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/info.zip"; depth:21; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649370/; classtype:trojan-activity;sid:84512470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171464/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649365/; classtype:trojan-activity;sid:84512465; rev:1;)
# NOTE(review): the next rule matches literal percent-escapes (%20, %c3%a7%c3%a3) in
# http.uri, which Suricata documents as the normalized URI buffer (http.uri.raw is the
# unmodified form). Verify with a test pcap that the content matches as written - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-07-30/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649366/; classtype:trojan-activity;sid:84512466; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171332/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649360/; classtype:trojan-activity;sid:84512460; rev:1;)
# URLhaus indicators for Host 177.70.102.228: each rule fires on an HTTP GET from $HOME_NET
# for one /tmpftp/td.../info.zip path. depth:39 equals the content length and endswith anchors
# the end, so the whole http.uri buffer must equal the content. Treat a hit as "URL was
# requested" and confirm the outcome on the requesting host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166237/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649357/; classtype:trojan-activity;sid:84512457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165850/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649354/; classtype:trojan-activity;sid:84512454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000213544/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649353/; classtype:trojan-activity;sid:84512453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000265246/info.zip";
depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649346/; classtype:trojan-activity;sid:84512446; rev:1;)
# Exact-match URLhaus indicators: HTTP GET from $HOME_NET to Host 177.70.102.228, one path
# per rule (depth:<content length> + endswith = whole http.uri buffer, compared nocase).
# NOTE(review): the next rule matches literal percent-escapes (%20, %c3%a7%c3%a3) in
# http.uri, which Suricata documents as the normalized URI buffer (http.uri.raw is the
# unmodified form). Verify with a test pcap that the content matches as written - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-06-13/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649338/; classtype:trojan-activity;sid:84512438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649335)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000587212/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649335/; classtype:trojan-activity;sid:84512435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649332)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172165/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649332/; classtype:trojan-activity;sid:84512432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165794/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649329/;
classtype:trojan-activity;sid:84512429; rev:1;)
# URLhaus indicators for Host 177.70.102.228: alert on an HTTP GET from $HOME_NET whose
# http.uri equals the listed path (depth:<content length> + endswith) and whose http.host
# equals the IP (depth:14 + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000173022/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649326/; classtype:trojan-activity;sid:84512426; rev:1;)
# NOTE(review): the next two rules match literal percent-escapes (%20, %c3%a7%c3%a3) in
# http.uri, which Suricata documents as the normalized URI buffer (http.uri.raw is the
# unmodified form). Verify with a test pcap that the contents match as written - TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/ct-e/distribui%c3%a7%c3%a3o/info.zip"; depth:44; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649321/; classtype:trojan-activity;sid:84512421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000677/2023-11-20/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649323/; classtype:trojan-activity;sid:84512423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566420/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649310/; classtype:trojan-activity;sid:84512410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL
detected (3649309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567141/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649309/; classtype:trojan-activity;sid:84512409; rev:1;)
# Exact-match URLhaus indicators: HTTP GET from $HOME_NET to Host 177.70.102.228, one
# /tmpftp/td.../info.zip path per rule. depth:39 equals the content length and endswith
# anchors the end, so the whole http.uri buffer must equal the content (nocase).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000215215/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649306/; classtype:trojan-activity;sid:84512406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000562903/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649303/; classtype:trojan-activity;sid:84512403; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000567162/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649295/; classtype:trojan-activity;sid:84512395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168063/info.zip"; depth:39; endswith; nocase; http.host;
content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649278/; classtype:trojan-activity;sid:84512378; rev:1;)
# URLhaus indicators for Host 177.70.102.228: alert on an HTTP GET from $HOME_NET whose
# http.uri equals the listed path (depth:<content length> + endswith) and whose http.host
# equals the IP (depth:14 + isdataat:!1,relative). The reference URL is the URLhaus entry
# to consult during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649250)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000558592/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649250/; classtype:trojan-activity;sid:84512350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-21/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649243/; classtype:trojan-activity;sid:84512343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600544/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649193/; classtype:trojan-activity;sid:84512293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165480/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649189/; classtype:trojan-activity;sid:84512289; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000162652/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649173/; classtype:trojan-activity;sid:84512273; rev:1;)
# Exact-match URLhaus indicators: HTTP GET from $HOME_NET to Host 177.70.102.228, one
# /tmpftp/td.../info.zip path per rule. depth:39 equals the content length and endswith
# anchors the end, so the whole http.uri buffer must equal the content (nocase).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166657/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649158/; classtype:trojan-activity;sid:84512258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625429/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649149/; classtype:trojan-activity;sid:84512249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000600309/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649145/; classtype:trojan-activity;sid:84512245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649137)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2021-11-14/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649137/; classtype:trojan-activity;sid:84512237; rev:1;)
# NOTE(review): the rule completed just above (sid:84512237) and sid:84512228 below match
# literal percent-escapes (%20, %c3%a7%c3%a3) in http.uri, which Suricata documents as the
# normalized URI buffer (http.uri.raw is the unmodified form). Verify with a test pcap that
# they match as written - TODO confirm.
# The rules below are exact-match indicators: HTTP GET from $HOME_NET to Host 177.70.102.228,
# one path per rule (depth:<content length> + endswith = whole http.uri buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/9929/info.zip"; depth:28; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649135/; classtype:trojan-activity;sid:84512235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171244/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649130/; classtype:trojan-activity;sid:84512230; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/info.zip"; depth:52; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649128/; classtype:trojan-activity;sid:84512228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168297/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative;
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649124/; classtype:trojan-activity;sid:84512224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-07-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649120/; classtype:trojan-activity;sid:84512220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000551813/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649110/; classtype:trojan-activity;sid:84512210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/consulta/2019-03-13/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649111/; classtype:trojan-activity;sid:84512211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000224583/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649108/; classtype:trojan-activity;sid:84512208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3649099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000170506/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649099/; classtype:trojan-activity;sid:84512199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-01/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649092/; classtype:trojan-activity;sid:84512192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/2022-03-09/info.zip"; depth:91; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649089/; classtype:trojan-activity;sid:84512189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000591279/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649084/; classtype:trojan-activity;sid:84512184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649080)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000165248/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649080/; classtype:trojan-activity;sid:84512180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000225746/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649078/; classtype:trojan-activity;sid:84512178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-10-09/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649068/; classtype:trojan-activity;sid:84512168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166183/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649061/; classtype:trojan-activity;sid:84512161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-05-07/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649062/; classtype:trojan-activity;sid:84512162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000616852/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649055/; classtype:trojan-activity;sid:84512155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-05/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649056/; classtype:trojan-activity;sid:84512156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/inutiliza%c3%a7%c3%a3o/2020-01-27/info.zip"; depth:53; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649050/; classtype:trojan-activity;sid:84512150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-18/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649043/; classtype:trojan-activity;sid:84512143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3649034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160612/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649034/; classtype:trojan-activity;sid:84512134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2020-12-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649035/; classtype:trojan-activity;sid:84512135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791000910/info.zip"; depth:80; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649037/; classtype:trojan-activity;sid:84512137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171306/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649027/; classtype:trojan-activity;sid:84512127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649028)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tmpftp/td00000000000000160718/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649028/; classtype:trojan-activity;sid:84512128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604673/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649029/; classtype:trojan-activity;sid:84512129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164236/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649021/; classtype:trojan-activity;sid:84512121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171640/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3649012/; classtype:trojan-activity;sid:84512112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3649003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000586305/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; 
reference:url, urlhaus.abuse.ch/url/3649003/; classtype:trojan-activity;sid:84512103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta/18296147000306/2024-08-07/info.zip"; depth:74; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648998/; classtype:trojan-activity;sid:84512098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166851/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648995/; classtype:trojan-activity;sid:84512095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/02589791001053/info.zip"; depth:80; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648997/; classtype:trojan-activity;sid:84512097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000553613/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648988/; classtype:trojan-activity;sid:84512088; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172670/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648972/; classtype:trojan-activity;sid:84512072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000164510/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648973/; classtype:trojan-activity;sid:84512073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-09-16/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648964/; classtype:trojan-activity;sid:84512064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-05-02/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648960/; classtype:trojan-activity;sid:84512060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648957)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000171308/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648957/; classtype:trojan-activity;sid:84512057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000556238/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648956/; classtype:trojan-activity;sid:84512056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160742/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648952/; classtype:trojan-activity;sid:84512052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000629918/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648941/; classtype:trojan-activity;sid:84512041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/manifesta%c3%a7%c3%a3o/consulta%20nsu%20faltante/18296147000306/info.zip"; depth:80; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648942/; classtype:trojan-activity;sid:84512042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/disponibilidade%20de%20servi%c3%a7o/es/info.zip"; depth:55; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648943/; classtype:trojan-activity;sid:84512043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648936)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566149/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648936/; classtype:trojan-activity;sid:84512036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168121/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648933/; classtype:trojan-activity;sid:84512033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165244/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648926/; classtype:trojan-activity;sid:84512026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3648930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-07/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648930/; classtype:trojan-activity;sid:84512030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-03-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648931/; classtype:trojan-activity;sid:84512031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000201084/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648912/; classtype:trojan-activity;sid:84512012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-09-27/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648904/; classtype:trojan-activity;sid:84512004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648891)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000167509/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648891/; classtype:trojan-activity;sid:84511991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171476/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648889/; classtype:trojan-activity;sid:84511989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168551/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648884/; classtype:trojan-activity;sid:84511984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165820/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648885/; classtype:trojan-activity;sid:84511985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000603104/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, 
urlhaus.abuse.ch/url/3648886/; classtype:trojan-activity;sid:84511986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166085/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648872/; classtype:trojan-activity;sid:84511972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171292/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648877/; classtype:trojan-activity;sid:84511977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165486/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648868/; classtype:trojan-activity;sid:84511968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000169013/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648858/; classtype:trojan-activity;sid:84511958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648854)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160982/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648854/; classtype:trojan-activity;sid:84511954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000165826/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648849/; classtype:trojan-activity;sid:84511949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000591547/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648832/; classtype:trojan-activity;sid:84511932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000621599/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648824/; classtype:trojan-activity;sid:84511924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171450/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648825/; classtype:trojan-activity;sid:84511925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000166307/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648819/; classtype:trojan-activity;sid:84511919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-09-11/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648820/; classtype:trojan-activity;sid:84511920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171228/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648811/; classtype:trojan-activity;sid:84511911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171470/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648805/; classtype:trojan-activity;sid:84511905; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172170/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648802/; classtype:trojan-activity;sid:84511902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000595439/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648798/; classtype:trojan-activity;sid:84511898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000625549/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648788/; classtype:trojan-activity;sid:84511888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2020-01-03/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648785/; classtype:trojan-activity;sid:84511885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648781)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/td00000000000000168291/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648781/; classtype:trojan-activity;sid:84511881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171318/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648771/; classtype:trojan-activity;sid:84511871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-07-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648765/; classtype:trojan-activity;sid:84511865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/recep%c3%a7%c3%a3o/2019-05-08/info.zip"; depth:49; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648759/; classtype:trojan-activity;sid:84511859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000602408/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; 
reference:url, urlhaus.abuse.ch/url/3648758/; classtype:trojan-activity;sid:84511858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000553198/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648755/; classtype:trojan-activity;sid:84511855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172872/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648750/; classtype:trojan-activity;sid:84511850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160984/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648746/; classtype:trojan-activity;sid:84511846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-05-22/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648736/; classtype:trojan-activity;sid:84511836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3648722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585561/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648722/; classtype:trojan-activity;sid:84511822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-06-04/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648712/; classtype:trojan-activity;sid:84511812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172746/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648710/; classtype:trojan-activity;sid:84511810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2024-11-12/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648707/; classtype:trojan-activity;sid:84511807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-05-09/info.zip"; 
depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648706/; classtype:trojan-activity;sid:84511806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171310/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648700/; classtype:trojan-activity;sid:84511800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000172292/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648698/; classtype:trojan-activity;sid:84511798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000542542/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648693/; classtype:trojan-activity;sid:84511793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000160618/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648692/; 
classtype:trojan-activity;sid:84511792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624761/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648689/; classtype:trojan-activity;sid:84511789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/carta%20de%20corre%c3%a7%c3%a3o/2025-01-06/info.zip"; depth:62; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648690/; classtype:trojan-activity;sid:84511790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000168329/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648686/; classtype:trojan-activity;sid:84511786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000167041/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648682/; classtype:trojan-activity;sid:84511782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648670)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624984/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648670/; classtype:trojan-activity;sid:84511770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000566430/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648672/; classtype:trojan-activity;sid:84511772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604501/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648669/; classtype:trojan-activity;sid:84511769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171438/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648655/; classtype:trojan-activity;sid:84511755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000230417/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648657/; classtype:trojan-activity;sid:84511757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000604491/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648637/; classtype:trojan-activity;sid:84511737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000585614/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648630/; classtype:trojan-activity;sid:84511730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/mdf-e/01/info.zip"; depth:25; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648623/; classtype:trojan-activity;sid:84511723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2022-05-10/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648606/; classtype:trojan-activity;sid:84511706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3648600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/01/cancelamento/2019-03-26/info.zip"; depth:43; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648600/; classtype:trojan-activity;sid:84511700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171240/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648590/; classtype:trojan-activity;sid:84511690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000624763/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648558/; classtype:trojan-activity;sid:84511658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/td00000000000000171726/info.zip"; depth:39; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648562/; classtype:trojan-activity;sid:84511662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648527)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20pictures/info.zip"; depth:142; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648527/; classtype:trojan-activity;sid:84511627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20received%20files/vinod982038189896/info.zip"; depth:168; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648357/; classtype:trojan-activity;sid:84511457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/transchart/unused%20desktop%20shortcuts/info.zip"; depth:161; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648354/; classtype:trojan-activity;sid:84511454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3648112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20received%20files/vinod982038189896/history/info.zip"; depth:176; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3648112/; classtype:trojan-activity;sid:84511212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/raj%20sir/info.zip"; depth:138; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647826/; classtype:trojan-activity;sid:84510926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/transchart/info.zip"; depth:132; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647813/; classtype:trojan-activity;sid:84510913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.220.234.5"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647513/; classtype:trojan-activity;sid:84510613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3647457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recipes/staging/a-89fb7017-7780-4b72-950d-c2db1146a34a.exe"; depth:59; endswith; nocase; http.host; content:"best10cdn.blob.core.windows.net"; depth:31; isdataat:!1,relative; 
metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3647457/; classtype:trojan-activity;sid:84510557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/optimized_msi.png"; depth:25; endswith; nocase; http.host; content:"mobshah.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646426/; classtype:trojan-activity;sid:84509526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano/image.jpg|3f|12711343"; depth:52; endswith; nocase; http.host; content:"ybgctdtbzvgpdxjivafy.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646414/; classtype:trojan-activity;sid:84509514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano_duso/image.jpg"; depth:45; endswith; nocase; http.host; content:"frygzjyhtiunvhvnacif.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646420/; classtype:trojan-activity;sid:84509520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3646403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/hold/image.jpg|3f|12711343h"; depth:53; endswith; nocase; http.host; content:"ihmmkvkaiwnilneauhfn.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_10_03; reference:url, urlhaus.abuse.ch/url/3646403/; classtype:trojan-activity;sid:84509503; rev:1;) 
# ---------------------------------------------------------------------------
# URLhaus per-URL download rules (entries created 2025_10_02).
#
# Each rule fires on a client-side HTTP GET from $HOME_NET to $EXTERNAL_NET
# whose URI and Host header both equal one listed URL:
#   * http.uri  - content + depth:<content length> + endswith pins the whole
#                 buffer, so a longer or shorter URI does not match; the
#                 comparison is case-insensitive (nocase).
#   * http.host - content + depth:<content length> + isdataat:!1,relative
#                 pins the whole host value; no nocase is set on it.
#
# Triage notes:
#   * The rules look only at the request (flow:...,from_client); none of them
#     inspects the response, so an alert means "an internal host asked for
#     this URL". Confirm from HTTP/file logs whether the download completed.
#   * These are `alert http` rules: a fetch of the same host/path inside TLS
#     is presumably not seen unless traffic is decrypted before the sensor.
#   * NOTE(review): several URIs are matched in percent-encoded form
#     (%20, %d0%..) against http.uri, and depth counts the encoded bytes.
#     Confirm how the deployed Suricata/libhtp configuration normalizes
#     percent-encoding in http.uri; if it decodes these bytes before
#     matching, the encoded patterns would need http.uri.raw to hit.
#   * msg and reference carry the URLhaus entry id for pivoting.
# ---------------------------------------------------------------------------

# Host def163.keenetic.pro: .scr / .lnk files at the web root and under two
# directories whose names are percent-encoded UTF-8 Cyrillic:
#   %d0%9f%d0%b8%d0%bb%d0%be%d1%82                               -> "Пилот"
#   usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c -> "usb-накопитель"
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/photo.scr"; depth:41; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645969/; classtype:trojan-activity;sid:84509069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/photo.scr"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645971/; classtype:trojan-activity;sid:84509071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645968/; classtype:trojan-activity;sid:84509068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/video.scr"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645967/; classtype:trojan-activity;sid:84509067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645966/; classtype:trojan-activity;sid:84509066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645963/; classtype:trojan-activity;sid:84509063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/photo.lnk"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645964/; classtype:trojan-activity;sid:84509064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/av.lnk"; depth:72; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645965/; classtype:trojan-activity;sid:84509065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/av.scr"; depth:38; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645961/; classtype:trojan-activity;sid:84509061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/video.scr"; depth:41; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645960/; classtype:trojan-activity;sid:84509060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/av.lnk"; depth:38; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645957/; classtype:trojan-activity;sid:84509057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.lnk"; depth:10; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645958/; classtype:trojan-activity;sid:84509058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645959/; classtype:trojan-activity;sid:84509059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/usb-%d0%bd%d0%b0%d0%ba%d0%be%d0%bf%d0%b8%d1%82%d0%b5%d0%bb%d1%8c/video.lnk"; depth:75; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645955/; classtype:trojan-activity;sid:84509055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d0%9f%d0%b8%d0%bb%d0%be%d1%82/photo.lnk"; depth:41; endswith; nocase; http.host; content:"def163.keenetic.pro"; depth:19; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645956/; classtype:trojan-activity;sid:84509056; rev:1;)

# Same file name (/photo.scr) on a different host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"www.intelligradeeducation.vicentecisnerospub.com"; depth:48; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645950/; classtype:trojan-activity;sid:84509050; rev:1;)

# info.zip entries. The 103.20.213.34 rules differ only in the directory
# portion of the URI (spaces encoded as %20); presumably the same file name
# was found in many directories of one exposed file tree - verify against the
# referenced URLhaus entries. Because the Host match is an exact IP literal,
# a request that reaches the same server under a DNS name is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20pictures/neha%20imagecopy/info.zip"; depth:159; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645889/; classtype:trojan-activity;sid:84508989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"66.185.26.66"; depth:12; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645874/; classtype:trojan-activity;sid:84508974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/wallpaper/info.zip"; depth:138; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645854/; classtype:trojan-activity;sid:84508954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20music/info.zip"; depth:139; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645847/; classtype:trojan-activity;sid:84508947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20scans/info.zip"; depth:139; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645832/; classtype:trojan-activity;sid:84508932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/my%20received%20files/info.zip"; depth:150; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645827/; classtype:trojan-activity;sid:84508927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/various%20files/info.zip"; depth:137; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645760/; classtype:trojan-activity;sid:84508860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/charter%20party/info.zip"; depth:144; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645751/; classtype:trojan-activity;sid:84508851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/bhushan/info.zip"; depth:129; 
endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645677/; classtype:trojan-activity;sid:84508777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/windows/powershell/info.zip"; depth:38; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645600/; classtype:trojan-activity;sid:84508700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/info.zip"; depth:113; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645569/; classtype:trojan-activity;sid:84508669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/deepak/my%20docs/info.zip"; depth:59; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645516/; classtype:trojan-activity;sid:84508616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/desktop/tai%20ping%20shan-phaethon-cp/info.zip"; depth:105; endswith; nocase; http.host; 
content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645322/; classtype:trojan-activity;sid:84508422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/cp%20transchart/info.zip"; depth:121; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645234/; classtype:trojan-activity;sid:84508334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3645139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/my%20documents/info.zip"; depth:128; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3645139/; classtype:trojan-activity;sid:84508239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3644784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/10-6-13/desktop/info.zip"; depth:121; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3644784/; classtype:trojan-activity;sid:84507884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3644339)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uploads/uploads/aryacorp%20delhi/anshul/anshul%20archieve/10.6.2013/jain%20sir%20data%20desktop/info.zip"; depth:105; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3644339/; classtype:trojan-activity;sid:84507439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/microsoft.sql.server.2012.enterprise.edition.with.service.pack.1-kopie/info.zip"; depth:84; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642788/; classtype:trojan-activity;sid:84505888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/key/info.zip"; depth:24; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642779/; classtype:trojan-activity;sid:84505879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/incis/info.zip"; depth:15; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642775/; classtype:trojan-activity;sid:84505875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/incis/key/inipaytest/info.zip"; depth:30; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642717/; classtype:trojan-activity;sid:84505817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe/info.zip"; depth:21; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642700/; classtype:trojan-activity;sid:84505800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/windows/info.zip"; depth:27; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642692/; classtype:trojan-activity;sid:84505792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/incis/key/info.zip"; depth:19; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642677/; classtype:trojan-activity;sid:84505777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/log/info.zip"; depth:24; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642643/; classtype:trojan-activity;sid:84505743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642634)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe/ammicafefile/info.zip"; depth:34; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642634/; classtype:trojan-activity;sid:84505734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe2/info.zip"; depth:22; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642484/; classtype:trojan-activity;sid:84505584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"121.184.128.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642438/; classtype:trojan-activity;sid:84505538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02/info.zip"; depth:12; endswith; nocase; http.host; content:"121.184.128.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642422/; classtype:trojan-activity;sid:84505522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe2/ammicafe2file/info.zip"; depth:36; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, 
urlhaus.abuse.ch/url/3642417/; classtype:trojan-activity;sid:84505517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slnammicafe2/ammicafe2file/ammicafe2setup/info.zip"; depth:51; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642406/; classtype:trojan-activity;sid:84505506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/html/info.zip"; depth:18; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642382/; classtype:trojan-activity;sid:84505482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/sql%20server%202014/info.zip"; depth:33; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642346/; classtype:trojan-activity;sid:84505446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/info.zip"; depth:16; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642349/; classtype:trojan-activity;sid:84505449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642324)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/01/info.zip"; depth:12; endswith; nocase; http.host; content:"121.184.128.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642324/; classtype:trojan-activity;sid:84505424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploads/uploads/info.zip"; depth:25; endswith; nocase; http.host; content:"103.20.213.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642297/; classtype:trojan-activity;sid:84505397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/key/inipaytest/info.zip"; depth:35; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642294/; classtype:trojan-activity;sid:84505394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inicis_dll/info.zip"; depth:20; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642245/; classtype:trojan-activity;sid:84505345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3642246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/info.zip"; depth:13; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3642246/; classtype:trojan-activity;sid:84505346; 
rev:1;)
# NOTE(review), sid 84502411: three things to confirm before relying on it.
# 1. "|7c|26|7c|" decodes to the literal text "|26|", so the pattern requires
#    pipe characters in the URI; 0x26 is "&", so the intended separator was
#    presumably "&id=" - check the URLhaus entry.
# 2. The decoded pattern is 59 bytes, while depth:68 equals the length of the
#    escaped text; with endswith this tolerates up to 9 leading bytes instead
#    of anchoring the match at offset 0.
# 3. It is an "alert http" rule for drive.google.com, which is presumably
#    reached over HTTPS, so it can only fire where TLS is decrypted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3639311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=15_5vja6ls72gnqbjqkrme1i7bmit0fe4"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_10_02; reference:url, urlhaus.abuse.ch/url/3639311/; classtype:trojan-activity;sid:84502411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/26072024113244/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637188/; classtype:trojan-activity;sid:84500288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/19092024115007/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637186/; classtype:trojan-activity;sid:84500286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24072024081607/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637187/; classtype:trojan-activity;sid:84500287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637185)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12062024095414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637185/; classtype:trojan-activity;sid:84500285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27082024072850/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637184/; classtype:trojan-activity;sid:84500284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/12082024064105/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637183/; classtype:trojan-activity;sid:84500283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/16082024070308/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637182/; classtype:trojan-activity;sid:84500282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637181)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/6011/13092024072525/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637181/; classtype:trojan-activity;sid:84500281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/23072024115252/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637180/; classtype:trojan-activity;sid:84500280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21072024112418/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637179/; classtype:trojan-activity;sid:84500279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/16082024104510/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637178/; classtype:trojan-activity;sid:84500278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22082024110540/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637177/; classtype:trojan-activity;sid:84500277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/04092024104005/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637176/; classtype:trojan-activity;sid:84500276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8343/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637175/; classtype:trojan-activity;sid:84500275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15082024173844/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637174/; classtype:trojan-activity;sid:84500274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/26072024180426/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637173/; 
classtype:trojan-activity;sid:84500273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/03072024101008/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637172/; classtype:trojan-activity;sid:84500272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13082024112350/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637171/; classtype:trojan-activity;sid:84500271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/26072024074431/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637170/; classtype:trojan-activity;sid:84500270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01092024171022/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637168/; classtype:trojan-activity;sid:84500268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3637169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/11072024080039/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637169/; classtype:trojan-activity;sid:84500269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12092024113946/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637167/; classtype:trojan-activity;sid:84500267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08092024115637/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637166/; classtype:trojan-activity;sid:84500266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15092024104931/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637165/; classtype:trojan-activity;sid:84500265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637164)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8059/12072024075828/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637164/; classtype:trojan-activity;sid:84500264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11092024115504/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637163/; classtype:trojan-activity;sid:84500263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21082024115532/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637160/; classtype:trojan-activity;sid:84500260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8465/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637162/; classtype:trojan-activity;sid:84500262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/25062024073012/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637159/; classtype:trojan-activity;sid:84500259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/29072024110431/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637158/; classtype:trojan-activity;sid:84500258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/15072024124718/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637153/; classtype:trojan-activity;sid:84500253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09082024185433/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637154/; classtype:trojan-activity;sid:84500254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09072024110245/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637155/; 
classtype:trojan-activity;sid:84500255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/09092024072321/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637149/; classtype:trojan-activity;sid:84500249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/24092024073908/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637151/; classtype:trojan-activity;sid:84500251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/19062024071831/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637147/; classtype:trojan-activity;sid:84500247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21092024114951/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637148/; classtype:trojan-activity;sid:84500248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3637145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/30062024113348/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637145/; classtype:trojan-activity;sid:84500245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/04092024113047/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637146/; classtype:trojan-activity;sid:84500246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/04092024120154/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637144/; classtype:trojan-activity;sid:84500244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01082024110241/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637143/; classtype:trojan-activity;sid:84500243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637141)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/14072024110540/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637141/; classtype:trojan-activity;sid:84500241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/19062024103023/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637138/; classtype:trojan-activity;sid:84500238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/06092024072348/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637139/; classtype:trojan-activity;sid:84500239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/29072024070625/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637140/; classtype:trojan-activity;sid:84500240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/18072024112759/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637137/; classtype:trojan-activity;sid:84500237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11072024155154/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637136/; classtype:trojan-activity;sid:84500236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/18082024113426/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637135/; classtype:trojan-activity;sid:84500235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07092024113602/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637133/; classtype:trojan-activity;sid:84500233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28082024163408/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637134/; classtype:trojan-activity;sid:84500234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10082024110351/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637130/; classtype:trojan-activity;sid:84500230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12092024181446/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637131/; classtype:trojan-activity;sid:84500231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/26082024115142/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637129/; classtype:trojan-activity;sid:84500229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/09092024091444/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637128/; classtype:trojan-activity;sid:84500228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/23082024071038/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637127/; classtype:trojan-activity;sid:84500227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17062024181518/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637122/; classtype:trojan-activity;sid:84500222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05082024120940/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637123/; classtype:trojan-activity;sid:84500223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24072024112235/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637124/; classtype:trojan-activity;sid:84500224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637120)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/09082024122457/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637120/; classtype:trojan-activity;sid:84500220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09092024112532/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637117/; classtype:trojan-activity;sid:84500217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24062024072602/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637118/; classtype:trojan-activity;sid:84500218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/12092024070406/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637119/; classtype:trojan-activity;sid:84500219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24072024143513/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637115/; classtype:trojan-activity;sid:84500215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/21082024081755/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637116/; classtype:trojan-activity;sid:84500216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13082024120234/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637114/; classtype:trojan-activity;sid:84500214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19072024123916/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637113/; classtype:trojan-activity;sid:84500213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/15072024080426/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637111/; classtype:trojan-activity;sid:84500211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/22092024115602/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637112/; classtype:trojan-activity;sid:84500212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05082024125302/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637109/; classtype:trojan-activity;sid:84500209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16072024114842/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637107/; classtype:trojan-activity;sid:84500207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/16092024115114/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637108/; classtype:trojan-activity;sid:84500208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/31072024070936/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637105/; classtype:trojan-activity;sid:84500205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17092024104334/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637106/; classtype:trojan-activity;sid:84500206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/01082024072447/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637104/; classtype:trojan-activity;sid:84500204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05082024065930/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637103/; classtype:trojan-activity;sid:84500203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637101)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/6011/01082024133101/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637101/; classtype:trojan-activity;sid:84500201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02082024083649/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637099/; classtype:trojan-activity;sid:84500199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/19072024071620/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637098/; classtype:trojan-activity;sid:84500198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03072024102505/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637092/; classtype:trojan-activity;sid:84500192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/03092024131015/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637093/; classtype:trojan-activity;sid:84500193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/04092024072725/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637091/; classtype:trojan-activity;sid:84500191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20062024112748/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637089/; classtype:trojan-activity;sid:84500189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17072024103622/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637087/; classtype:trojan-activity;sid:84500187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/16082024121016/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637088/; classtype:trojan-activity;sid:84500188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24092024103551/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637085/; classtype:trojan-activity;sid:84500185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/15072024080017/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637086/; classtype:trojan-activity;sid:84500186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21082024081535/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637082/; classtype:trojan-activity;sid:84500182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/26072024111342/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637083/; classtype:trojan-activity;sid:84500183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11062024125904/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637084/; classtype:trojan-activity;sid:84500184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/tek/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637081/; classtype:trojan-activity;sid:84500181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/11092024075310/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637080/; classtype:trojan-activity;sid:84500180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/24072024121144/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637076/; classtype:trojan-activity;sid:84500176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/badmail/info.zip"; 
depth:24; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637077/; classtype:trojan-activity;sid:84500177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/06082024080109/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637078/; classtype:trojan-activity;sid:84500178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/12072024072413/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637079/; classtype:trojan-activity;sid:84500179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/08082024071151/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637073/; classtype:trojan-activity;sid:84500173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01092024084736/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; 
reference:url, urlhaus.abuse.ch/url/3637069/; classtype:trojan-activity;sid:84500169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/08082024072046/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637067/; classtype:trojan-activity;sid:84500167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08072024110224/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637068/; classtype:trojan-activity;sid:84500168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02092024075924/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637065/; classtype:trojan-activity;sid:84500165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/30082024115734/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637064/; classtype:trojan-activity;sid:84500164; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27082024173545/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637063/; classtype:trojan-activity;sid:84500163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24082024112958/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637056/; classtype:trojan-activity;sid:84500156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/05092024073851/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637058/; classtype:trojan-activity;sid:84500158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07082024181015/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637054/; classtype:trojan-activity;sid:84500154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637053)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/09082024151247/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637053/; classtype:trojan-activity;sid:84500153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05072024135901/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637052/; classtype:trojan-activity;sid:84500152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/04072024073930/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637050/; classtype:trojan-activity;sid:84500150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27072024111013/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637051/; classtype:trojan-activity;sid:84500151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28092024110908/info.zip"; depth:57; endswith; nocase; 
http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637047/; classtype:trojan-activity;sid:84500147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/17062024124213/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637048/; classtype:trojan-activity;sid:84500148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637046)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/06082024071203/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637046/; classtype:trojan-activity;sid:84500146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11092024163133/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637044/; classtype:trojan-activity;sid:84500144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8336/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637037/; 
classtype:trojan-activity;sid:84500137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/26062024074615/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637038/; classtype:trojan-activity;sid:84500138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/02072024072748/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637040/; classtype:trojan-activity;sid:84500140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17092024073317/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637041/; classtype:trojan-activity;sid:84500141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25072024124018/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637036/; classtype:trojan-activity;sid:84500136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3637034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/27092024120719/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637034/; classtype:trojan-activity;sid:84500134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29062024115106/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637032/; classtype:trojan-activity;sid:84500132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/02092024121943/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637030/; classtype:trojan-activity;sid:84500130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/06092024173040/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637029/; classtype:trojan-activity;sid:84500129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637026)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8059/17072024080628/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637026/; classtype:trojan-activity;sid:84500126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13082024144908/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637027/; classtype:trojan-activity;sid:84500127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11092024161738/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637024/; classtype:trojan-activity;sid:84500124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/25062024074726/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637021/; classtype:trojan-activity;sid:84500121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/02102024124124/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637022/; classtype:trojan-activity;sid:84500122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/01082024124212/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637023/; classtype:trojan-activity;sid:84500123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/29072024170139/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637020/; classtype:trojan-activity;sid:84500120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12082024111719/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637017/; classtype:trojan-activity;sid:84500117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/13062024073315/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3637019/; classtype:trojan-activity;sid:84500119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26092024073319/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637011/; classtype:trojan-activity;sid:84500111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/03072024075801/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637012/; classtype:trojan-activity;sid:84500112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/13092024065731/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637013/; classtype:trojan-activity;sid:84500113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/02092024155414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637014/; classtype:trojan-activity;sid:84500114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3637007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/29062024131718/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637007/; classtype:trojan-activity;sid:84500107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27062024115812/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637009/; classtype:trojan-activity;sid:84500109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07072024113310/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637010/; classtype:trojan-activity;sid:84500110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/26082024175225/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637005/; classtype:trojan-activity;sid:84500105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637002)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/06092024112226/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637002/; classtype:trojan-activity;sid:84500102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3637004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15092024163914/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3637004/; classtype:trojan-activity;sid:84500104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12082024111034/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636999/; classtype:trojan-activity;sid:84500099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636997)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15062024120757/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636997/; classtype:trojan-activity;sid:84500097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/07082024074934/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636996/; classtype:trojan-activity;sid:84500096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/drop/info.zip"; depth:21; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636993/; classtype:trojan-activity;sid:84500093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11092024172104/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636994/; classtype:trojan-activity;sid:84500094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23072024072015/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636995/; classtype:trojan-activity;sid:84500095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/18082024174028/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636992/; 
classtype:trojan-activity;sid:84500092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/10072024072615/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636991/; classtype:trojan-activity;sid:84500091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03102024140347/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636990/; classtype:trojan-activity;sid:84500090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/29072024094428/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636987/; classtype:trojan-activity;sid:84500087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08082024114220/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636988/; classtype:trojan-activity;sid:84500088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/08082024072411/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636985/; classtype:trojan-activity;sid:84500085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11092024072722/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636982/; classtype:trojan-activity;sid:84500082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/17062024075813/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636978/; classtype:trojan-activity;sid:84500078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26072024071101/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636979/; classtype:trojan-activity;sid:84500079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636980)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/18092024104929/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636980/; classtype:trojan-activity;sid:84500080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27082024111920/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636967/; classtype:trojan-activity;sid:84500067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25072024121015/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636968/; classtype:trojan-activity;sid:84500068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/21082024175843/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636969/; classtype:trojan-activity;sid:84500069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16062024115815/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636972/; classtype:trojan-activity;sid:84500072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13092024164829/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636973/; classtype:trojan-activity;sid:84500073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/02092024071944/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636965/; classtype:trojan-activity;sid:84500065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01092024103900/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636966/; classtype:trojan-activity;sid:84500066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636964)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23072024130857/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3636964/; classtype:trojan-activity;sid:84500064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/06092024071949/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636963/; classtype:trojan-activity;sid:84500063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17062024111134/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636957/; classtype:trojan-activity;sid:84500057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12082024174415/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636958/; classtype:trojan-activity;sid:84500058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/03092024120537/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636960/; classtype:trojan-activity;sid:84500060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3636961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/01072024102122/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636961/; classtype:trojan-activity;sid:84500061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27072024112004/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636962/; classtype:trojan-activity;sid:84500062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/09072024071533/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636956/; classtype:trojan-activity;sid:84500056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22082024070804/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636955/; classtype:trojan-activity;sid:84500055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636953)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/cons/1/8325/info.zip"; depth:28; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636953/; classtype:trojan-activity;sid:84500053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17072024080732/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636948/; classtype:trojan-activity;sid:84500048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28082024111159/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636950/; classtype:trojan-activity;sid:84500050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28072024115238/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636951/; classtype:trojan-activity;sid:84500051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/07082024070516/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636947/; classtype:trojan-activity;sid:84500047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07092024175546/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636946/; classtype:trojan-activity;sid:84500046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25072024103203/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636945/; classtype:trojan-activity;sid:84500045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/31082024165207/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636942/; classtype:trojan-activity;sid:84500042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11062024093514/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636943/; 
classtype:trojan-activity;sid:84500043; rev:1;)
# The complete rules in this stretch all name one host, 200.14.250.72, and carry
# metadata created_at 2025_10_01; they differ only in URI path, URLhaus id and sid.
# Match logic per rule: client-to-server traffic on an established flow
# (flow:established,from_client), method GET, the whole URI matched case-insensitively
# (depth equals the content length, combined with endswith and nocase), and the whole
# http.host value matched (depth:13 plus isdataat:!1,relative).
# Coverage note: only request buffers are inspected, so a hit means a $HOME_NET client
# requested a listed URL over cleartext HTTP, not that a payload was delivered; confirm
# with the response, file hash or endpoint telemetry before escalating. HTTPS traffic is
# presumably covered only where it is decrypted ahead of the sensor - verify per deployment.
# The reference URL in each rule points to the matching URLhaus entry for triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/06092024114755/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636944/; classtype:trojan-activity;sid:84500044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27092024123259/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636940/; classtype:trojan-activity;sid:84500040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23092024073238/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636941/; classtype:trojan-activity;sid:84500041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13072024115848/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636935/; classtype:trojan-activity;sid:84500035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24072024071414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636934/; classtype:trojan-activity;sid:84500034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16092024105926/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636933/; classtype:trojan-activity;sid:84500033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28082024174605/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636932/; classtype:trojan-activity;sid:84500032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02102024072353/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636928/; classtype:trojan-activity;sid:84500028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08092024174750/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636929/; classtype:trojan-activity;sid:84500029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8325/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636930/; classtype:trojan-activity;sid:84500030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8336/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636925/; classtype:trojan-activity;sid:84500025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/19062024070824/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636926/; classtype:trojan-activity;sid:84500026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/22082024121329/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636920/; classtype:trojan-activity;sid:84500020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26062024155216/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636921/; classtype:trojan-activity;sid:84500021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/24092024120511/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636922/; classtype:trojan-activity;sid:84500022; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16062024180613/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636923/; classtype:trojan-activity;sid:84500023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07072024165922/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636919/; classtype:trojan-activity;sid:84500019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13092024114239/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636918/; classtype:trojan-activity;sid:84500018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/20082024112036/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636917/; classtype:trojan-activity;sid:84500017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8318/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636916/; classtype:trojan-activity;sid:84500016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/31082024110606/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636913/; classtype:trojan-activity;sid:84500013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636914)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11062024112609/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636914/; classtype:trojan-activity;sid:84500014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/02072024115435/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636910/; classtype:trojan-activity;sid:84500010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/14062024123830/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636906/; classtype:trojan-activity;sid:84500006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17062024180043/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636908/; classtype:trojan-activity;sid:84500008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28072024115112/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636905/; classtype:trojan-activity;sid:84500005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21082024090731/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636904/; classtype:trojan-activity;sid:84500004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23092024113222/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636902/; classtype:trojan-activity;sid:84500002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11092024134516/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636899/; classtype:trojan-activity;sid:84499999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8334/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636897/; classtype:trojan-activity;sid:84499997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/18072024151745/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636895/; classtype:trojan-activity;sid:84499995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19072024124237/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636893/; classtype:trojan-activity;sid:84499993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/08072024075903/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636883/; classtype:trojan-activity;sid:84499983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8325/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636884/; classtype:trojan-activity;sid:84499984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15062024114520/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636885/; classtype:trojan-activity;sid:84499985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13092024153227/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636886/; classtype:trojan-activity;sid:84499986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/14082024075957/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636887/; classtype:trojan-activity;sid:84499987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26082024070716/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636888/; classtype:trojan-activity;sid:84499988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/21062024072959/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636890/; classtype:trojan-activity;sid:84499990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/8325/13062024155232/info.zip"; depth:43; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636882/; classtype:trojan-activity;sid:84499982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23082024111126/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636881/; classtype:trojan-activity;sid:84499981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/04072024125301/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636880/; classtype:trojan-activity;sid:84499980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/30072024114118/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636872/; classtype:trojan-activity;sid:84499972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17062024072104/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636874/; classtype:trojan-activity;sid:84499974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12082024120632/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636869/; classtype:trojan-activity;sid:84499969; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11072024071932/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636864/; classtype:trojan-activity;sid:84499964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11072024143228/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636865/; classtype:trojan-activity;sid:84499965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/27092024124432/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636866/; classtype:trojan-activity;sid:84499966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23082024175244/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636867/; classtype:trojan-activity;sid:84499967; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/13062024070655/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636868/; classtype:trojan-activity;sid:84499968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/25092024120601/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636859/; classtype:trojan-activity;sid:84499959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/08092024115123/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636860/; classtype:trojan-activity;sid:84499960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05072024071033/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636855/; classtype:trojan-activity;sid:84499955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/01082024101244/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636857/; classtype:trojan-activity;sid:84499957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03072024091538/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636850/; classtype:trojan-activity;sid:84499950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/05082024114357/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636851/; classtype:trojan-activity;sid:84499951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/10092024070313/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636852/; classtype:trojan-activity;sid:84499952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/23092024123854/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636853/; classtype:trojan-activity;sid:84499953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/22082024112941/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636854/; classtype:trojan-activity;sid:84499954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/08072024113918/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636849/; classtype:trojan-activity;sid:84499949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8326/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636847/; classtype:trojan-activity;sid:84499947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11072024110808/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636843/; classtype:trojan-activity;sid:84499943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/06072024112721/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636845/; classtype:trojan-activity;sid:84499945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8326/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636846/; classtype:trojan-activity;sid:84499946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16072024120102/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636840/; classtype:trojan-activity;sid:84499940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636842)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07102024115226/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636842/; classtype:trojan-activity;sid:84499942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22072024134639/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636835/; classtype:trojan-activity;sid:84499935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11092024104834/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636834/; classtype:trojan-activity;sid:84499934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/10072024073020/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636827/; classtype:trojan-activity;sid:84499927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/13082024065051/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636828/; classtype:trojan-activity;sid:84499928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/23092024074730/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636829/; classtype:trojan-activity;sid:84499929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05072024143423/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636831/; classtype:trojan-activity;sid:84499931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/01072024073548/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636832/; classtype:trojan-activity;sid:84499932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/16092024075132/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636825/; classtype:trojan-activity;sid:84499925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/28062024112249/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636824/; classtype:trojan-activity;sid:84499924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/18072024080738/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636823/; classtype:trojan-activity;sid:84499923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/06102024112545/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636816/; classtype:trojan-activity;sid:84499916; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/02072024073145/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636818/; classtype:trojan-activity;sid:84499918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/21062024070935/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636819/; classtype:trojan-activity;sid:84499919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/06082024120113/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636820/; classtype:trojan-activity;sid:84499920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27062024081736/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636821/; classtype:trojan-activity;sid:84499921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/29082024071803/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636822/; classtype:trojan-activity;sid:84499922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03092024152101/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636813/; classtype:trojan-activity;sid:84499913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22072024130114/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636806/; classtype:trojan-activity;sid:84499906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16072024114959/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636807/; classtype:trojan-activity;sid:84499907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/20082024121600/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636809/; classtype:trojan-activity;sid:84499909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/28082024070417/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636803/; classtype:trojan-activity;sid:84499903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26072024143113/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636804/; classtype:trojan-activity;sid:84499904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23082024175356/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636802/; classtype:trojan-activity;sid:84499902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636799)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8051/27082024070328/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636799/; classtype:trojan-activity;sid:84499899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/8050/info.zip"; depth:31; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636798/; classtype:trojan-activity;sid:84499898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/18062024071837/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636795/; classtype:trojan-activity;sid:84499895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/18072024120409/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636796/; classtype:trojan-activity;sid:84499896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/30082024111343/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636797/; classtype:trojan-activity;sid:84499897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/21082024112544/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636794/; classtype:trojan-activity;sid:84499894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/19072024111357/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636791/; classtype:trojan-activity;sid:84499891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/11062024175200/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636784/; classtype:trojan-activity;sid:84499884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/30072024115935/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636785/; 
classtype:trojan-activity;sid:84499885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/02092024114819/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636786/; classtype:trojan-activity;sid:84499886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/30072024070959/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636788/; classtype:trojan-activity;sid:84499888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/05092024120909/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636789/; classtype:trojan-activity;sid:84499889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/05072024112530/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636790/; classtype:trojan-activity;sid:84499890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10092024114316/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636782/; classtype:trojan-activity;sid:84499882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15082024113136/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636781/; classtype:trojan-activity;sid:84499881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/04072024170824/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636779/; classtype:trojan-activity;sid:84499879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/23072024135746/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636780/; classtype:trojan-activity;sid:84499880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636777)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/07102024115515/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636777/; classtype:trojan-activity;sid:84499877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/12072024115926/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636778/; classtype:trojan-activity;sid:84499878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/05082024082013/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636775/; classtype:trojan-activity;sid:84499875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10072024110114/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636776/; classtype:trojan-activity;sid:84499876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/17072024071919/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636773/; classtype:trojan-activity;sid:84499873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/19082024070444/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636771/; classtype:trojan-activity;sid:84499871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20082024104419/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636772/; classtype:trojan-activity;sid:84499872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/06082024070754/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636770/; classtype:trojan-activity;sid:84499870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12092024074514/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, 
urlhaus.abuse.ch/url/3636769/; classtype:trojan-activity;sid:84499869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/23072024073428/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636768/; classtype:trojan-activity;sid:84499868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/16082024110029/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636767/; classtype:trojan-activity;sid:84499867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/30072024075615/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636766/; classtype:trojan-activity;sid:84499866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24082024173603/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636764/; classtype:trojan-activity;sid:84499864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3636763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/27092024072930/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636763/; classtype:trojan-activity;sid:84499863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/14092024070825/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636761/; classtype:trojan-activity;sid:84499861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10082024105405/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636762/; classtype:trojan-activity;sid:84499862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/31072024120304/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636760/; classtype:trojan-activity;sid:84499860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636759)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8029/16082024171045/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636759/; classtype:trojan-activity;sid:84499859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19062024083204/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636757/; classtype:trojan-activity;sid:84499857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/17062024175202/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636758/; classtype:trojan-activity;sid:84499858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/09082024071028/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636754/; classtype:trojan-activity;sid:84499854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/bkp/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636753/; classtype:trojan-activity;sid:84499853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11062024074638/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636752/; classtype:trojan-activity;sid:84499852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8318/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636751/; classtype:trojan-activity;sid:84499851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17082024111540/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636749/; classtype:trojan-activity;sid:84499849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11062024125639/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636746/; classtype:trojan-activity;sid:84499846; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/26062024072316/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636745/; classtype:trojan-activity;sid:84499845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/03092024065611/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636743/; classtype:trojan-activity;sid:84499843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/20082024074454/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636742/; classtype:trojan-activity;sid:84499842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14062024182506/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636741/; classtype:trojan-activity;sid:84499841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636740)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/28062024162227/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636740/; classtype:trojan-activity;sid:84499840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/25082024112344/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636739/; classtype:trojan-activity;sid:84499839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/05102024112225/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636736/; classtype:trojan-activity;sid:84499836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/22072024112228/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636737/; classtype:trojan-activity;sid:84499837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13092024123948/info.zip"; depth:57; endswith; nocase; 
http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636735/; classtype:trojan-activity;sid:84499835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636733/; classtype:trojan-activity;sid:84499833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/05092024111850/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636729/; classtype:trojan-activity;sid:84499829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/24072024112124/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636730/; classtype:trojan-activity;sid:84499830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/pickup/info.zip"; depth:23; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636731/; 
classtype:trojan-activity;sid:84499831; rev:1;)
# URLhaus feed entries, one Suricata rule per reported URL.
# Each rule alerts on a cleartext HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - http.uri equals the listed path: depth is the pattern length and endswith pins the end,
#     with nocase making the comparison case-insensitive;
#   - http.host equals the listed literal: depth plus isdataat:!1,relative allow no extra bytes.
# The number in msg is the URLhaus entry id, repeated in reference:url for triage; in the rules
# shown here sid is that id plus 80863100.
# All entries below point at host 200.14.250.72 and differ only in the path, mostly dated
# directories under /tmpftp/delcacheprodutoseg/1/ ending in info.zip. Every URL is listed
# individually, so a request for a directory that is not on the list raises no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/30082024070843/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636727/; classtype:trojan-activity;sid:84499827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/15072024111306/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636723/; classtype:trojan-activity;sid:84499823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/24072024072622/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636724/; classtype:trojan-activity;sid:84499824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/23082024120742/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636726/; classtype:trojan-activity;sid:84499826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14092024162753/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636722/; classtype:trojan-activity;sid:84499822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/01102024075913/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636720/; classtype:trojan-activity;sid:84499820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/24092024074236/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636718/; classtype:trojan-activity;sid:84499818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/26092024073810/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636715/; classtype:trojan-activity;sid:84499815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/19062024073721/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636716/; classtype:trojan-activity;sid:84499816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/03102024114713/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636714/; classtype:trojan-activity;sid:84499814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/27062024134606/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636708/; classtype:trojan-activity;sid:84499808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/25092024074358/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636709/; classtype:trojan-activity;sid:84499809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636710/; classtype:trojan-activity;sid:84499810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/12092024065636/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636711/; classtype:trojan-activity;sid:84499811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/07082024113359/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636712/; classtype:trojan-activity;sid:84499812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/14082024102908/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636713/; classtype:trojan-activity;sid:84499813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/27062024074304/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636705/; 
classtype:trojan-activity;sid:84499805; rev:1;)
# URLhaus entries for host 200.14.250.72: exact-URL rules, one per reported download path.
# http.uri must equal the path (depth = pattern length, endswith) and http.host must equal the
# IP literal (depth + isdataat:!1,relative), so only the listed URLs alert. Besides the paths
# of the form /tmpftp/delcacheprodutoseg/1/<dir>/<14 digits>/info.zip (the 14 digits look like
# a DDMMYYYYhhmmss timestamp - not confirmed by the feed), this group also lists
# /exeftp/idi/info.zip and the undated /tmpftp/delcacheprodutoseg/1/6011/info.zip.
# The direction is $HOME_NET -> $EXTERNAL_NET: a client that reaches the host through an
# explicit proxy inside $HOME_NET would presumably not produce a matching flow - verify
# against where the sensor sits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20092024114457/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636706/; classtype:trojan-activity;sid:84499806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/idi/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636707/; classtype:trojan-activity;sid:84499807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11062024123414/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636704/; classtype:trojan-activity;sid:84499804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/12062024122748/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636698/; classtype:trojan-activity;sid:84499798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636699/; classtype:trojan-activity;sid:84499799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20082024172514/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636694/; classtype:trojan-activity;sid:84499794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/20082024070343/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636695/; classtype:trojan-activity;sid:84499795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/27092024125844/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636696/; classtype:trojan-activity;sid:84499796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/04102024114428/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636686/; classtype:trojan-activity;sid:84499786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17072024162506/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636687/; classtype:trojan-activity;sid:84499787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/17072024112121/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636688/; classtype:trojan-activity;sid:84499788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/13062024123930/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636689/; classtype:trojan-activity;sid:84499789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/20082024114833/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636690/; classtype:trojan-activity;sid:84499790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22072024071046/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636691/; classtype:trojan-activity;sid:84499791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/21082024074934/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636692/; classtype:trojan-activity;sid:84499792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/12072024073215/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636683/; classtype:trojan-activity;sid:84499783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/11082024113341/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636684/; classtype:trojan-activity;sid:84499784; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/09092024080429/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636681/; classtype:trojan-activity;sid:84499781; rev:1;)
# More URLhaus exact-URL entries for host 200.14.250.72 (all created_at 2025_10_01).
# A rule hits only when both sticky-buffer matches succeed: the whole normalized URI
# (depth = pattern length, endswith) and the whole Host value (depth + isdataat:!1,relative).
# nocase is attached to the URI pattern only. The msg text is the same for every entry apart
# from the URLhaus id in parentheses, so alerts from this group are told apart by that id
# (also in reference:url) or by sid, which in the rules shown here is the id plus 80863100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8342/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636682/; classtype:trojan-activity;sid:84499782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/16092024071437/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636678/; classtype:trojan-activity;sid:84499778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11092024070152/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636679/; classtype:trojan-activity;sid:84499779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/19072024082257/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636676/; classtype:trojan-activity;sid:84499776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/02092024173539/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636666/; classtype:trojan-activity;sid:84499766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/14062024074014/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636667/; classtype:trojan-activity;sid:84499767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp/queue/info.zip"; depth:22; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636668/; classtype:trojan-activity;sid:84499768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13082024112311/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636669/; classtype:trojan-activity;sid:84499769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/23072024112852/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636670/; classtype:trojan-activity;sid:84499770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/13092024094613/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636671/; classtype:trojan-activity;sid:84499771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/10092024185923/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636675/; classtype:trojan-activity;sid:84499775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22072024130440/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636662/; classtype:trojan-activity;sid:84499762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8029/09092024181236/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636664/; classtype:trojan-activity;sid:84499764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/20082024150907/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636665/; classtype:trojan-activity;sid:84499765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/22082024114017/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636656/; classtype:trojan-activity;sid:84499756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/03072024154958/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636659/; classtype:trojan-activity;sid:84499759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3636660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/24062024075130/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636660/; classtype:trojan-activity;sid:84499760; rev:1;)
# URLhaus exact-URL entries: each rule requires http.uri to equal the listed path
# (depth = pattern length, endswith, nocase) and http.host to equal the listed literal
# (depth + isdataat:!1,relative) on an HTTP GET from $HOME_NET to $EXTERNAL_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/18072024070807/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636654/; classtype:trojan-activity;sid:84499754; rev:1;)
# The /sshd entries pair a five-byte path with a bare IP address; all of the specificity comes
# from the exact Host literal, and created_at is the only age information the rule carries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.98.68"; depth:10; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636585/; classtype:trojan-activity;sid:84499685; rev:1;)
# Entries on raw.githubusercontent.com: the host is a shared content platform, so the
# repository path (and, in some entries, a 40-hex-character path segment) is what identifies
# the reported file; the Host literal alone says nothing about maliciousness.
# These are `alert http` rules, so they fire only on requests Suricata parses as HTTP. This
# host is normally fetched over HTTPS; on a link without TLS decryption these entries are
# unlikely to match - NOTE(review): confirm sensor placement relative to any TLS inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-3/m2-100125/main/ud.png"; depth:27; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636195/; classtype:trojan-activity;sid:84499295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-3/9325-m1/main/ud.png"; depth:25; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636185/; classtype:trojan-activity;sid:84499285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mh1-m1/pd/main/mh1-pd-92725.png"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636155/; classtype:trojan-activity;sid:84499255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/6325-pudam/main/u-p.png"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636156/; classtype:trojan-activity;sid:84499256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/6325-mrw/f096dbcbef9efb4ac45d4b7171898fbc1a4d5d38/ud.png"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636151/; classtype:trojan-activity;sid:84499251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/u-mrw-1/feeddc44327a3d7f5328ebad35ebe132d0e18f92/ud.png"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636152/; classtype:trojan-activity;sid:84499252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/6325-pudam/66bcf33bad15036f44df9c2ca7808a5de38435a5/u-p.png"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636147/; classtype:trojan-activity;sid:84499247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3636141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/1/296b891ef5d15bc30620bcccb0660d36d3d0a0f9/ud.png"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_10_01; reference:url, urlhaus.abuse.ch/url/3636141/; classtype:trojan-activity;sid:84499241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3635840)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.197.122.35"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_30; reference:url, urlhaus.abuse.ch/url/3635840/; classtype:trojan-activity;sid:84498940; rev:1;)
# The Host literal here is a single project subdomain of supabase.co; the rule matches that
# exact name only, not the parent domain. The same cleartext-HTTP caveat presumably applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3635467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano/image.jpg"; depth:40; endswith; nocase; http.host; content:"ybgctdtbzvgpdxjivafy.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_30; reference:url, urlhaus.abuse.ch/url/3635467/; classtype:trojan-activity;sid:84498567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3635131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.194.248.230"; depth:15; isdataat:!1,relative; metadata:created_at 2025_09_29; reference:url, urlhaus.abuse.ch/url/3635131/; classtype:trojan-activity;sid:84498231; rev:1;)
# URLhaus exact-URL entries: an alert needs an HTTP GET from $HOME_NET to $EXTERNAL_NET whose
# http.uri equals the listed path (depth = pattern length, endswith, nocase) and whose
# http.host equals the listed literal (depth + isdataat:!1,relative).
# Entries with very short paths (/i, /sshd) on a bare IP address are specific only through the
# Host literal; created_at is the only age information the rule carries, so stale entries are
# removed by refreshing the feed, not by anything in the rule itself.
# Entries on github.com identify the reported file by its repository or release path; the
# Host literal is a shared platform. github.com is normally reached over HTTPS, so these
# `alert http` rules are unlikely to match on a link without TLS decryption -
# NOTE(review): confirm sensor placement relative to any TLS inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3634292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziobigiu84/site/raw/refs/heads/main/launcher.zip"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_29; reference:url, urlhaus.abuse.ch/url/3634292/; classtype:trojan-activity;sid:84497392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3633174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.112.126.123"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_27; reference:url, urlhaus.abuse.ch/url/3633174/; classtype:trojan-activity;sid:84496274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3632903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/bocavenue.exe"; depth:25; endswith; nocase; http.host; content:"versaclean.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2025_09_27; reference:url, urlhaus.abuse.ch/url/3632903/; classtype:trojan-activity;sid:84496003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3632299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ske1et2/telegrams-best-scrapper/raw/refs/heads/main/slouchy/telegrams-best-scrapper.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_26; reference:url, urlhaus.abuse.ch/url/3632299/; classtype:trojan-activity;sid:84495399; rev:1;)
# Five release assets under the same /hkakkkaa/gdsssdggsg/releases/download/fsdfsd/ path, each
# listed as its own entry; an asset name that is not listed here raises no alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/installer.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631593/; classtype:trojan-activity;sid:84494693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/tlp.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631583/; classtype:trojan-activity;sid:84494683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/1210.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631575/; classtype:trojan-activity;sid:84494675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/lol.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631555/; classtype:trojan-activity;sid:84494655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/bsg.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_25; reference:url, urlhaus.abuse.ch/url/3631554/; classtype:trojan-activity;sid:84494654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3631233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.95.148.167"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_24; reference:url, urlhaus.abuse.ch/url/3631233/; classtype:trojan-activity;sid:84494333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3628584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.117.74"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_21; reference:url, urlhaus.abuse.ch/url/3628584/; classtype:trojan-activity;sid:84491684; rev:1;)
# The next two entries carry the same host and path (36.154.188.50, /sshd) under different
# URLhaus ids and dates, so one request to that URL matches both rules and raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3627935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"36.154.188.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_20; reference:url, urlhaus.abuse.ch/url/3627935/; classtype:trojan-activity;sid:84491035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3627210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"36.154.188.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_19; 
reference:url, urlhaus.abuse.ch/url/3627210/; classtype:trojan-activity;sid:84490310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3626596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_09_18; reference:url, urlhaus.abuse.ch/url/3626596/; classtype:trojan-activity;sid:84489696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3626595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drilldata/info.zip"; depth:19; endswith; nocase; http.host; content:"113.57.8.243"; depth:12; isdataat:!1,relative; metadata:created_at 2025_09_18; reference:url, urlhaus.abuse.ch/url/3626595/; classtype:trojan-activity;sid:84489695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3626300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.115.254.91"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_18; reference:url, urlhaus.abuse.ch/url/3626300/; classtype:trojan-activity;sid:84489400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3626275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"74.62.255.234"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_18; reference:url, urlhaus.abuse.ch/url/3626275/; classtype:trojan-activity;sid:84489375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623408)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hkakkkaa/gdsssdggsg/releases/download/fsdfsd/lol1.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623408/; classtype:trojan-activity;sid:84486508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rasadhlp.dll"; depth:13; endswith; nocase; http.host; content:"118.25.68.152"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623131/; classtype:trojan-activity;sid:84486231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ziobigiu84/site/refs/heads/main/launcher.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623126/; classtype:trojan-activity;sid:84486226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/midkourtbbe/network/refs/heads/main/software.zip"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623123/; classtype:trojan-activity;sid:84486223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anno29/web/refs/heads/main/software.zip"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623122/; classtype:trojan-activity;sid:84486222; rev:1;)
# NOTE(review): `alert http` only inspects requests Suricata can parse as HTTP.
# raw.githubusercontent.com and *.supabase.co are normally fetched over HTTPS, so
# the rules for those hosts presumably fire only on cleartext requests or behind
# TLS inspection -- confirm sensor placement before counting them as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3623121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilpigna03/site/refs/heads/main/launcher.zip"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_09_13; reference:url, urlhaus.abuse.ch/url/3623121/; classtype:trojan-activity;sid:84486221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622759)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/hold/image.jpg"; depth:40; endswith; nocase; http.host; content:"ihmmkvkaiwnilneauhfn.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622759/; classtype:trojan-activity;sid:84485859; rev:1;)
# NOTE(review): the next three rules escape "?" as |3f|, which is one byte, but
# depth appears to count it as four characters (58/57/52 where the patterns are
# 55/54/49 bytes). With endswith, the URI may therefore carry up to three extra
# leading bytes, unlike the exact-match anchor of the unescaped rules (the same
# path without a query uses depth:40 above). Likely a generator artifact; confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano_duso/image.jpg|3f|12711343p"; depth:58; endswith; nocase; http.host; content:"frygzjyhtiunvhvnacif.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622643/; classtype:trojan-activity;sid:84485743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/nano_duso/image.jpg|3f|12711343"; depth:57; endswith; nocase; http.host; content:"frygzjyhtiunvhvnacif.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622639/; classtype:trojan-activity;sid:84485739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/v1/object/public/hold/image.jpg|3f|12711343"; depth:52; endswith; nocase; http.host; content:"ihmmkvkaiwnilneauhfn.supabase.co"; depth:32; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622638/; classtype:trojan-activity;sid:84485738; rev:1;)
# The short paths below ("/x86", "/linux_x86") are specific only in combination
# with the exact http.host match that follows them in each rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"www.hcsnet.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622625/; classtype:trojan-activity;sid:84485725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_x86"; depth:10; endswith; nocase; http.host; content:"www.hcsnet.com.br"; depth:17; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622624/; classtype:trojan-activity;sid:84485724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shellcode.bin"; depth:14; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622545/; classtype:trojan-activity;sid:84485645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/er/45.bin"; 
depth:10; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622547/; classtype:trojan-activity;sid:84485647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/er/326.bin"; depth:11; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622548/; classtype:trojan-activity;sid:84485648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3622549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/er/46.bin"; depth:10; endswith; nocase; http.host; content:"39.105.223.127"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_12; reference:url, urlhaus.abuse.ch/url/3622549/; classtype:trojan-activity;sid:84485649; rev:1;)
# NOTE(review): |7c|26|7c| is the three bytes "|26|" with the pipes escaped, so
# the two drive.google.com rules below expect a literal "|26|" between "download"
# and "id=". If the reported URL has "&" (hex 26) there -- check the URLhaus
# entry -- the generator double-escaped it and these rules would not match the
# real request; the intended content is then probably `...download|26|id=...`.
# depth:68 also counts the escapes as written (the pattern itself is 59 bytes).
# drive.google.com is normally served over HTTPS, so `alert http` presumably
# sees these requests only behind TLS inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3621757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1xisuc6psmmj5jzq7jgoffba7avfhzga_"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_09_11; reference:url, urlhaus.abuse.ch/url/3621757/; classtype:trojan-activity;sid:84484857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3621753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1okqdyr_kghanl7h_i1mwmlmzfesw_gx0"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_09_11; reference:url, urlhaus.abuse.ch/url/3621753/; 
classtype:trojan-activity;sid:84484853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3620132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.81.156.125"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_08; reference:url, urlhaus.abuse.ch/url/3620132/; classtype:trojan-activity;sid:84483232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3619986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux_amd64"; depth:12; endswith; nocase; http.host; content:"hcsnet.com.br"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_08; reference:url, urlhaus.abuse.ch/url/3619986/; classtype:trojan-activity;sid:84483086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3619984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; endswith; nocase; http.host; content:"hcsnet.com.br"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_08; reference:url, urlhaus.abuse.ch/url/3619984/; classtype:trojan-activity;sid:84483084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.129.100.123"; depth:15; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617428/; classtype:trojan-activity;sid:84480528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/av.scr"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; 
isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617201/; classtype:trojan-activity;sid:84480301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/video.scr"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617193/; classtype:trojan-activity;sid:84480293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/av.lnk"; depth:16; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617189/; classtype:trojan-activity;sid:84480289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3617190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/19000101/video.lnk"; depth:19; endswith; nocase; http.host; content:"111.59.254.165"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_04; reference:url, urlhaus.abuse.ch/url/3617190/; classtype:trojan-activity;sid:84480290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xdbcvdei"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615611/; classtype:trojan-activity;sid:84478711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615593)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-load/wickrme.exe"; depth:20; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615593/; classtype:trojan-activity;sid:84478693; rev:1;)
# NOTE(review): this pattern contains a literal "%20", but http.uri is the
# normalized URI buffer, where a percent-encoded space is typically already
# decoded. As written the rule may never match; http.uri.raw, or |20| in the
# content with depth adjusted, is the usual form -- confirm against a capture.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-load/solana%203.0.exe"; depth:25; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615592/; classtype:trojan-activity;sid:84478692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-load/trackma.exe"; depth:20; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615590/; classtype:trojan-activity;sid:84478690; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-load/kmahjongg.exe"; depth:22; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615591/; classtype:trojan-activity;sid:84478691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-load/ok_test_work.exe"; depth:25; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615589/; classtype:trojan-activity;sid:84478689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-load/w937gs27h.ps1"; depth:22; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615587/; classtype:trojan-activity;sid:84478687; rev:1;)
# NOTE(review): same literal "%20" against the normalized http.uri buffer as in
# the "solana%203.0.exe" rule above; this rule may not match a real request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-load/ledger%20live.exe"; depth:26; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_09_02; reference:url, urlhaus.abuse.ch/url/3615588/; classtype:trojan-activity;sid:84478688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3615306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"193.109.44.54"; depth:13; isdataat:!1,relative; metadata:created_at 2025_09_01; reference:url, urlhaus.abuse.ch/url/3615306/; classtype:trojan-activity;sid:84478406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowsupdate.exe"; depth:18; endswith; nocase; http.host; content:"129.152.20.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_31; reference:url, urlhaus.abuse.ch/url/3614697/; classtype:trojan-activity;sid:84477797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows.x64.silent.cpu.exe"; depth:27; endswith; 
nocase; http.host; content:"129.152.20.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_31; reference:url, urlhaus.abuse.ch/url/3614696/; classtype:trojan-activity;sid:84477796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d/mzjfndu3ndewnzjf/dvgihou177.bin"; depth:34; endswith; nocase; http.host; content:"od.lk"; depth:5; isdataat:!1,relative; metadata:created_at 2025_08_30; reference:url, urlhaus.abuse.ch/url/3614280/; classtype:trojan-activity;sid:84477380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3614199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/827-mh1-3t/827/main/t1.png"; depth:27; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_30; reference:url, urlhaus.abuse.ch/url/3614199/; classtype:trojan-activity;sid:84477299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3613683)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.126.1.30"; depth:11; isdataat:!1,relative; metadata:created_at 2025_08_29; reference:url, urlhaus.abuse.ch/url/3613683/; classtype:trojan-activity;sid:84476783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3613629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/pinaview.exe"; depth:23; endswith; nocase; http.host; content:"pinaview.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_29; reference:url, urlhaus.abuse.ch/url/3613629/; classtype:trojan-activity;sid:84476729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3613494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peterson643eu/projecttop/refs/heads/main/zjqppajn.exe"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_29; reference:url, urlhaus.abuse.ch/url/3613494/; classtype:trojan-activity;sid:84476594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3612734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client/better.exe"; depth:18; endswith; nocase; http.host; content:"api.ezilax.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_27; reference:url, urlhaus.abuse.ch/url/3612734/; classtype:trojan-activity;sid:84475834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3612593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.7.149.228"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_27; reference:url, urlhaus.abuse.ch/url/3612593/; classtype:trojan-activity;sid:84475693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tfsoft/xftd/v2/ctf/"; depth:20; endswith; nocase; http.host; content:"tengfeidn.cn"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610613/; classtype:trojan-activity;sid:84473713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/upgrade/jd"; depth:15; endswith; nocase; http.host; content:"rdm.91yunma.cn"; depth:14; isdataat:!1,relative; metadata:created_at 
2025_08_24; reference:url, urlhaus.abuse.ch/url/3610604/; classtype:trojan-activity;sid:84473704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/upgrade/qcoin"; depth:18; endswith; nocase; http.host; content:"rdm.91yunma.cn"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610602/; classtype:trojan-activity;sid:84473702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/mely.exe"; depth:14; endswith; nocase; http.host; content:"areyouready.co.za"; depth:17; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610401/; classtype:trojan-activity;sid:84473501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/loic/raw/refs/heads/master/loic.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610381/; classtype:trojan-activity;sid:84473481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3610380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raizydaizy/steamcmd/raw/refs/heads/main/steamcmd.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_08_24; reference:url, urlhaus.abuse.ch/url/3610380/; classtype:trojan-activity;sid:84473480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3609741)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.186.28.36"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_23; reference:url, urlhaus.abuse.ch/url/3609741/; classtype:trojan-activity;sid:84472841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3609409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2/task.js"; depth:10; endswith; nocase; http.host; content:"gestionycobranzas.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3609409/; classtype:trojan-activity;sid:84472509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3609150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"223.197.231.77"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3609150/; classtype:trojan-activity;sid:84472250; rev:1;)
# NOTE(review): "?" is escaped as |3f| (one byte), but depth:49 appears to count
# it as four characters; the pattern is 46 bytes. With endswith, the URI may
# carry up to three extra leading bytes, so this is not the exact-match anchor
# the unescaped rules get. Likely a generator artifact; confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3609122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=sljurzjsslqcmdtxdolcw013.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3609122/; classtype:trojan-activity;sid:84472222; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"119.45.105.211"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_22; reference:url, urlhaus.abuse.ch/url/3608773/; 
classtype:trojan-activity;sid:84471873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/22072024080730/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608522/; classtype:trojan-activity;sid:84471622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/17062024123023/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608521/; classtype:trojan-activity;sid:84471621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/14082024082341/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608520/; classtype:trojan-activity;sid:84471620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/09072024080408/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608519/; classtype:trojan-activity;sid:84471619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3608518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/11072024072520/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608518/; classtype:trojan-activity;sid:84471618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/10092024072747/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608511/; classtype:trojan-activity;sid:84471611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/23092024080311/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608513/; classtype:trojan-activity;sid:84471613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/02082024071413/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608506/; classtype:trojan-activity;sid:84471606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608503)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmpftp/delcacheprodutoseg/1/8051/23092024103542/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608503/; classtype:trojan-activity;sid:84471603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/15072024075523/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608500/; classtype:trojan-activity;sid:84471600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/13082024070204/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608487/; classtype:trojan-activity;sid:84471587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/14062024075221/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608488/; classtype:trojan-activity;sid:84471588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/12082024075637/info.zip"; depth:57; endswith; nocase; http.host; 
content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608491/; classtype:trojan-activity;sid:84471591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/16082024071234/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608492/; classtype:trojan-activity;sid:84471592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/13072024070443/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608493/; classtype:trojan-activity;sid:84471593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/18062024074945/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608496/; classtype:trojan-activity;sid:84471596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8051/22082024110801/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, 
urlhaus.abuse.ch/url/3608497/; classtype:trojan-activity;sid:84471597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8461/info.zip"; depth:42; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608483/; classtype:trojan-activity;sid:84471583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/10092024080037/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608479/; classtype:trojan-activity;sid:84471579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/28082024112055/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608471/; classtype:trojan-activity;sid:84471571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11062024140819/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608474/; classtype:trojan-activity;sid:84471574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3608470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/6011/25072024071607/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608470/; classtype:trojan-activity;sid:84471570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8059/17082024070657/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608466/; classtype:trojan-activity;sid:84471566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/8050/11072024122345/info.zip"; depth:57; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608467/; classtype:trojan-activity;sid:84471567; rev:1;)
# Short, generic path ("/sshd"): the specificity of this rule comes entirely from the http.host match on a
# single IP literal. The rule header uses "any" for both ports, so the port of the listed URL is not part
# of the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3608082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.82.160"; depth:11; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3608082/; classtype:trojan-activity;sid:84471182; rev:1;)
# NOTE(review): the file name here matches a widely distributed local-enumeration script. A hit means a
# process on a $HOME_NET host requested it, which presumably indicates activity after initial access
# rather than first-stage delivery -- confirm during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3607915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linpeas.sh"; depth:11; endswith; nocase; http.host; 
content:"34.70.102.215"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3607915/; classtype:trojan-activity;sid:84471015; rev:1;)
# "|3f|" is the hex escape for "?", so this pattern covers the path plus the query string.
# NOTE(review): depth:49 equals the length of the pattern as written, with "|3f|" counted as four
# characters. The decoded pattern is 46 bytes, so the match may start at offset 0-3 rather than only
# at 0. endswith still pins the end, so the practical effect is small.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3607894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=sncpakg7g9fwre65pslcw016.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_08_21; reference:url, urlhaus.abuse.ch/url/3607894/; classtype:trojan-activity;sid:84470994; rev:1;)
# NOTE(review): the raw.githubusercontent.com rules below are "alert http" rules, so they only fire on
# HTTP the sensor sees in cleartext. That host is normally served over HTTPS; without TLS inspection
# in front of the sensor these downloads are presumably invisible to the rules -- confirm coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1ovu/pon/refs/heads/main/rustmedebyg.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606770/; classtype:trojan-activity;sid:84469870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1ovu/pon/refs/heads/main/rustme.exe"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606767/; classtype:trojan-activity;sid:84469867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1ovu/pon/refs/heads/main/debugconfig.bat"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606766/; 
classtype:trojan-activity;sid:84469866; rev:1;)
# The http.host patterns are written in lowercase and carry no nocase, unlike the http.uri patterns.
# Suricata normalises the http.host buffer to lowercase, so the host comparison is already
# case-insensitive with respect to the Host header as sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3606680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atu.lim"; depth:8; endswith; nocase; http.host; content:"electri.billregulator.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_08_19; reference:url, urlhaus.abuse.ch/url/3606680/; classtype:trojan-activity;sid:84469780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3605993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"150.187.25.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_18; reference:url, urlhaus.abuse.ch/url/3605993/; classtype:trojan-activity;sid:84469093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keepon.exe"; depth:11; endswith; nocase; http.host; content:"209.145.51.44"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_16; reference:url, urlhaus.abuse.ch/url/3604879/; classtype:trojan-activity;sid:84467979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networke.ps1"; depth:13; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2025_08_16; reference:url, urlhaus.abuse.ch/url/3604591/; classtype:trojan-activity;sid:84467691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; 
content:"121.202.196.93"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_15; reference:url, urlhaus.abuse.ch/url/3604243/; classtype:trojan-activity;sid:84467343; rev:1;)
# Two-byte path ("/i"): every request for exactly "/i" to this host alerts, whatever is served in response.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"141.149.36.27"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_15; reference:url, urlhaus.abuse.ch/url/3604235/; classtype:trojan-activity;sid:84467333; rev:1;)
# NOTE(review): sids 84467333 and 84464545 (below) have identical match conditions (GET /sshd, host
# 164.126.150.95) and differ only in msg, created_at, reference and sid. One matching request raises
# two alerts. The two URLhaus entries presumably differ in something the rule does not encode, such as
# the port -- TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3604233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"164.126.150.95"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_15; reference:url, urlhaus.abuse.ch/url/3604233/; classtype:trojan-activity;sid:84467333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3602487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scanubs9420625fpdf.7z"; depth:22; endswith; nocase; http.host; content:"access.skaparade.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_08_14; reference:url, urlhaus.abuse.ch/url/3602487/; classtype:trojan-activity;sid:84465587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3601445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"164.126.150.95"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_12; reference:url, urlhaus.abuse.ch/url/3601445/; classtype:trojan-activity;sid:84464545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3599816)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.147.91.21"; depth:12; isdataat:!1,relative; metadata:created_at 2025_08_09; reference:url, urlhaus.abuse.ch/url/3599816/; classtype:trojan-activity;sid:84462916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3599810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"79.122.193.32"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_09; reference:url, urlhaus.abuse.ch/url/3599810/; classtype:trojan-activity;sid:84462910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3599101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.90.236.250"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_08; reference:url, urlhaus.abuse.ch/url/3599101/; classtype:trojan-activity;sid:84462201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3599106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.54.221.234"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_08; reference:url, urlhaus.abuse.ch/url/3599106/; classtype:trojan-activity;sid:84462206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3597645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_06; reference:url, urlhaus.abuse.ch/url/3597645/; classtype:trojan-activity;sid:84460745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3597379)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.exe"; depth:6; endswith; nocase; http.host; content:"117.72.183.111"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_06; reference:url, urlhaus.abuse.ch/url/3597379/; classtype:trojan-activity;sid:84460479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3597150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmyjungmin/img001.exe"; depth:22; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3597150/; classtype:trojan-activity;sid:84460250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3596562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3596562/; classtype:trojan-activity;sid:84459662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3596563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, urlhaus.abuse.ch/url/3596563/; classtype:trojan-activity;sid:84459663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3596564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.125.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_05; reference:url, 
urlhaus.abuse.ch/url/3596564/; classtype:trojan-activity;sid:84459664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3595203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.241.78.146"; depth:14; isdataat:!1,relative; metadata:created_at 2025_08_02; reference:url, urlhaus.abuse.ch/url/3595203/; classtype:trojan-activity;sid:84458303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3594962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.ssa/t1.png"; depth:12; endswith; nocase; http.host; content:"isiore.com.co"; depth:13; isdataat:!1,relative; metadata:created_at 2025_08_02; reference:url, urlhaus.abuse.ch/url/3594962/; classtype:trojan-activity;sid:84458062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3594942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r00tnik8/zianr35524869492586/raw/refs/heads/main/plugin3.plg"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_08_02; reference:url, urlhaus.abuse.ch/url/3594942/; classtype:trojan-activity;sid:84458042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3592552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"216.247.208.231"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_29; reference:url, urlhaus.abuse.ch/url/3592552/; classtype:trojan-activity;sid:84455652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3592078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; 
depth:7; endswith; nocase; http.host; content:"216.247.208.231"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_29; reference:url, urlhaus.abuse.ch/url/3592078/; classtype:trojan-activity;sid:84455178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3592038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/cache/data/aksesuarlar/patch-yama-arma/skid-row-500x500.jpg"; depth:66; endswith; nocase; http.host; content:"xshop.com.tr"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_29; reference:url, urlhaus.abuse.ch/url/3592038/; classtype:trojan-activity;sid:84455138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3591244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cat.sh"; depth:7; endswith; nocase; http.host; content:"23.95.247.31"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3591244/; classtype:trojan-activity;sid:84454344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amineamine284/edggqdsg/refs/heads/main/garo%20v1.dll"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590746/; classtype:trojan-activity;sid:84453846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/midkourtbbe/network/raw/refs/heads/main/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590550/; 
classtype:trojan-activity;sid:84453650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anno29/web/raw/refs/heads/main/software.zip"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590549/; classtype:trojan-activity;sid:84453649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notcat999/sys/raw/refs/heads/main/software.zip"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590548/; classtype:trojan-activity;sid:84453648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gethalal-007/request/raw/refs/heads/main/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590547/; classtype:trojan-activity;sid:84453647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3590546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nullarchive/request/raw/refs/heads/main/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_27; reference:url, urlhaus.abuse.ch/url/3590546/; classtype:trojan-activity;sid:84453646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3589467)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amd64"; depth:6; endswith; nocase; http.host; content:"107.173.101.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_25; reference:url, urlhaus.abuse.ch/url/3589467/; classtype:trojan-activity;sid:84452567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3589312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.24.52.121"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_25; reference:url, urlhaus.abuse.ch/url/3589312/; classtype:trojan-activity;sid:84452412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3589307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.24.52.121"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_25; reference:url, urlhaus.abuse.ch/url/3589307/; classtype:trojan-activity;sid:84452407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3588886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=3hbukcrujg1pozf7wspre002.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_07_24; reference:url, urlhaus.abuse.ch/url/3588886/; classtype:trojan-activity;sid:84451986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3587585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sid2983/-1aa-valoranta/releases/download/d0wn10ad/valcheat.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_21; reference:url, 
urlhaus.abuse.ch/url/3587585/; classtype:trojan-activity;sid:84450685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3587551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//2025/07/19/15/683192372.png"; depth:29; endswith; nocase; http.host; content:"www2.0zz0.com"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_21; reference:url, urlhaus.abuse.ch/url/3587551/; classtype:trojan-activity;sid:84450651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3586167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.83.186.62"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_20; reference:url, urlhaus.abuse.ch/url/3586167/; classtype:trojan-activity;sid:84449267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3585162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.7.131.145"; depth:12; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3585162/; classtype:trojan-activity;sid:84448262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3585158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"221.152.81.125"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3585158/; classtype:trojan-activity;sid:84448258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3585053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/catalog/model/cummersmg.exe"; depth:28; endswith; nocase; 
http.host; content:"kavacanada.ca"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3585053/; classtype:trojan-activity;sid:84448153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3584719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"61.2.45.191"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_17; reference:url, urlhaus.abuse.ch/url/3584719/; classtype:trojan-activity;sid:84447819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3584281)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.204.227"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_16; reference:url, urlhaus.abuse.ch/url/3584281/; classtype:trojan-activity;sid:84447381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3583571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"177.70.102.228"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_15; reference:url, urlhaus.abuse.ch/url/3583571/; classtype:trojan-activity;sid:84446671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3583040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laurenxss/42429a19c72b875b93608f8cb0cab933/raw/"; depth:48; endswith; nocase; http.host; content:"gist.githubusercontent.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_07_14; reference:url, urlhaus.abuse.ch/url/3583040/; classtype:trojan-activity;sid:84446140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3582620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"61.2.45.172"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_13; reference:url, urlhaus.abuse.ch/url/3582620/; classtype:trojan-activity;sid:84445720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3582116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stb/retev.php|3f|bl=squbykf3ta5kbkp13hpre008.txt"; depth:49; endswith; nocase; http.host; content:"frozi.cc"; depth:8; isdataat:!1,relative; metadata:created_at 2025_07_12; reference:url, urlhaus.abuse.ch/url/3582116/; classtype:trojan-activity;sid:84445216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"61.2.45.141"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580902/; classtype:trojan-activity;sid:84444002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.191.106"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580896/; classtype:trojan-activity;sid:84443996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.240.70.185"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580881/; 
classtype:trojan-activity;sid:84443981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.153.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580884/; classtype:trojan-activity;sid:84443984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3580863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.96.233"; depth:11; isdataat:!1,relative; metadata:created_at 2025_07_11; reference:url, urlhaus.abuse.ch/url/3580863/; classtype:trojan-activity;sid:84443963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3579459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test.jpg|3f|137113"; depth:19; endswith; nocase; http.host; content:"bafybeidvf6tytrspkd4wnvxzs23m3kjr6bfvgszbfwybmmcosl4rrhvuo4.ipfs.dweb.link"; depth:74; isdataat:!1,relative; metadata:created_at 2025_07_09; reference:url, urlhaus.abuse.ch/url/3579459/; classtype:trojan-activity;sid:84442559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3578386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invisiblebunny/records/main/bunny-mini/mini.shell.php"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_07; reference:url, urlhaus.abuse.ch/url/3578386/; classtype:trojan-activity;sid:84441486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3578385)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ly4k/pwnkit/main/pwnkit"; depth:24; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_07; reference:url, urlhaus.abuse.ch/url/3578385/; classtype:trojan-activity;sid:84441485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.lnk"; depth:7; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577019/; classtype:trojan-activity;sid:84440119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/av.lnk"; depth:9; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577020/; classtype:trojan-activity;sid:84440120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3577009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/photo.scr"; depth:12; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3577009/; classtype:trojan-activity;sid:84440109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/av.scr"; depth:9; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576996/; classtype:trojan-activity;sid:84440096; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/photo.scr"; depth:23; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576991/; classtype:trojan-activity;sid:84440091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/info.zip"; depth:22; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576992/; classtype:trojan-activity;sid:84440092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/av.scr"; depth:20; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576993/; classtype:trojan-activity;sid:84440093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.scr"; depth:10; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576994/; classtype:trojan-activity;sid:84440094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/av.lnk"; depth:20; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576995/; classtype:trojan-activity;sid:84440095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/av.scr"; depth:7; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576988/; classtype:trojan-activity;sid:84440088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/video.scr"; depth:23; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576989/; classtype:trojan-activity;sid:84440089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lost%2bfound/video.lnk"; depth:23; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576987/; classtype:trojan-activity;sid:84440087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/video.lnk"; depth:10; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576982/; classtype:trojan-activity;sid:84440082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576983)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/1/video.lnk"; depth:12; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576983/; classtype:trojan-activity;sid:84440083; rev:1;)
# Exact-URL indicators: each rule alerts on an outbound GET whose URI and Host both equal
# the listed strings (depth set to the content length, with endswith / isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/photo.lnk"; depth:12; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576984/; classtype:trojan-activity;sid:84440084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3576985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/info.zip"; depth:11; endswith; nocase; http.host; content:"116.133.72.10"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_05; reference:url, urlhaus.abuse.ch/url/3576985/; classtype:trojan-activity;sid:84440085; rev:1;)
# NOTE(review): the next two rules key on raw.githubusercontent.com and github.com under
# "alert http". Those hosts are normally reached over HTTPS, so the http.* buffers are only
# populated for them when the sensor sees cleartext or TLS-decrypted traffic.
# TODO confirm decryption coverage before relying on these two signatures; without it,
# treat the URLhaus entries as proxy / endpoint-log indicators instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labubu99999/localoco8386/main/shaman.zip"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_07_04; reference:url, urlhaus.abuse.ch/url/3575355/; classtype:trojan-activity;sid:84438455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3575354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/labubu99999/localoco8386/raw/main/update0.bat"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_07_04; reference:url, urlhaus.abuse.ch/url/3575354/; 
classtype:trojan-activity;sid:84438454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3573965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"222.239.87.50"; depth:13; isdataat:!1,relative; metadata:created_at 2025_07_02; reference:url, urlhaus.abuse.ch/url/3573965/; classtype:trojan-activity;sid:84437065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3573963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"110.227.197.204"; depth:15; isdataat:!1,relative; metadata:created_at 2025_07_02; reference:url, urlhaus.abuse.ch/url/3573963/; classtype:trojan-activity;sid:84437063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3573084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chrome_134.exe"; depth:15; endswith; nocase; http.host; content:"lomejordesalamanca.es"; depth:21; isdataat:!1,relative; metadata:created_at 2025_07_01; reference:url, urlhaus.abuse.ch/url/3573084/; classtype:trojan-activity;sid:84436184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3572294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.142.68"; depth:14; isdataat:!1,relative; metadata:created_at 2025_07_01; reference:url, urlhaus.abuse.ch/url/3572294/; classtype:trojan-activity;sid:84435394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3571424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a3f.dof"; depth:8; endswith; nocase; http.host; content:"checkinetverifk.com"; 
depth:19; isdataat:!1,relative; metadata:created_at 2025_06_30; reference:url, urlhaus.abuse.ch/url/3571424/; classtype:trojan-activity;sid:84434524; rev:1;)
# Exact-URL indicators: each rule alerts on an outbound GET whose URI and Host both equal
# the listed strings (depth set to the content length, with endswith / isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3571262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.92.68.239"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_29; reference:url, urlhaus.abuse.ch/url/3571262/; classtype:trojan-activity;sid:84434362; rev:1;)
# NOTE(review): sid 84433258 and sid 84432902 below carry the same method, URI ("/sshd")
# and Host ("90.8.83.87") conditions and differ only in URLhaus id and created_at, so one
# matching request raises an alert per sid. Deduplicate on host + URI downstream rather
# than treating the alert count as the number of distinct events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3570158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.8.83.87"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_25; reference:url, urlhaus.abuse.ch/url/3570158/; classtype:trojan-activity;sid:84433258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3569817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.57.30.25"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_24; reference:url, urlhaus.abuse.ch/url/3569817/; classtype:trojan-activity;sid:84432917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3569802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.8.83.87"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_24; reference:url, urlhaus.abuse.ch/url/3569802/; classtype:trojan-activity;sid:84432902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3569803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; 
depth:5; endswith; nocase; http.host; content:"90.8.83.87"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_24; reference:url, urlhaus.abuse.ch/url/3569803/; classtype:trojan-activity;sid:84432903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3569088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/images/trapapo.ps1"; depth:31; endswith; nocase; http.host; content:"www.vuelaviajero.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_06_22; reference:url, urlhaus.abuse.ch/url/3569088/; classtype:trojan-activity;sid:84432188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aminer.gz"; depth:10; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_21; reference:url, urlhaus.abuse.ch/url/3568977/; classtype:trojan-activity;sid:84432077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install.tgz"; depth:12; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_21; reference:url, urlhaus.abuse.ch/url/3568976/; classtype:trojan-activity;sid:84432076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new_image.jpg"; depth:14; endswith; nocase; http.host; content:"talentrecruitments.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568238/; classtype:trojan-activity;sid:84431338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3568230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/new_image.jpg"; depth:17; endswith; nocase; http.host; content:"talentrecruitments.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568230/; classtype:trojan-activity;sid:84431330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/gv-cu/main/ud.png"; depth:26; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568176/; classtype:trojan-activity;sid:84431276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ud-prog/gv-cu/raw/main/ud.png"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_19; reference:url, urlhaus.abuse.ch/url/3568162/; classtype:trojan-activity;sid:84431262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3568006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xl.txt"; depth:7; endswith; nocase; http.host; content:"mundocarnes.cl"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3568006/; classtype:trojan-activity;sid:84431106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/info.zip"; depth:16; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565283/; classtype:trojan-activity;sid:84428383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svg/info.zip"; depth:13; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565284/; classtype:trojan-activity;sid:84428384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase; http.host; content:"5.149.184.170"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565285/; classtype:trojan-activity;sid:84428385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/jurisdict/dao/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565262/; classtype:trojan-activity;sid:84428362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp%20-%20copia/badmail/info.zip"; depth:36; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565260/; classtype:trojan-activity;sid:84428360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3565261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/1/info.zip"; depth:23; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565261/; classtype:trojan-activity;sid:84428361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/delcacheprodutoseg/1/info.zip"; depth:37; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565259/; classtype:trojan-activity;sid:84428359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp%20-%20copia/info.zip"; depth:28; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565258/; classtype:trojan-activity;sid:84428358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bkp/info.zip"; depth:13; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565256/; classtype:trojan-activity;sid:84428356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/relftp/info.zip"; depth:16; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, 
urlhaus.abuse.ch/url/3565254/; classtype:trojan-activity;sid:84428354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp%20-%20copia/drop/info.zip"; depth:33; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565253/; classtype:trojan-activity;sid:84428353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp%20-%20copia/pickup/info.zip"; depth:35; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565249/; classtype:trojan-activity;sid:84428349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/info.zip"; depth:17; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565245/; classtype:trojan-activity;sid:84428345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/cons/info.zip"; depth:21; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565246/; classtype:trojan-activity;sid:84428346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565243)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/relftp/pdf/info.zip"; depth:20; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565243/; classtype:trojan-activity;sid:84428343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmpftp/extcons/1/info.zip"; depth:26; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565230/; classtype:trojan-activity;sid:84428330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idi/info.zip"; depth:13; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565236/; classtype:trojan-activity;sid:84428336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exeftp%20-%20copia/idi/info.zip"; depth:32; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565240/; classtype:trojan-activity;sid:84428340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gdbftp/info.zip"; depth:16; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565241/; classtype:trojan-activity;sid:84428341; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/cksy/info.zip"; depth:98; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565091/; classtype:trojan-activity;sid:84428191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/service/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565090/; classtype:trojan-activity;sid:84428190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565088/; classtype:trojan-activity;sid:84428188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565087)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/entity/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565087/; classtype:trojan-activity;sid:84428187; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/info.zip"; depth:62; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565085/; classtype:trojan-activity;sid:84428185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565086/; classtype:trojan-activity;sid:84428186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565084/; classtype:trojan-activity;sid:84428184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/entity/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565083/; classtype:trojan-activity;sid:84428183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3565081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/nvrsetting/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565081/; classtype:trojan-activity;sid:84428181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/info.zip"; depth:57; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565080/; classtype:trojan-activity;sid:84428180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565079/; classtype:trojan-activity;sid:84428179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/log/info.zip"; depth:83; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565078/; classtype:trojan-activity;sid:84428178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565077)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565077/; classtype:trojan-activity;sid:84428177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/images/new/info.zip"; depth:48; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565075/; classtype:trojan-activity;sid:84428175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565074/; classtype:trojan-activity;sid:84428174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/service/impl/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565071/; classtype:trojan-activity;sid:84428171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565070)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/action/info.zip"; depth:76; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565070/; classtype:trojan-activity;sid:84428170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/vehiclereview/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565069/; classtype:trojan-activity;sid:84428169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/org/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565068/; classtype:trojan-activity;sid:84428168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/css1/info.zip"; depth:42; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565066/; classtype:trojan-activity;sid:84428166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/base/info.zip"; 
depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565067/; classtype:trojan-activity;sid:84428167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/zbawss/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565065/; classtype:trojan-activity;sid:84428165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/nvrsetting/entity/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565064/; classtype:trojan-activity;sid:84428164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/dto/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565063/; classtype:trojan-activity;sid:84428163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/service/info.zip"; 
depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565061/; classtype:trojan-activity;sid:84428161; rev:1;)
# Reviewer note: every rule below follows one template. It fires on the request side
# (flow:established,from_client) of a plaintext HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - http.uri equals the listed path: depth is set to the content length and endswith pins the
#     end of the buffer, so this is a whole-buffer match; nocase makes it case-insensitive;
#   - http.host equals the 13-byte IP literal: depth:13 plus isdataat:!1,relative leave no room
#     for extra bytes before or after it.
# For tuning: these are exact-URL indicators, one sid per reported URL. Coverage of the host as
# a whole has to come from other telemetry (flow, DNS or proxy logs), not from these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/org/apache/info.zip"; depth:57; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565060/; classtype:trojan-activity;sid:84428160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/templete/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565059/; classtype:trojan-activity;sid:84428159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/photo/info.zip"; depth:36; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565057/; classtype:trojan-activity;sid:84428157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/service/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565058/; classtype:trojan-activity;sid:84428158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/entity/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565056/; classtype:trojan-activity;sid:84428156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565054/; classtype:trojan-activity;sid:84428154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/service/impl/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565049/; classtype:trojan-activity;sid:84428149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/hdk/localxml.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565050/; classtype:trojan-activity;sid:84428150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/info.zip"; depth:37; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565051/; classtype:trojan-activity;sid:84428151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/gbrwss/dto/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565048/; classtype:trojan-activity;sid:84428148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/action/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565044/; classtype:trojan-activity;sid:84428144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/entity/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565043/; classtype:trojan-activity;sid:84428143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/servacpt/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565040/; classtype:trojan-activity;sid:84428140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/temp/info.zip"; depth:22; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565035/; classtype:trojan-activity;sid:84428135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/sysparam/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565029/; classtype:trojan-activity;sid:84428129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/info.zip"; depth:38; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565024/; classtype:trojan-activity;sid:84428124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3565017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/client/info.zip"; depth:70; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565017/; classtype:trojan-activity;sid:84428117; rev:1;)
# Reviewer note: in each rule here the sid is the URLhaus URL id shown in msg and reference
# plus 80863100 (e.g. 3565018 -> sid:84428118). An alert that carries only the sid can
# therefore be mapped back to its urlhaus.abuse.ch/url/<id>/ page without the rule text.
# rev is 1 throughout this stretch.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/info.zip"; depth:31; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565018/; classtype:trojan-activity;sid:84428118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565016/; classtype:trojan-activity;sid:84428116; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/dao/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565014/; classtype:trojan-activity;sid:84428114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/plugin/info.zip"; depth:37; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565009/; classtype:trojan-activity;sid:84428109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/dto/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565010/; classtype:trojan-activity;sid:84428110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565011/; classtype:trojan-activity;sid:84428111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3565004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3565004/; classtype:trojan-activity;sid:84428104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/dto/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564999/; classtype:trojan-activity;sid:84428099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/service/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564992/; classtype:trojan-activity;sid:84428092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/visitwss/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564990/; classtype:trojan-activity;sid:84428090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/pdawss/dto/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564985/; classtype:trojan-activity;sid:84428085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564984/; classtype:trojan-activity;sid:84428084; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/exception/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564980/; classtype:trojan-activity;sid:84428080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564977/; classtype:trojan-activity;sid:84428077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/service/impl/info.zip"; depth:95; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564974/; classtype:trojan-activity;sid:84428074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564972)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/count/dao/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564972/; classtype:trojan-activity;sid:84428072; rev:1;)
# Reviewer note: these signatures inspect the request only (from_client; http.method, http.uri
# and http.host buffers). An alert therefore shows that a $HOME_NET client asked for the URL,
# not that a payload was returned. Triage should look at the HTTP response and any
# file-extraction records for the same flow before treating the client as infected.
# Two URIs in this stretch sit outside the /tomcat8/ tree:
# /aspnet_client/system_web/info.zip (sid:84428061) and /2345downloads/info.zip (sid:84428044).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/hdk/localxml.zip"; depth:58; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564971/; classtype:trojan-activity;sid:84428071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/info.zip"; depth:17; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564969/; classtype:trojan-activity;sid:84428069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/jurisdict/service/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564968/; classtype:trojan-activity;sid:84428068; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/rgsy/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564966/; classtype:trojan-activity;sid:84428066; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/dao/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564965/; classtype:trojan-activity;sid:84428065; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564960/; classtype:trojan-activity;sid:84428060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/system_web/info.zip"; depth:34; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564961/; classtype:trojan-activity;sid:84428061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564953/; classtype:trojan-activity;sid:84428053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/service/impl/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564948/; classtype:trojan-activity;sid:84428048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564949/; classtype:trojan-activity;sid:84428049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2345downloads/info.zip"; depth:23; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564944/; classtype:trojan-activity;sid:84428044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/lib/info.zip"; depth:46; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564937/; classtype:trojan-activity;sid:84428037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/info.zip"; depth:62; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564938/; classtype:trojan-activity;sid:84428038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/service/impl/info.zip"; depth:76; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564939/; classtype:trojan-activity;sid:84428039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/record/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564940/; classtype:trojan-activity;sid:84428040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/info.zip"; depth:69; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564935/; classtype:trojan-activity;sid:84428035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564936)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/jurisdict/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564936/; classtype:trojan-activity;sid:84428036; rev:1;)
# Reviewer note: every rule in this stretch pins the same http.host value (116.171.106.3) and
# the rules differ only in URI, sid and URLhaus id. When handling alerts it is usually more
# useful to aggregate on the destination host than on the individual sid, since one client
# walking this directory tree would raise many distinct sids for a single event.
# NOTE(review): whether the local deployment thresholds or groups these sids is not visible
# from the ruleset itself; confirm in threshold.config or the SIEM correlation rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/mgr/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564931/; classtype:trojan-activity;sid:84428031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/nvrsetting/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564927/; classtype:trojan-activity;sid:84428027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/css1/_notes/info.zip"; depth:49; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564925/; classtype:trojan-activity;sid:84428025; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/rgsy/system/info.zip"; depth:66; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564926/; classtype:trojan-activity;sid:84428026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564924/; classtype:trojan-activity;sid:84428024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/checksetting/web/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564908/; classtype:trojan-activity;sid:84428008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/info.zip"; depth:44; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564909/; classtype:trojan-activity;sid:84428009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/lib/info.zip"; depth:48; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564906/; classtype:trojan-activity;sid:84428006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/base/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564903/; classtype:trojan-activity;sid:84428003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/unusual/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564902/; classtype:trojan-activity;sid:84428002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564900/; classtype:trojan-activity;sid:84428000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/pub/info.zip"; depth:58; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564899/; classtype:trojan-activity;sid:84427999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/info.zip"; depth:61; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564898/; classtype:trojan-activity;sid:84427998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/systemset/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564896/; classtype:trojan-activity;sid:84427996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/viewwss/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564893/; classtype:trojan-activity;sid:84427993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/util/info.zip"; depth:68; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564894/; classtype:trojan-activity;sid:84427994; rev:1;)
# Reviewer note: metadata:created_at is 2025_06_18 on every rule in this stretch, while the
# file header gives "Last updated: 2026-06-02". The indicator is a bare IP literal, so a hit
# is best checked against the current state of the reference:url page before it is escalated.
# NOTE(review): the ruleset does not say whether the listed URLs are still serving content.
# /tomcat8/bin/tomcat8.exe (sid:84427978) is the one URI in this stretch that is not a .zip.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/vkl/ckts_pc/cksy/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564883/; classtype:trojan-activity;sid:84427983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/sysparam/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564881/; classtype:trojan-activity;sid:84427981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/bin/tomcat8.exe"; depth:24; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564878/; classtype:trojan-activity;sid:84427978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564866/; classtype:trojan-activity;sid:84427966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/action/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564861/; classtype:trojan-activity;sid:84427961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564862/; classtype:trojan-activity;sid:84427962; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/dto/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564863/; classtype:trojan-activity;sid:84427963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/vehicleinformation/info.zip"; depth:98; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564858/; classtype:trojan-activity;sid:84427958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/logs/info.zip"; depth:22; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564859/; classtype:trojan-activity;sid:84427959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/entity/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564855/; classtype:trojan-activity;sid:84427955; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/entity/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564852/; classtype:trojan-activity;sid:84427952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/info.zip"; depth:83; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564850/; classtype:trojan-activity;sid:84427950; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/utils/excel/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564847/; classtype:trojan-activity;sid:84427947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/service/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564845/; classtype:trojan-activity;sid:84427945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/szclient/info.zip"; depth:72; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564844/; classtype:trojan-activity;sid:84427944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564839/; classtype:trojan-activity;sid:84427939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/service/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564832/; classtype:trojan-activity;sid:84427932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/checksetting/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564819/; classtype:trojan-activity;sid:84427919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564820/; classtype:trojan-activity;sid:84427920; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/gbrwrite/dto/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564821/; classtype:trojan-activity;sid:84427921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3564822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/service/impl/info.zip"; depth:97; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564822/; classtype:trojan-activity;sid:84427922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/info.zip"; depth:42; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564823/; classtype:trojan-activity;sid:84427923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/jurisdict/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564809/; classtype:trojan-activity;sid:84427909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/set/service/info.zip"; depth:83; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564810/; classtype:trojan-activity;sid:84427910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564812)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/utils/exception/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564812/; classtype:trojan-activity;sid:84427912; rev:1;)
# Review note: the host half of each rule is an exact match as well.
# On http.host, content:"116.171.106.3"; depth:13; isdataat:!1,relative; requires
# the buffer to be that 13-byte string with no data after it, so a request that
# reaches the same server under a DNS name does not alert on these rules.
# The URI half gets the same end-anchoring from endswith; the two forms look
# equivalent here.
# NOTE(review): http.host is the normalized host buffer; confirm on the deployed
# Suricata version how a Host header carrying an explicit port is presented.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/hdk/hcnetsdkcom/info.zip"; depth:66; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564807/; classtype:trojan-activity;sid:84427907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564808/; classtype:trojan-activity;sid:84427908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/dao/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564804/; classtype:trojan-activity;sid:84427904; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/chkptwss/mgr/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564801/; classtype:trojan-activity;sid:84427901; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/info.zip"; depth:36; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564800/; classtype:trojan-activity;sid:84427900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/pub/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564799/; classtype:trojan-activity;sid:84427899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/cksy/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564797/; classtype:trojan-activity;sid:84427897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/info.zip"; depth:58; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564796/; classtype:trojan-activity;sid:84427896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564794/; classtype:trojan-activity;sid:84427894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/info.zip"; depth:64; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564793/; classtype:trojan-activity;sid:84427893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/hdk/hcnetsdkcom/info.zip"; depth:62; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564791/; classtype:trojan-activity;sid:84427891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/info.zip"; depth:60; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564787/; classtype:trojan-activity;sid:84427887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/pub/info.zip"; depth:97; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564785/; classtype:trojan-activity;sid:84427885; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/service/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564783/; classtype:trojan-activity;sid:84427883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564784/; classtype:trojan-activity;sid:84427884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/info.zip"; depth:74; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564781/; classtype:trojan-activity;sid:84427881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/js/info.zip"; depth:40; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564782/; classtype:trojan-activity;sid:84427882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/com/info.zip"; depth:42; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564780/; classtype:trojan-activity;sid:84427880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/dto/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564776/; classtype:trojan-activity;sid:84427876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/meta-inf/info.zip"; depth:43; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564770/; classtype:trojan-activity;sid:84427870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3564771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/wss/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564771/; classtype:trojan-activity;sid:84427871; rev:1;)
# Review note: these rules fire on the request, not on the response.
# $HOME_NET -> $EXTERNAL_NET with flow:established,from_client and a GET method
# match means an alert records that an internal client asked for the URL; it
# does not show that the archive was returned or opened. Triage should pair the
# alert with the HTTP response (status, size, file hash where file extraction is
# enabled) and with endpoint telemetry from the requesting client.
# The same URL fetched over TLS is not visible to an "alert http" rule unless
# the traffic is decrypted before inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/org/apache/jsp/info.zip"; depth:61; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564766/; classtype:trojan-activity;sid:84427866; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/utils/nvr/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564761/; classtype:trojan-activity;sid:84427861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/web/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564760/; classtype:trojan-activity;sid:84427860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/service/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564756/; classtype:trojan-activity;sid:84427856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/gbrwrite/action/info.zip"; depth:95; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564752/; classtype:trojan-activity;sid:84427852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/visitwss/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564749/; classtype:trojan-activity;sid:84427849; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564748/; classtype:trojan-activity;sid:84427848; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/dto/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564747/; classtype:trojan-activity;sid:84427847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/viewwss/mgr/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564743/; classtype:trojan-activity;sid:84427843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/service/impl/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564739/; classtype:trojan-activity;sid:84427839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/chkptwss/dto/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564740/; classtype:trojan-activity;sid:84427840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/gbrwss/action/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564737/; classtype:trojan-activity;sid:84427837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/exception/info.zip"; depth:99; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564734/; classtype:trojan-activity;sid:84427834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564735/; classtype:trojan-activity;sid:84427835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/dao/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564736/; classtype:trojan-activity;sid:84427836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/static/images/info.zip"; depth:44; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564731/; classtype:trojan-activity;sid:84427831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/download/info.zip"; depth:39; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564726/; classtype:trojan-activity;sid:84427826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/info.zip"; depth:64; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564724/; classtype:trojan-activity;sid:84427824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/hdk/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564725/; classtype:trojan-activity;sid:84427825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564720)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/controller/info.zip"; depth:94; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564720/; classtype:trojan-activity;sid:84427820; rev:1;)
# Review note: these are point-in-time indicators. Every rule in this run is
# rev:1 with created_at 2025_06_18; the reference:url entry on URLhaus is the
# place to check whether a URL is still live before treating an alert as current.
# Most paths look like a walk of a Tomcat install tree (/tomcat8/bin,
# /tomcat8/work, /tomcat8/webapps/...); /xinheyuan/ and /hengsheng/ are the
# exceptions here. sid values are assigned by the feed, so local tuning belongs
# in threshold/suppress configuration or the rule manager's disable list keyed
# on sid, not in edits to this file that the next feed update would overwrite.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564717/; classtype:trojan-activity;sid:84427817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/info.zip"; depth:22; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564718/; classtype:trojan-activity;sid:84427818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xinheyuan/info.zip"; depth:19; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564715/; classtype:trojan-activity;sid:84427815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/dao/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564713/; classtype:trojan-activity;sid:84427813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/dao/info.zip"; depth:78; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564711/; classtype:trojan-activity;sid:84427811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/mgr/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564706/; classtype:trojan-activity;sid:84427806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/spotcheck/service/impl/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564704/; classtype:trojan-activity;sid:84427804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/pdawss/mgr/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564700/; classtype:trojan-activity;sid:84427800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/dao/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564697/; classtype:trojan-activity;sid:84427797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/hdk/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564685/; classtype:trojan-activity;sid:84427785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/datawrite/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564682/; classtype:trojan-activity;sid:84427782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/videosetting/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564674/; classtype:trojan-activity;sid:84427774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/bin/info.zip"; depth:21; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564673/; classtype:trojan-activity;sid:84427773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/pdauser/dao/info.zip"; depth:91; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564672/; classtype:trojan-activity;sid:84427772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/info.zip"; depth:54; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564669/; classtype:trojan-activity;sid:84427769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/utils/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564666/; classtype:trojan-activity;sid:84427766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/gbrwrite/dao/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564667/; classtype:trojan-activity;sid:84427767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/service/impl/info.zip"; depth:97; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564659/; classtype:trojan-activity;sid:84427759; rev:1;)
# The path in the next rule is the indicator as reported ("spotckeck"); keep the
# spelling, since the exact-match URI content would stop matching if corrected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/spotckeck/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564660/; classtype:trojan-activity;sid:84427760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hengsheng/info.zip"; depth:19; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564654/; classtype:trojan-activity;sid:84427754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/info.zip"; depth:25; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564655/; classtype:trojan-activity;sid:84427755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/vehicleinformation/service/impl/info.zip"; depth:96; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564648/; classtype:trojan-activity;sid:84427748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/pdauser/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564644/; classtype:trojan-activity;sid:84427744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/base/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564640/; classtype:trojan-activity;sid:84427740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3564641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/dao/info.zip"; depth:77; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564641/; classtype:trojan-activity;sid:84427741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/dto/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564636/; classtype:trojan-activity;sid:84427736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/base/dao/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564638/; classtype:trojan-activity;sid:84427738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/visitwss/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564633/; classtype:trojan-activity;sid:84427733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564630)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/entity/info.zip"; depth:95; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564630/; classtype:trojan-activity;sid:84427730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/dept/info.zip"; depth:69; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564629/; classtype:trojan-activity;sid:84427729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/info.zip"; depth:41; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564620/; classtype:trojan-activity;sid:84427720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/unusual/service/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564621/; classtype:trojan-activity;sid:84427721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564616)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/statistic/log/web/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564616/; classtype:trojan-activity;sid:84427716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/dept/web/info.zip"; depth:73; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564611/; classtype:trojan-activity;sid:84427711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guirui/info.zip"; depth:16; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564599/; classtype:trojan-activity;sid:84427699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/info.zip"; depth:30; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564600/; classtype:trojan-activity;sid:84427700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/sysparam/action/info.zip"; depth:89; endswith; nocase; http.host; 
content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564602/; classtype:trojan-activity;sid:84427702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/zbzlwss/dao/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564597/; classtype:trojan-activity;sid:84427697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/gbrwss/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564598/; classtype:trojan-activity;sid:84427698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564594/; classtype:trojan-activity;sid:84427694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/info.zip"; depth:60; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564595/; classtype:trojan-activity;sid:84427695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/nvrsetting/service/info.zip"; depth:90; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564596/; classtype:trojan-activity;sid:84427696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/utils/excel/annotation/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564593/; classtype:trojan-activity;sid:84427693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/set/service/impl/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564592/; classtype:trojan-activity;sid:84427692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564589)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/base/utils/info.zip"; depth:75; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564589/; classtype:trojan-activity;sid:84427689; rev:1;)
# The rules below share one pattern: an established, client-side HTTP GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri equals the listed path (depth set
# to the content length plus endswith, compared with nocase) and whose
# http.host equals the listed address (depth plus isdataat:!1,relative leaves
# no room for extra bytes after the match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564590)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/dao/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564590/; classtype:trojan-activity;sid:84427690; rev:1;)
# NOTE(review): the http.uri content of the next rule is written in
# percent-encoded form (%e6..., %20). Suricata documents http.uri as the
# normalized URI, in which %20 is converted to a space, so the literal encoded
# text may never appear in that buffer. Confirm on the sensor whether this
# rule can fire, or whether http.uri.raw or the decoded bytes are needed.
# depth:52 is the length of the encoded form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%e6%96%b0%e6%96%87%e4%bb%b6%e5%a4%b9%20(2)/info.zip"; depth:52; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564584/; classtype:trojan-activity;sid:84427684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/info.zip"; depth:34; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564585/; classtype:trojan-activity;sid:84427685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/checksetting/service/info.zip"; depth:92; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564581/; 
classtype:trojan-activity;sid:84427681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haohua/info.zip"; depth:16; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564578/; classtype:trojan-activity;sid:84427678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pcwss/module/ckwss/base/info.zip"; depth:82; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564577/; classtype:trojan-activity;sid:84427677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/count/info.zip"; depth:85; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564576/; classtype:trojan-activity;sid:84427676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/info.zip"; depth:52; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564575/; classtype:trojan-activity;sid:84427675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3564569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pda/web-inf/classes/com/vkl/pda/module/info.zip"; depth:69; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564569/; classtype:trojan-activity;sid:84427669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/operationsetting/service/impl/info.zip"; depth:101; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564568/; classtype:trojan-activity;sid:84427668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/ckts_005fpc/rgsy/system/info.zip"; depth:105; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564566/; classtype:trojan-activity;sid:84427666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/chkpt/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564565/; classtype:trojan-activity;sid:84427665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3564561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/vehiclereview/controller/info.zip"; depth:89; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564561/; classtype:trojan-activity;sid:84427661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/info.zip"; depth:56; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564562/; classtype:trojan-activity;sid:84427662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/lib/info.zip"; depth:21; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564554/; classtype:trojan-activity;sid:84427654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/root/info.zip"; depth:46; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564542/; classtype:trojan-activity;sid:84427642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaifa/info.zip"; depth:15; 
endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564543/; classtype:trojan-activity;sid:84427643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/dataquery/dto/info.zip"; depth:93; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564544/; classtype:trojan-activity;sid:84427644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/org/apache/jsp/web_002dinf/com/vkl/info.zip"; depth:81; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564545/; classtype:trojan-activity;sid:84427645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/info.zip"; depth:71; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564539/; classtype:trojan-activity;sid:84427639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/viewws/info.zip"; depth:88; endswith; nocase; 
http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564540/; classtype:trojan-activity;sid:84427640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/record/web/info.zip"; depth:75; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564538/; classtype:trojan-activity;sid:84427638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/work/catalina/localhost/bfxt/info.zip"; depth:46; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564534/; classtype:trojan-activity;sid:84427634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/mapping/com/vkl/pcwss/module/ckwss/info.zip"; depth:87; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564535/; classtype:trojan-activity;sid:84427635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; 
metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564537/; classtype:trojan-activity;sid:84427637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/info.zip"; depth:50; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564527/; classtype:trojan-activity;sid:84427627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aspnet_client/info.zip"; depth:23; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564528/; classtype:trojan-activity;sid:84427628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/web/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564529/; classtype:trojan-activity;sid:84427629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/temp/poifiles/info.zip"; depth:31; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564526/; classtype:trojan-activity;sid:84427626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3564522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/report/info.zip"; depth:37; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564522/; classtype:trojan-activity;sid:84427622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/pub/dao/info.zip"; depth:67; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564521/; classtype:trojan-activity;sid:84427621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564519)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/visitwss/dto/info.zip"; depth:86; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564519/; classtype:trojan-activity;sid:84427619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/cksy/servacpt/entity/info.zip"; depth:80; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564518/; classtype:trojan-activity;sid:84427618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564515)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt_pcwss/web-inf/classes/com/vkl/pcwss/module/ckwss/info.zip"; depth:79; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564515/; classtype:trojan-activity;sid:84427615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/wss/action/info.zip"; depth:70; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564514/; classtype:trojan-activity;sid:84427614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/dao/info.zip"; depth:88; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564509/; classtype:trojan-activity;sid:84427609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/info.zip"; depth:59; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564500/; classtype:trojan-activity;sid:84427600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564499)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tomcat8/webapps/bfxt/web-inf/classes/mapping/com/vkl/ckts/module/rgsy/dept/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564499/; classtype:trojan-activity;sid:84427599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3564497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomcat8/webapps/bfxt/web-inf/classes/com/vkl/ckts/rgsy/system/photosetting/info.zip"; depth:84; endswith; nocase; http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_18; reference:url, urlhaus.abuse.ch/url/3564497/; classtype:trojan-activity;sid:84427597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.exe"; depth:10; endswith; nocase; http.host; content:"152.67.84.123"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563453/; classtype:trojan-activity;sid:84426553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"43.136.88.193"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563444/; classtype:trojan-activity;sid:84426544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"175.178.174.23"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; 
reference:url, urlhaus.abuse.ch/url/3563441/; classtype:trojan-activity;sid:84426541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563435)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"43.136.51.89"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563435/; classtype:trojan-activity;sid:84426535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"42.193.115.114"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563432/; classtype:trojan-activity;sid:84426532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"43.136.51.89"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563425/; classtype:trojan-activity;sid:84426525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"43.136.88.193"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563424/; classtype:trojan-activity;sid:84426524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563388)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"114.132.86.182"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563388/; classtype:trojan-activity;sid:84426488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"43.139.88.161"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563385/; classtype:trojan-activity;sid:84426485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"106.55.134.240"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563384/; classtype:trojan-activity;sid:84426484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"124.223.73.186"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563380/; classtype:trojan-activity;sid:84426480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"124.223.73.186"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563381/; classtype:trojan-activity;sid:84426481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3563374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"42.194.199.15"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563374/; classtype:trojan-activity;sid:84426474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"49.233.172.4"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563369/; classtype:trojan-activity;sid:84426469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"43.139.88.161"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563362/; classtype:trojan-activity;sid:84426462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"49.233.172.4"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563363/; classtype:trojan-activity;sid:84426463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"119.91.58.97"; depth:12; isdataat:!1,relative; metadata:created_at 
2025_06_17; reference:url, urlhaus.abuse.ch/url/3563364/; classtype:trojan-activity;sid:84426464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"81.69.185.184"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563349/; classtype:trojan-activity;sid:84426449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkapis.dll"; depth:15; endswith; nocase; http.host; content:"81.69.185.184"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563343/; classtype:trojan-activity;sid:84426443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"106.55.134.240"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563336/; classtype:trojan-activity;sid:84426436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"119.91.58.97"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563320/; classtype:trojan-activity;sid:84426420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3563253)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/gg.apk"; depth:7; endswith; nocase; http.host; content:"112.18.10.80"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3563253/; classtype:trojan-activity;sid:84426353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mar10/wsgidav/archive/refs/heads/master.zip"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_17; reference:url, urlhaus.abuse.ch/url/3562926/; classtype:trojan-activity;sid:84426026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/msglu32.ocx"; depth:28; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562778/; classtype:trojan-activity;sid:84425878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/energizertrojan-malware.zip"; depth:38; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562768/; classtype:trojan-activity;sid:84425868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/advnetcfg.ocx"; depth:30; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562769/; 
classtype:trojan-activity;sid:84425869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/mssecmgr.ocx"; depth:29; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562771/; classtype:trojan-activity;sid:84425871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/dnsmasq-2.73rc7.tar.gz"; depth:33; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562772/; classtype:trojan-activity;sid:84425872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/boot32drv.sys"; depth:30; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562774/; classtype:trojan-activity;sid:84425874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/malware/energizertrojan-malware.zip"; depth:36; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562775/; classtype:trojan-activity;sid:84425875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562766)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dangerous/flame/nteps32.ocx"; depth:28; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562766/; classtype:trojan-activity;sid:84425866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/icecast2_2.0.0_vulnerable.exe"; depth:40; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562765/; classtype:trojan-activity;sid:84425865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dangerous/flame/ccalc32.sys"; depth:28; endswith; nocase; http.host; content:"172.236.108.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562763/; classtype:trojan-activity;sid:84425863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tcp_linux_amd64"; depth:16; endswith; nocase; http.host; content:"101.43.49.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562757/; classtype:trojan-activity;sid:84425857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cve-2020-15972/tear-down.js"; depth:28; endswith; nocase; http.host; content:"119.28.140.233"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562758/; 
classtype:trojan-activity;sid:84425858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zusyaku/malware-collection-part-2/refs/heads/main/666/666.exe"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562600/; classtype:trojan-activity;sid:84425700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp.bat"; depth:7; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562599/; classtype:trojan-activity;sid:84425699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live.lnk"; depth:9; endswith; nocase; http.host; content:"103.116.190.93"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562404/; classtype:trojan-activity;sid:84425504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3562403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uat.lnk"; depth:8; endswith; nocase; http.host; content:"103.116.190.93"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_16; reference:url, urlhaus.abuse.ch/url/3562403/; classtype:trojan-activity;sid:84425503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561991)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wyverntkc/cpuminer-gr-avx2/releases/download/1.2.4.1/cpuminer-gr-1.2.4.1-x86_64_windows.7z"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, urlhaus.abuse.ch/url/3561991/; classtype:trojan-activity;sid:84425091; rev:1;)
# NOTE(review): the three rules below for host github.com are "alert http" signatures keyed on http.uri and
# http.host, so they can only match where the sensor sees the request as cleartext HTTP (or traffic that was
# decrypted upstream). A fetch of the same path over TLS does not expose the URI or Host header to these rules,
# and TLS SNI or DNS telemetry cannot tell this repository path apart from other content on the same host.
# Treat the absence of an alert as inconclusive and pair these entries with proxy or endpoint download logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wyverntkc/cpuminer-gr-avx2/archive/refs/tags/1.2.4.1.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, urlhaus.abuse.ch/url/3561989/; classtype:trojan-activity;sid:84425089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wyverntkc/cpuminer-gr-avx2/archive/refs/tags/1.2.4.1.tar.gz"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, urlhaus.abuse.ch/url/3561990/; classtype:trojan-activity;sid:84425090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wyverntkc/cpuminer-gr-avx2/releases/download/1.2.4.1/cpuminer-gr-1.2.4.1-args-x86_64_linux.tar.gz"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_14; reference:url, urlhaus.abuse.ch/url/3561988/; classtype:trojan-activity;sid:84425088; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561860)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/invc/xfspeed/qqpcmgr/module_update/fid1746669868_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.yz.tcdnos.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561860/; classtype:trojan-activity;sid:84424960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1747308966_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561859/; classtype:trojan-activity;sid:84424959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1747209335_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561858/; classtype:trojan-activity;sid:84424958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invc/xfspeed/qqpcmgr/module_update/fid1747732120_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561857/; classtype:trojan-activity;sid:84424957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561856)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/invc/xfspeed/qqpcmgr/module_update/fid1747640975_runqmhunt.exe.zip"; depth:67; endswith; nocase; http.host; content:"dlied6.bytes.tcdnos.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561856/; classtype:trojan-activity;sid:84424956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/data/drss/drbw.zip"; depth:25; endswith; nocase; http.host; content:"124.223.105.161"; depth:15; isdataat:!1,relative; metadata:created_at 2025_06_13; reference:url, urlhaus.abuse.ch/url/3561839/; classtype:trojan-activity;sid:84424939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/kedadecoder.zip"; depth:25; endswith; nocase; http.host; content:"123.232.43.185"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_12; reference:url, urlhaus.abuse.ch/url/3561639/; classtype:trojan-activity;sid:84424739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.jsp"; depth:6; endswith; nocase; http.host; content:"1.94.184.17"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_11; reference:url, urlhaus.abuse.ch/url/3561082/; classtype:trojan-activity;sid:84424182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3561083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poc.xml"; depth:8; endswith; nocase; http.host; content:"1.94.184.17"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_11; reference:url, urlhaus.abuse.ch/url/3561083/; 
classtype:trojan-activity;sid:84424183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560938)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.88.234.44"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_11; reference:url, urlhaus.abuse.ch/url/3560938/; classtype:trojan-activity;sid:84424038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/ransomware/annabelle.exe"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560452/; classtype:trojan-activity;sid:84423552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rzm-crack-team/redline-crack/main/redline-crack-by-rzt.zip"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560449/; classtype:trojan-activity;sid:84423549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/barrigudinha157/barrigudinha/master/ydrag.dll"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560445/; classtype:trojan-activity;sid:84423545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560439)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/loic/master/loic.exe"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560439/; classtype:trojan-activity;sid:84423539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/ransomware/cryptowall.exe"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560418/; classtype:trojan-activity;sid:84423518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantompeek/kematian/main/frontend-src/main.ps1"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560419/; classtype:trojan-activity;sid:84423519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/ransomware/cryptolocker.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560422/; classtype:trojan-activity;sid:84423522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560416)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/da2dalus/the-malware-repo/master/email-worm/prolin.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560416/; classtype:trojan-activity;sid:84423516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantompeek/kematian/main/frontend-src/main.bat"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560412/; classtype:trojan-activity;sid:84423512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/funbatchcode-malicousandnonmalicous/master/worm.bat"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560414/; classtype:trojan-activity;sid:84423514; rev:1;)
# NOTE(review): the http.uri content in the next rule contains literal "%20" sequences. Per the Suricata
# documentation, http.uri is the normalized URI buffer, in which %20 is converted to a space, while
# http.uri.raw holds the URI as sent. As written this rule presumably cannot match a request for that path:
# matching the encoded form needs http.uri.raw, and matching the normalized form needs |20| in the content
# with a depth equal to the decoded length. Confirm on the deployed Suricata version before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noccenter/noccenter/main/huong%20dan%20xu%20ly%20tai%20khoan%20mail%20noi%20bo.zip"; depth:83; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560409/; classtype:trojan-activity;sid:84423509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pc/pdfconvert/pdfconverter_p2w154-zx-666.exe";
depth:45; endswith; nocase; http.host; content:"download.pdf00.com"; depth:18; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560385/; classtype:trojan-activity;sid:84423485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/rod_en_1.exe"; depth:23; endswith; nocase; http.host; content:"www.r-tt.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560380/; classtype:trojan-activity;sid:84423480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/rmd_en_1.exe"; depth:23; endswith; nocase; http.host; content:"www.r-tt.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560381/; classtype:trojan-activity;sid:84423481; rev:1;)
# NOTE(review): the http.uri content in the next rule carries percent-encoded spaces ("%20") and a depth of
# 122 that counts the encoded bytes. The Suricata documentation describes http.uri as the normalized buffer
# (%20 becomes a space) and http.uri.raw as the unmodified one, so this pattern presumably never matches in
# http.uri; it would need http.uri.raw, or |20| in place of %20 with the depth recomputed. Verify with a
# replayed request on the deployed version, and do not count this sid as coverage until it is seen to fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3560209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cybertoxin/remcos-professional-cracked-by-alcatraz3222/raw/master/remcos%20professional%20cracked%20by%20alcatraz3222.zip"; depth:122; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_06_10; reference:url, urlhaus.abuse.ch/url/3560209/; classtype:trojan-activity;sid:84423309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559327)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"45.115.254.68"; depth:13; isdataat:!1,relative; metadata:created_at 2025_06_08; reference:url, urlhaus.abuse.ch/url/3559327/;
classtype:trojan-activity;sid:84422427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/update/bmw_v1.7.exe"; depth:27; endswith; nocase; http.host; content:"acc.jiangsujiaxue.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559217/; classtype:trojan-activity;sid:84422317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/classticket.exe"; depth:16; endswith; nocase; http.host; content:"class1004.dothome.co.kr"; depth:23; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559216/; classtype:trojan-activity;sid:84422316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yx/dts/sqft/904576/yx_dts.exe"; depth:30; endswith; nocase; http.host; content:"d.14yaa.com"; depth:11; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559208/; classtype:trojan-activity;sid:84422308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cmd/services.exe"; depth:17; endswith; nocase; http.host; content:"43.229.135.199"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559206/; classtype:trojan-activity;sid:84422306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559040)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/getrektboy724/sementara/master/keystone.dll"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559040/; classtype:trojan-activity;sid:84422140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/sgn.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559037/; classtype:trojan-activity;sid:84422137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/bsodlogicbomb.ps1"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559033/; classtype:trojan-activity;sid:84422133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/powersyringe.ps1"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559034/; classtype:trojan-activity;sid:84422134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/invoke-reflectivepeinjection.ps1"; depth:64; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559022/; classtype:trojan-activity;sid:84422122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/pe2shc.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559025/; classtype:trojan-activity;sid:84422125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/encrypted.enc"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559019/; classtype:trojan-activity;sid:84422119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/masquerade-peb.ps1"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559009/; classtype:trojan-activity;sid:84422109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/uacbstartup.ps1"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, 
urlhaus.abuse.ch/url/3559012/; classtype:trojan-activity;sid:84422112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/invoke-shellcode-fixed.ps1"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559014/; classtype:trojan-activity;sid:84422114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/onedoesnotsimplybypassentirewindefender.ps1"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559015/; classtype:trojan-activity;sid:84422115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/migrate.rb"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559005/; classtype:trojan-activity;sid:84422105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3559006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/base64.rb"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3559006/; classtype:trojan-activity;sid:84422106; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/bugsoft.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558975/; classtype:trojan-activity;sid:84422075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/banking-malware/zloader.xlsm"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558977/; classtype:trojan-activity;sid:84422077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/anap.a.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558973/; classtype:trojan-activity;sid:84422073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/axam.a.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558974/; classtype:trojan-activity;sid:84422074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3558966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/banking-malware/emotet.zip"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558966/; classtype:trojan-activity;sid:84422066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/master/email-worm/amus.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558967/; classtype:trojan-activity;sid:84422067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/rickware/master/rickroll.exe"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_07; reference:url, urlhaus.abuse.ch/url/3558969/; classtype:trojan-activity;sid:84422069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.26.97.59"; depth:12; isdataat:!1,relative; metadata:created_at 2025_06_05; reference:url, urlhaus.abuse.ch/url/3558602/; classtype:trojan-activity;sid:84421702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g7_update.exe"; depth:14; endswith; nocase; http.host; 
content:"118.219.11.202"; depth:14; isdataat:!1,relative; metadata:created_at 2025_06_05; reference:url, urlhaus.abuse.ch/url/3558501/; classtype:trojan-activity;sid:84421601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/link-exe-test/main/matthew.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558300/; classtype:trojan-activity;sid:84421400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/second.bin"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558295/; classtype:trojan-activity;sid:84421395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/urbanvpn.exe"; depth:31; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558290/; classtype:trojan-activity;sid:84421390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/svhost.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558291/; classtype:trojan-activity;sid:84421391; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/second.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558292/; classtype:trojan-activity;sid:84421392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/invoke-nicelittlekittieobf/main/invoke-nicelittlekittieobf.ps1"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558289/; classtype:trojan-activity;sid:84421389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/darwin.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558287/; classtype:trojan-activity;sid:84421387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/rust-dropper/main/src/main.rs"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558280/; classtype:trojan-activity;sid:84421380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558266)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/invoke-shell/main/reverse.ps1"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558266/; classtype:trojan-activity;sid:84421366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/iso-file-testing/main/pleaserunme.iso"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558264/; classtype:trojan-activity;sid:84421364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/payload.bin"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558252/; classtype:trojan-activity;sid:84421352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/riende.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558247/; classtype:trojan-activity;sid:84421347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/main/payload_encrypted.bin"; depth:40; endswith; nocase; 
http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558235/; classtype:trojan-activity;sid:84421335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/meter/main/meter5555.ps1"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558237/; classtype:trojan-activity;sid:84421337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/js-file-test/main/loader.js"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558229/; classtype:trojan-activity;sid:84421329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3558230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/rust-revshell/main/src/main.rs"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_06_04; reference:url, urlhaus.abuse.ch/url/3558230/; classtype:trojan-activity;sid:84421330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3556675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2025/05/1tronps1.txt"; depth:40; endswith; nocase; http.host; content:"sablayan.seasonshotelmindoro.com"; depth:32; isdataat:!1,relative; metadata:created_at 2025_06_03; reference:url, 
urlhaus.abuse.ch/url/3556675/; classtype:trojan-activity;sid:84419775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3556673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2025/05/1framework.txt"; depth:42; endswith; nocase; http.host; content:"sablayan.seasonshotelmindoro.com"; depth:32; isdataat:!1,relative; metadata:created_at 2025_06_03; reference:url, urlhaus.abuse.ch/url/3556673/; classtype:trojan-activity;sid:84419773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3556670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2025/05/imagens.txt"; depth:39; endswith; nocase; http.host; content:"sablayan.seasonshotelmindoro.com"; depth:32; isdataat:!1,relative; metadata:created_at 2025_06_03; reference:url, urlhaus.abuse.ch/url/3556670/; classtype:trojan-activity;sid:84419770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3554430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rate.zip"; depth:9; endswith; nocase; http.host; content:"celebratingseniors.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_28; reference:url, urlhaus.abuse.ch/url/3554430/; classtype:trojan-activity;sid:84417530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3554345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rats.zip"; depth:9; endswith; nocase; http.host; content:"celebratingseniors.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_28; reference:url, urlhaus.abuse.ch/url/3554345/; classtype:trojan-activity;sid:84417445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3554334)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oste.zip"; depth:9; endswith; nocase; http.host; content:"celebratingseniors.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_28; reference:url, urlhaus.abuse.ch/url/3554334/; classtype:trojan-activity;sid:84417434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.95.253.86"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553946/; classtype:trojan-activity;sid:84417046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bufs.zip"; depth:9; endswith; nocase; http.host; content:"maidforyou1985.com"; depth:18; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553636/; classtype:trojan-activity;sid:84416736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/osxs.zip"; depth:9; endswith; nocase; http.host; content:"windomstatetheater.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553633/; classtype:trojan-activity;sid:84416733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rars.zip"; depth:9; endswith; nocase; http.host; content:"windomstatetheater.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553609/; classtype:trojan-activity;sid:84416709; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3553268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"180.92.228.34"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_27; reference:url, urlhaus.abuse.ch/url/3553268/; classtype:trojan-activity;sid:84416368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"183.81.156.123"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_26; reference:url, urlhaus.abuse.ch/url/3552756/; classtype:trojan-activity;sid:84415856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.83.211.82"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_26; reference:url, urlhaus.abuse.ch/url/3552741/; classtype:trojan-activity;sid:84415841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bre"; depth:4; endswith; nocase; http.host; content:"109.74.204.206"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_26; reference:url, urlhaus.abuse.ch/url/3552617/; classtype:trojan-activity;sid:84415717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonimusman00-2/xmr/refs/heads/main/silent%20miner.zip"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552045/; classtype:trojan-activity;sid:84415145; rev:1;)
# ^ tail of the rule whose header sits on the previous line (sid 84415145).
#
# Rule template used by every entry below: alert on an established, client-side
# HTTP GET from $HOME_NET to $EXTERNAL_NET where
#   - http.uri matches the listed path (depth equal to the pattern length plus
#     endswith pins the whole URI; nocase applies to this pattern), and
#   - http.host matches the listed host exactly (depth plus isdataat:!1,relative
#     rejects anything after the match).
# The number in msg and in the reference URL is the URLhaus entry id.
#
# NOTE(review): raw.githubusercontent.com and github.com are typically reached over
# HTTPS. These are `alert http` rules, so they only fire where the sensor sees the
# request in cleartext (TLS inspection upstream, or a plaintext fetch) - confirm
# sensor placement before counting these entries as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/waf/dracula-cmd/master/dist/colortool.zip"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552042/; classtype:trojan-activity;sid:84415142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iamsysadmin/setteamsbg/main/set-teams-backgrounds.zip"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552043/; classtype:trojan-activity;sid:84415143; rev:1;)
# NOTE(review): the pattern below carries a literal "%20" and depth:59 counts it as
# three bytes. http.uri is Suricata's normalized URI buffer; if normalization on this
# sensor percent-decodes the path, the request would present a space here and this
# rule would not match - verify against a capture (http.uri.raw is the undecoded buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3552009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anonimusman00-2/xmr/raw/refs/heads/main/silent%20miner.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3552009/; classtype:trojan-activity;sid:84415109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3551493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.242.66.123"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3551493/; classtype:trojan-activity;sid:84414593; rev:1;)
alert http $HOME_NET any ->
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3551361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.15.250.81"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3551361/; classtype:trojan-activity;sid:84414461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3551305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.208.193"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_24; reference:url, urlhaus.abuse.ch/url/3551305/; classtype:trojan-activity;sid:84414405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/macmid_sonoma_14_5.exe"; depth:23; endswith; nocase; http.host; content:"107.198.40.184"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, urlhaus.abuse.ch/url/3550735/; classtype:trojan-activity;sid:84413835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.59.90.109"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, urlhaus.abuse.ch/url/3550381/; classtype:trojan-activity;sid:84413481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.86.190.58"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, 
urlhaus.abuse.ch/url/3550356/; classtype:trojan-activity;sid:84413456; rev:1;)
# ^ tail of the rule whose header sits on the previous line (sid 84413456).
#
# Each rule below alerts on an established, client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri matches the listed path and whose http.host matches
# the listed host exactly (depth plus isdataat:!1,relative). Very short paths such
# as "/i" or "/sshd" are only meaningful because of that host binding.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.15.250.81"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_23; reference:url, urlhaus.abuse.ch/url/3550290/; classtype:trojan-activity;sid:84413390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023"; depth:5; endswith; nocase; http.host; content:"143.92.48.9"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_22; reference:url, urlhaus.abuse.ch/url/3550019/; classtype:trojan-activity;sid:84413119; rev:1;)
# NOTE(review): the pattern below holds literal percent-escapes ("%bc%bc%ca%f5") and
# depth:19 counts each as three bytes. http.uri is the normalized URI buffer; if the
# sensor percent-decodes the path, the request would present raw high bytes here and
# this rule would not match - verify against a capture (http.uri.raw is the undecoded buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3550006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3r%bc%bc%ca%f5.exe"; depth:19; endswith; nocase; http.host; content:"8.138.182.17"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_22; reference:url, urlhaus.abuse.ch/url/3550006/; classtype:trojan-activity;sid:84413106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3549645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.87.82.140"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_22; reference:url, urlhaus.abuse.ch/url/3549645/; classtype:trojan-activity;sid:84412745; rev:1;)
# NOTE(review): in the pattern below, |3f| decodes to "?" but |7c|26|7c| decodes to the
# four literal characters "|26|" - this looks like a hex escape for "&" that was escaped
# a second time. If the listed URL is /uc?export=download&id=..., this rule cannot
# match it; confirm against the URLhaus entry. depth:68 equals the length of the
# escaped text, not of the 59 decoded bytes, so depth plus endswith does not pin the
# pattern to the start of the URI the way the sibling rules do.
# NOTE(review): drive.google.com is typically reached over HTTPS, so an `alert http`
# rule only fires where the sensor sees the request in cleartext.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3547880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ed2w0zvvx53_mfifdszyslleurub40zo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3547880/; classtype:trojan-activity;sid:84410980; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3547784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.84.143"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3547784/; classtype:trojan-activity;sid:84410884; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3547782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.98.176.195"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_20; reference:url, urlhaus.abuse.ch/url/3547782/; classtype:trojan-activity;sid:84410882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3546975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"87.119.108.21"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_19; reference:url, urlhaus.abuse.ch/url/3546975/; classtype:trojan-activity;sid:84410075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3546969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"84.236.147.129"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_19; reference:url, urlhaus.abuse.ch/url/3546969/; classtype:trojan-activity;sid:84410069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3544992)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/nk/wunbbnvf102.bin"; depth:31; endswith; nocase; http.host; content:"planetariumobil.ro"; depth:18; isdataat:!1,relative; metadata:created_at 2025_05_16; reference:url, urlhaus.abuse.ch/url/3544992/; classtype:trojan-activity;sid:84408092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3543803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.239.97"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_15; reference:url, urlhaus.abuse.ch/url/3543803/; classtype:trojan-activity;sid:84406903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3543805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.239.98"; depth:11; isdataat:!1,relative; metadata:created_at 2025_05_15; reference:url, urlhaus.abuse.ch/url/3543805/; classtype:trojan-activity;sid:84406905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3543801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.83.40"; depth:10; isdataat:!1,relative; metadata:created_at 2025_05_15; reference:url, urlhaus.abuse.ch/url/3543801/; classtype:trojan-activity;sid:84406901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3543392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.50.222.238"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_14; reference:url, urlhaus.abuse.ch/url/3543392/; classtype:trojan-activity;sid:84406492; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3542563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1wvxiyf_ryvgg_x3x7uceicqrndhb7lul"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_05_13; reference:url, urlhaus.abuse.ch/url/3542563/; classtype:trojan-activity;sid:84405663; rev:1;)
# ^ body of the rule whose "alert http" header sits on the previous line (sid 84405663).
# NOTE(review), sid 84405663: |3f| decodes to "?" but |7c|26|7c| decodes to the four
# literal characters "|26|" - this looks like a hex escape for "&" that was escaped a
# second time. If the listed URL is /uc?export=download&id=..., the rule cannot match
# it; confirm against the URLhaus entry. depth:68 equals the length of the escaped
# text, not of the 59 decoded bytes, so depth plus endswith does not pin the pattern
# to the start of the URI the way the sibling rules do.
# NOTE(review): drive.google.com and github.com are typically reached over HTTPS, so
# the `alert http` rules for those hosts only fire where the sensor sees the request
# in cleartext (TLS inspection upstream, or a plaintext fetch).
#
# Each rule below alerts on an established, client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose http.uri matches the listed path and whose http.host matches
# the listed host exactly (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3541826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/giphy.gif"; depth:21; endswith; nocase; http.host; content:"onfiltre.com.tr"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_12; reference:url, urlhaus.abuse.ch/url/3541826/; classtype:trojan-activity;sid:84404926; rev:1;)
# NOTE(review): the path below has the shape of a GitHub release asset for xmrig
# v6.12.2, presumably the project's own published build. An alert here indicates a
# miner download rather than a specific malware family; triage with host context
# (who fetched it, and what ran afterwards).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3540931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_05_11; reference:url, urlhaus.abuse.ch/url/3540931/; classtype:trojan-activity;sid:84404031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3540186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.190.58.102"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_10; reference:url, urlhaus.abuse.ch/url/3540186/; classtype:trojan-activity;sid:84403286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539686)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/js_bo/werkstastt/shotstar.prm"; depth:30; endswith; nocase; http.host; content:"www.silver-hubdachwohnwagen.de"; depth:30; isdataat:!1,relative; metadata:created_at 2025_05_09; reference:url, urlhaus.abuse.ch/url/3539686/; classtype:trojan-activity;sid:84402786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"8.218.225.42"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_09; reference:url, urlhaus.abuse.ch/url/3539354/; classtype:trojan-activity;sid:84402454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539297)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"93.190.58.102"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_09; reference:url, urlhaus.abuse.ch/url/3539297/; classtype:trojan-activity;sid:84402397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3539028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.22.42.232"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3539028/; classtype:trojan-activity;sid:84402128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.211.217"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538764/; classtype:trojan-activity;sid:84401864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3538763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.208.237"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538763/; classtype:trojan-activity;sid:84401863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.209.31"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538762/; classtype:trojan-activity;sid:84401862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538761/; classtype:trojan-activity;sid:84401861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.209.46"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538755/; classtype:trojan-activity;sid:84401855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538747/; 
classtype:trojan-activity;sid:84401847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538741/; classtype:trojan-activity;sid:84401841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538744)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"201.94.181.7"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538744/; classtype:trojan-activity;sid:84401844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.210.5"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538671/; classtype:trojan-activity;sid:84401771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538670)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"121.202.208.107"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538670/; classtype:trojan-activity;sid:84401770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.162.88.253"; depth:14; isdataat:!1,relative; 
metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538667/; classtype:trojan-activity;sid:84401767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3538179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.22.42.232"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_08; reference:url, urlhaus.abuse.ch/url/3538179/; classtype:trojan-activity;sid:84401279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3537710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wex.gif"; depth:11; endswith; nocase; http.host; content:"stonecradle.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_05_07; reference:url, urlhaus.abuse.ch/url/3537710/; classtype:trojan-activity;sid:84400810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3536070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl202"; depth:6; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_06; reference:url, urlhaus.abuse.ch/url/3536070/; classtype:trojan-activity;sid:84399170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3534886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"103.153.93.18"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_04; reference:url, urlhaus.abuse.ch/url/3534886/; classtype:trojan-activity;sid:84397986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3533582)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kokotpycauholica/ultraundetecteddrv/refs/heads/main/hbvtmbp46iieehp1.exe"; depth:73; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_05_03; reference:url, urlhaus.abuse.ch/url/3533582/; classtype:trojan-activity;sid:84396682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl201"; depth:6; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532985/; classtype:trojan-activity;sid:84396085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"114.129.49.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532847/; classtype:trojan-activity;sid:84395947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"114.129.49.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532848/; classtype:trojan-activity;sid:84395948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"114.129.49.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532849/; classtype:trojan-activity;sid:84395949; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.76.101.102"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532833/; classtype:trojan-activity;sid:84395933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3532282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl200"; depth:6; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_05_02; reference:url, urlhaus.abuse.ch/url/3532282/; classtype:trojan-activity;sid:84395382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3531992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.81.58.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_05_01; reference:url, urlhaus.abuse.ch/url/3531992/; classtype:trojan-activity;sid:84395092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3531986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"112.168.60.136"; depth:14; isdataat:!1,relative; metadata:created_at 2025_05_01; reference:url, urlhaus.abuse.ch/url/3531986/; classtype:trojan-activity;sid:84395086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3531095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.12.100.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_30; reference:url, urlhaus.abuse.ch/url/3531095/; 
classtype:trojan-activity;sid:84394195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"115.127.68.162"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_30; reference:url, urlhaus.abuse.ch/url/3530891/; classtype:trojan-activity;sid:84393991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"71.42.105.34"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3530241/; classtype:trojan-activity;sid:84393341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3530184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.39.251.94"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3530184/; classtype:trojan-activity;sid:84393284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"188.12.100.131"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529934/; classtype:trojan-activity;sid:84393034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"80.76.101.102"; depth:13; isdataat:!1,relative; metadata:created_at 
2025_04_29; reference:url, urlhaus.abuse.ch/url/3529907/; classtype:trojan-activity;sid:84393007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"220.81.58.40"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529908/; classtype:trojan-activity;sid:84393008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3529878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"110.4.13.252"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_29; reference:url, urlhaus.abuse.ch/url/3529878/; classtype:trojan-activity;sid:84392978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mir1ce/hawkeye/releases/download/v0319/hawkeye.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_28; reference:url, urlhaus.abuse.ch/url/3528280/; classtype:trojan-activity;sid:84391380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yarahq/yara-forge/releases/latest/download/yara-forge-rules-core.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_28; reference:url, urlhaus.abuse.ch/url/3528279/; classtype:trojan-activity;sid:84391379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528171)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/user-attachments/files/19831362/alpha.zip"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528171/; classtype:trojan-activity;sid:84391271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/decalage2/oletools/releases/download/v0.60.2/oletools-0.60.2.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528170/; classtype:trojan-activity;sid:84391270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528165)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/19831288/crack.nurik.zip"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528165/; classtype:trojan-activity;sid:84391265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/19831450/solara.zip"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528162/; classtype:trojan-activity;sid:84391262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/19835739/solarus.zip"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; 
isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528154/; classtype:trojan-activity;sid:84391254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zxc5wezxc/new/main/dllbase64reverse.txt"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528128/; classtype:trojan-activity;sid:84391228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/androidmalware/android_hid/f25d0234cff288ab8384689685e37b1b4bbaf2ba/test.exe"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528127/; classtype:trojan-activity;sid:84391227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monkeyadece/v-f/releases/download/1.4.2/vector-fixer-v1.4.2.exe"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528108/; classtype:trojan-activity;sid:84391208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui.exe"; depth:7; endswith; nocase; http.host; content:"public.demo.securecloudsandbox.com"; depth:34; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528105/; 
classtype:trojan-activity;sid:84391205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbormann/darts-gif/releases/download/v1.1.0/darts-gif.exe"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528107/; classtype:trojan-activity;sid:84391207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbormann/darts-pixelit/releases/download/v1.2.2/darts-pixelit.exe"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528100/; classtype:trojan-activity;sid:84391200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbormann/darts-wled/releases/download/v1.8.1/darts-wled.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528101/; classtype:trojan-activity;sid:84391201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3528097)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harelba/q/releases/download/2.0.19/q-amd64-windows.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528097/; classtype:trojan-activity;sid:84391197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3528098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikf/gallery-dl/releases/download/v1.15.0/gallery-dl.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3528098/; classtype:trojan-activity;sid:84391198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-load/rapidsvn.exe"; depth:21; endswith; nocase; http.host; content:"muriaspetin.es"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3527923/; classtype:trojan-activity;sid:84391023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527856)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"78.36.11.185"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3527856/; classtype:trojan-activity;sid:84390956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"149.241.40.177"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, urlhaus.abuse.ch/url/3527836/; classtype:trojan-activity;sid:84390936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3527814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.57.30.25"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_27; reference:url, 
urlhaus.abuse.ch/url/3527814/; classtype:trojan-activity;sid:84390914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verify-sec"; depth:11; endswith; nocase; http.host; content:"msoftdatastore.z22.web.core.windows.net"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526930/; classtype:trojan-activity;sid:84390030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.252.69.10"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526832/; classtype:trojan-activity;sid:84389932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3526810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.26.222.124"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3526810/; classtype:trojan-activity;sid:84389910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"46.39.251.94"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3525776/; classtype:trojan-activity;sid:84388876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; 
content:"149.241.40.177"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_26; reference:url, urlhaus.abuse.ch/url/3525710/; classtype:trojan-activity;sid:84388810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"80.110.37.104"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3525151/; classtype:trojan-activity;sid:84388251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.252.69.10"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3525013/; classtype:trojan-activity;sid:84388113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3525021)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux"; depth:6; endswith; nocase; http.host; content:"47.83.203.183"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3525021/; classtype:trojan-activity;sid:84388121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3524811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vaxilu/x-ui/releases/latest/download/x-ui-linux-amd64.tar.gz"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3524811/; classtype:trojan-activity;sid:84387911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3524779)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.158.88.156"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3524779/; classtype:trojan-activity;sid:84387879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3524506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ccjlbddgjhpeeff1b1hfkgp3x16c_tj1"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3524506/; classtype:trojan-activity;sid:84387606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3524454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1bpc5z-hv6kosk6artkfmbtsnnwwpdghy"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_25; reference:url, urlhaus.abuse.ch/url/3524454/; classtype:trojan-activity;sid:84387554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3523621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.47.243.57"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_24; reference:url, urlhaus.abuse.ch/url/3523621/; classtype:trojan-activity;sid:84386721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oto"; depth:4; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_23; 
reference:url, urlhaus.abuse.ch/url/3522943/; classtype:trojan-activity;sid:84386043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.30.92.188"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_23; reference:url, urlhaus.abuse.ch/url/3522876/; classtype:trojan-activity;sid:84385976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ltrdqlgcl6smoqujfs1pb2ernzhsbydh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_23; reference:url, urlhaus.abuse.ch/url/3522687/; classtype:trojan-activity;sid:84385787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eed8989/u/main/ud.bat"; depth:22; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_22; reference:url, urlhaus.abuse.ch/url/3522201/; classtype:trojan-activity;sid:84385301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3522159)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.243.36.33"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_22; reference:url, urlhaus.abuse.ch/url/3522159/; classtype:trojan-activity;sid:84385259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520366)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-x64.tar.gz"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_21; reference:url, urlhaus.abuse.ch/url/3520366/; classtype:trojan-activity;sid:84383466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"77.226.241.197"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520082/; classtype:trojan-activity;sid:84383182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"202.57.43.234"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520081/; classtype:trojan-activity;sid:84383181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"179.63.168.2"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520073/; classtype:trojan-activity;sid:84383173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"61.244.254.110"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520077/; classtype:trojan-activity;sid:84383177; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"2.136.63.232"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520070/; classtype:trojan-activity;sid:84383170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3520068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"93.182.77.20"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3520068/; classtype:trojan-activity;sid:84383168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.229.20.42"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519584/; classtype:trojan-activity;sid:84382684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519540)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_autovlbs19_new/trainjx2.exe"; depth:29; endswith; nocase; http.host; content:"thtp2.volamngayxua.net"; depth:22; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519540/; classtype:trojan-activity;sid:84382640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_autovlbs19_new/trainjx.exe"; depth:28; endswith; nocase; http.host; content:"thtp2.volamngayxua.net"; depth:22; isdataat:!1,relative; 
metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519529/; classtype:trojan-activity;sid:84382629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/linm_free/tg_linm_data_image_free.dll"; depth:43; endswith; nocase; http.host; content:"tiwanlinm.duckdns.org"; depth:21; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519525/; classtype:trojan-activity;sid:84382625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb/32.exe"; depth:10; endswith; nocase; http.host; content:"ny.lshdw.cc"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519518/; classtype:trojan-activity;sid:84382618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/install/namu832.exe"; depth:20; endswith; nocase; http.host; content:"www.namuvpn.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519513/; classtype:trojan-activity;sid:84382613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/versions/gestioniccv20.21.8.51/gestionicc.exe"; depth:46; endswith; nocase; http.host; content:"icoffeecloud.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519485/; classtype:trojan-activity;sid:84382585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3519469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"60aaf9c6.salamanderprocessing.pages.dev"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519469/; classtype:trojan-activity;sid:84382569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/linm_free/tg_linm_data_map_free.dll"; depth:41; endswith; nocase; http.host; content:"tiwanlinm.duckdns.org"; depth:21; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519467/; classtype:trojan-activity;sid:84382567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fb/sm.exe"; depth:10; endswith; nocase; http.host; content:"ny.lshdw.cc"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519464/; classtype:trojan-activity;sid:84382564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pds/mogimall/giftorder/giftorder.exe"; depth:37; endswith; nocase; http.host; content:"mogimall.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519459/; classtype:trojan-activity;sid:84382559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; 
content:"2cfc0222.salamanderprocessing.pages.dev"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519451/; classtype:trojan-activity;sid:84382551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519446)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newchaisupon/vendor/bin/psysh.bat"; depth:34; endswith; nocase; http.host; content:"99194034-96-20180108171507.webstarterz.com"; depth:42; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519446/; classtype:trojan-activity;sid:84382546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa0611/systemsa32.dll"; depth:22; endswith; nocase; http.host; content:"www.ss-01.com"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519443/; classtype:trojan-activity;sid:84382543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msedge.exe"; depth:11; endswith; nocase; http.host; content:"c9791c08-f1e4-4402-9510-d04c13c50ea3.selstorage.ru"; depth:50; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519432/; classtype:trojan-activity;sid:84382532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"c3436037.salamanderprocessing.pages.dev"; depth:39; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, 
urlhaus.abuse.ch/url/3519415/; classtype:trojan-activity;sid:84382515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519408)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rh/setup.exe"; depth:13; endswith; nocase; http.host; content:"d3cciiowg5l3jx.cloudfront.net"; depth:29; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519408/; classtype:trojan-activity;sid:84382508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pds/mogimall/giftorder/updater.exe"; depth:35; endswith; nocase; http.host; content:"mogimall.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519404/; classtype:trojan-activity;sid:84382504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r0400/yahoodll.dll"; depth:19; endswith; nocase; http.host; content:"www.ss-01.com"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519368/; classtype:trojan-activity;sid:84382468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/driveapplet.exe"; depth:16; endswith; nocase; http.host; content:"noithaticon.vn"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519369/; classtype:trojan-activity;sid:84382469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519354)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/licensing/updates/addmefast%20bot.exe"; depth:38; endswith; nocase; http.host; content:"www.blackhattoolz.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519354/; classtype:trojan-activity;sid:84382454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nircmd.exe"; depth:11; endswith; nocase; http.host; content:"pub-0478b308b8cf46709a73d0eed5afd633.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519356/; classtype:trojan-activity;sid:84382456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pst.exe"; depth:8; endswith; nocase; http.host; content:"o24o.ru"; depth:7; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519092/; classtype:trojan-activity;sid:84382192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519066/; classtype:trojan-activity;sid:84382166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vinhuptoday/testbn/raw/refs/heads/main/brbotnet.exe"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, 
urlhaus.abuse.ch/url/3519063/; classtype:trojan-activity;sid:84382163; rev:1;)
# Rule template used by the rules below: an established client request from
# $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose http.uri
# is the listed path (`depth:N; endswith;` with N equal to the pattern length
# makes the match exact, `nocase` makes it case-insensitive) and whose http.host
# is the listed host (`depth:N` plus `isdataat:!1,relative` = no byte after it).
# NOTE(review): the content below keeps the percent-escapes
# (`%e4%b8%93%e7%94%a8`) as literal text, and depth:34 counts them that way.
# http.uri is Suricata's normalized URI buffer; if normalization decodes these
# escapes the literal will not match -- confirm on the deployed version and
# compare with http.uri.raw.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiansys(xp%e4%b8%93%e7%94%a8).exe"; depth:34; endswith; nocase; http.host; content:"fz.tiansys.cn"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519036/; classtype:trojan-activity;sid:84382136; rev:1;)
# NOTE(review): the three github.com rules below are `alert http` rules, and
# github.com is normally reached over HTTPS, so they fire only where the sensor
# sees the decrypted request -- verify coverage. They match on the URL alone: a
# hit says the path was requested, not which bytes were served (the first one
# uses a "releases/latest" path), so confirm the payload by hash during triage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/disbalancer-project/main/releases/latest/download/disbalancer-go-client-windows-386.exe"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519035/; classtype:trojan-activity;sid:84382135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cosmicdevv/icarus-lite/releases/download/v1.1.13/icaruslite-v1.1.13-win.exe"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519027/; classtype:trojan-activity;sid:84382127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dax009yt/chilledwindows-gui/releases/download/1.0/chilledwindows.gui.exe"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519026/; classtype:trojan-activity;sid:84382126; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jackson2323/mohradiant/blob/master/updt.exe|3f|raw=true"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519019/; classtype:trojan-activity;sid:84382119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/pkexu0ytxar3.exe"; depth:22; endswith; nocase; http.host; content:"115.159.149.113"; depth:15; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519020/; classtype:trojan-activity;sid:84382120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bol-van/zapret/releases/download/v70.6/zapret-v70.6.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519016/; classtype:trojan-activity;sid:84382116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3519000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vexcentry/vex/raw/refs/heads/main/runtimebroker.exe"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3519000/; classtype:trojan-activity;sid:84382100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3518861)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ns3.jpg"; depth:8; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3518861/; classtype:trojan-activity;sid:84381961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3518860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ns1.jpg"; depth:8; endswith; nocase; http.host; content:"162.215.218.82"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_20; reference:url, urlhaus.abuse.ch/url/3518860/; classtype:trojan-activity;sid:84381960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3517053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"124.123.26.174"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3517053/; classtype:trojan-activity;sid:84380153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3517040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"2.57.122.121"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3517040/; classtype:trojan-activity;sid:84380140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3516658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vinhuptoday/testbn/raw/refs/heads/main/brbotnet.exe"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3516658/; classtype:trojan-activity;sid:84379758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3516584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"211.219.49.173"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_18; reference:url, urlhaus.abuse.ch/url/3516584/; classtype:trojan-activity;sid:84379684; rev:1;)
# Rule template used by the rules below: an established client request from
# $HOME_NET to $EXTERNAL_NET whose method buffer contains "GET", whose http.uri
# is the listed path (`depth:N; endswith;` with N equal to the pattern length
# makes the match exact, `nocase` makes it case-insensitive) and whose http.host
# is the listed host (`depth:N` plus `isdataat:!1,relative` = no byte after it).
# These are `alert http` rules: the drive.google.com, github.com and
# raw.githubusercontent.com entries fire only where the sensor sees the
# decrypted request, since those hosts are normally reached over HTTPS.
# NOTE(review): `|7c|26|7c|` decodes to the four literal characters `|26|`
# (0x7c is the pipe itself), so this content expects "download|26|id=" in the
# URI. It looks like a double-escaped `&` (0x26) -- confirm against the URLhaus
# entry. depth:68 is the length of the escaped rule text; the decoded pattern is
# 59 bytes, so the match is also not anchored at offset 0 of the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3514570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hrp9lnasbplclnhppp1abwb1uwv4kdvs"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_17; reference:url, urlhaus.abuse.ch/url/3514570/; classtype:trojan-activity;sid:84377670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3514066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkminash/my-codd/raw/896d806a9b4569c9c3a275f200ebe7d2ecec5702/snd16061.exe"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_17; reference:url, urlhaus.abuse.ch/url/3514066/; classtype:trojan-activity;sid:84377166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3510901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl16"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_14; reference:url, urlhaus.abuse.ch/url/3510901/; classtype:trojan-activity;sid:84374001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3509907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahmounben/lc/refs/heads/main/xclient.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_13; reference:url, urlhaus.abuse.ch/url/3509907/; classtype:trojan-activity;sid:84373007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3509901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justjzero/ahh/raw/refs/heads/main/cloudy.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_13; reference:url, urlhaus.abuse.ch/url/3509901/; classtype:trojan-activity;sid:84373001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3507942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.60.246.15"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_11; reference:url, urlhaus.abuse.ch/url/3507942/; classtype:trojan-activity;sid:84371042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3507456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/mimikatz.exe"; depth:17; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_11; reference:url, urlhaus.abuse.ch/url/3507456/; classtype:trojan-activity;sid:84370556; rev:1;)
# NOTE(review): depth:57 is the length of the escaped rule text; `|3f|` is a
# single byte (`?`), so the decoded pattern is 54 bytes. With `endswith` the
# rule still requires the URI to end with this string, but up to three bytes may
# precede it, so the match is not strictly anchored at offset 0.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3507452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/misterlobster22/mimik/blob/main/mimikatz.exe|3f|raw=true"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_11; reference:url, urlhaus.abuse.ch/url/3507452/; classtype:trojan-activity;sid:84370552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3506392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepakmeena2006/lib/6753a65f543afe81079459a8439ec1e0c0a660b4/s86.txt"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_10; reference:url, urlhaus.abuse.ch/url/3506392/; classtype:trojan-activity;sid:84369492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3506391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deepakmeena2006/lib/6753a65f543afe81079459a8439ec1e0c0a660b4/s64.txt"; depth:69; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_10; reference:url, urlhaus.abuse.ch/url/3506391/; classtype:trojan-activity;sid:84369491; rev:1;)
# NOTE(review): the next two rules carry the same `|7c|26|7c|` sequence and
# depth:68 as sid 84377670 above; the same double-escape concern applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3506346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1kcbhxhjt-bdxszgxt1nfnzdt5hpvkwk4"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_10; reference:url, urlhaus.abuse.ch/url/3506346/; classtype:trojan-activity;sid:84369446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1muftth-5lscdi3ovd5vn7sjkeit2h9k1"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505672/; classtype:trojan-activity;sid:84368772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download
URL detected (3505377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/electrichermit/vegas-pro-version/releases/download/v2.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505377/; classtype:trojan-activity;sid:84368477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ergin3432432/movie-mates/releases/download/v1.0/application.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505382/; classtype:trojan-activity;sid:84368482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yumyumdonuts/free-youtube-to-mp3-converter-free/releases/download/1.1.2/freeyoutubetomp3converterfree-1.1.2.zip"; depth:112; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505334/; classtype:trojan-activity;sid:84368434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmattioni/upload/raw/refs/heads/master/software.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505313/; classtype:trojan-activity;sid:84368413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505307)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/anamesias580/upload/refs/heads/master/software.zip"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505307/; classtype:trojan-activity;sid:84368407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505305)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phanu85/upload/raw/refs/heads/master/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505305/; classtype:trojan-activity;sid:84368405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3505304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pantay/upload/raw/refs/heads/master/software.zip"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_09; reference:url, urlhaus.abuse.ch/url/3505304/; classtype:trojan-activity;sid:84368404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3504713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.238.31"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_08; reference:url, urlhaus.abuse.ch/url/3504713/; classtype:trojan-activity;sid:84367813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3504256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/midafternoon.snp"; depth:24; endswith; nocase; http.host; content:"pfatrivandrum.org"; depth:17; isdataat:!1,relative; metadata:created_at 2025_04_08; 
reference:url, urlhaus.abuse.ch/url/3504256/; classtype:trojan-activity;sid:84367356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3504105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fonts/tuberculinizing.fla"; depth:26; endswith; nocase; http.host; content:"pfatrivandrum.org"; depth:17; isdataat:!1,relative; metadata:created_at 2025_04_08; reference:url, urlhaus.abuse.ch/url/3504105/; classtype:trojan-activity;sid:84367205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3503657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.43.17.123"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_07; reference:url, urlhaus.abuse.ch/url/3503657/; classtype:trojan-activity;sid:84366757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3503409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tirtekeka/rat-client/zip/refs/heads/main"; depth:41; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_04_07; reference:url, urlhaus.abuse.ch/url/3503409/; classtype:trojan-activity;sid:84366509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3503003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/konsol.exe"; depth:20; endswith; nocase; http.host; content:"backupso.com"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_06; reference:url, urlhaus.abuse.ch/url/3503003/; classtype:trojan-activity;sid:84366103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3502701)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.210.214.48"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_06; reference:url, urlhaus.abuse.ch/url/3502701/; classtype:trojan-activity;sid:84365801; rev:1;)
# URLhaus "known malware download URL" signatures: one rule per reported URL.
# The number in msg is the same id that appears in the urlhaus.abuse.ch reference.
# Every rule below is an exact-match indicator with the same shape:
#   - flow:established,from_client  -> only client requests on an established flow
#   - http.method contains "GET"
#   - http.uri: content + depth equal to the pattern length + endswith means the
#     whole URI buffer must equal the listed path; nocase applies to this path only
#   - http.host: content + depth equal to the pattern length + isdataat:!1,relative
#     means nothing may follow the match, i.e. the host must equal the listed value
# NOTE(review): because the URI is matched in full, a request for the same file
# with anything appended to the path does not alert. Treat a hit as an IoC match
# and the absence of a hit as no evidence either way.
# NOTE(review): these are "alert http" rules, so they only see requests Suricata
# parses as HTTP. Many entries name hosts that are normally reached over HTTPS
# (github.com, raw.githubusercontent.com, a cloudfront.net and a github.io host);
# such downloads are visible only where TLS is decrypted ahead of the sensor.
# Confirm that coverage before relying on these entries.
# NOTE(review): on shared hosts the URI is what makes a rule specific, so do not
# loosen the http.uri match without expecting alerts on unrelated traffic.
# NOTE(review): entries are dated by metadata:created_at. An IP or host listed
# long ago may since have changed hands; check the reference before acting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3501608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"35.137.185.24"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_05; reference:url, urlhaus.abuse.ch/url/3501608/; classtype:trojan-activity;sid:84364708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3500891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chin/ifjjmktge.mp3"; depth:19; endswith; nocase; http.host; content:"dcrun.co.uk"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_04; reference:url, urlhaus.abuse.ch/url/3500891/; classtype:trojan-activity;sid:84363991; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3500747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.185.1.70"; depth:11; isdataat:!1,relative; metadata:created_at 2025_04_04; reference:url, urlhaus.abuse.ch/url/3500747/; classtype:trojan-activity;sid:84363847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3500733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.102.74.238"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_04; reference:url, urlhaus.abuse.ch/url/3500733/; classtype:trojan-activity;sid:84363833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3499993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roniel8/apex-no-recoil/releases/download/v2.5.1-alpha.3/apex-no-recoil-v2-5-1-alpha-3.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_03; reference:url, urlhaus.abuse.ch/url/3499993/; classtype:trojan-activity;sid:84363093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3499150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"79.124.72.22"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_02; reference:url, urlhaus.abuse.ch/url/3499150/; classtype:trojan-activity;sid:84362250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juanbustoss/src/raw/refs/heads/master/application.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498482/; classtype:trojan-activity;sid:84361582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shellyacm/imgx/releases/download/v1.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498084/; classtype:trojan-activity;sid:84361184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shellyacm/imgx/releases/download/v2.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498082/; classtype:trojan-activity;sid:84361182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demonsofhe/onion-rings/releases/download/3.1.7/onion-rings-3.1.7.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498070/; classtype:trojan-activity;sid:84361170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/warisalishah/mytube/releases/download/v1.1/soft.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498072/; classtype:trojan-activity;sid:84361172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jxx1234567890jxx/datatransformationchecker/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498076/; classtype:trojan-activity;sid:84361176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frank698/localocr/releases/download/v2.3.3/localocr_v2.3.3.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498067/; classtype:trojan-activity;sid:84361167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfeifefeifef/pokemon-crud/releases/download/v1.1/soft.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498056/; classtype:trojan-activity;sid:84361156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/julia2806/stock-watch/releases/download/v1.0/application.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498059/; classtype:trojan-activity;sid:84361159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ushii/weather_app/releases/download/v1.0/installer.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498045/; classtype:trojan-activity;sid:84361145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahulpa045/cphishtermux/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498047/; classtype:trojan-activity;sid:84361147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfeifefeifef/pokemon-crud/releases/download/v1.2/soft.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498050/; classtype:trojan-activity;sid:84361150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jxx1234567890jxx/datatransformationchecker/releases/download/v1.0/application.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498053/; classtype:trojan-activity;sid:84361153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamer615/acdsee-photo-studio-professional-download/releases/download/v1.0/software.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498033/; classtype:trojan-activity;sid:84361133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ushii/weather_app/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498034/; classtype:trojan-activity;sid:84361134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamer615/acdsee-photo-studio-professional-download/releases/download/v2.0/software.zip"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498036/; classtype:trojan-activity;sid:84361136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3498040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/warisalishah/mytube/releases/download/v1.2/soft.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3498040/; classtype:trojan-activity;sid:84361140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497826/; classtype:trojan-activity;sid:84360926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v2.0/program.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497822/; classtype:trojan-activity;sid:84360922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497825)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497825/; classtype:trojan-activity;sid:84360925; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ffxjevefi/nix-system-services-hardened/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497805/; classtype:trojan-activity;sid:84360905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zackkung688/split-fiction/releases/download/lavalike/splitfiction-lavalike.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497772/; classtype:trojan-activity;sid:84360872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/simplefastfunnels254/tg-cybersec/releases/download/v2.7.1/tg-cybersec-v2.7.1.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497761/; classtype:trojan-activity;sid:84360861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ykn1/dishost/releases/download/1.3.8/dishost.1.3.8.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497760/; classtype:trojan-activity;sid:84360860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ander12342/pugdns/releases/download/1.3.1/pugdns_v1.3.1.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497739/; classtype:trojan-activity;sid:84360839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devpev777/d/refs/heads/main/r.msi"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497677/; classtype:trojan-activity;sid:84360777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.14.250"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497334/; classtype:trojan-activity;sid:84360434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.97.222.219"; depth:14; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497333/; classtype:trojan-activity;sid:84360433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.4.13.252"; depth:12; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497309/; classtype:trojan-activity;sid:84360409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.186.28.36"; depth:13; isdataat:!1,relative; metadata:created_at 2025_04_01; reference:url, urlhaus.abuse.ch/url/3497306/; classtype:trojan-activity;sid:84360406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497120)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dodobaba25/repo/refs/heads/master/s64.txt"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3497120/; classtype:trojan-activity;sid:84360220; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3497121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dodobaba25/repo/refs/heads/master/s86.txt"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3497121/; classtype:trojan-activity;sid:84360221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/benkku25/assets/raw/41f4f8f16b76af39e1bc3f8024b66010dd2617c7/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496952/; classtype:trojan-activity;sid:84360052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/syklon99/ai-chatbot-svelte/releases/download/v1.4.9/ai-chatbot-svelte-v1.4.9.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496664/; classtype:trojan-activity;sid:84359764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohamedbama/spider-man-2/releases/download/1.6.7/spider-man-2_v1.6.7.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496663/; classtype:trojan-activity;sid:84359763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naoval19/tacos/releases/download/v2.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496646/; classtype:trojan-activity;sid:84359746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vandalyz/nodejs-dockerized-app/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496628/; classtype:trojan-activity;sid:84359728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rle123/ai-self-coding-book/releases/download/v1.0/program.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496631/; classtype:trojan-activity;sid:84359731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vandalyz/nodejs-dockerized-app/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496625/; classtype:trojan-activity;sid:84359725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aboubakar909/dreamdance/releases/download/v2.5.1/dreamdance.v2.5.1.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496585/; classtype:trojan-activity;sid:84359685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stepbox23/assets/60af1f798cc4708a2872a66cebab351e529e43f8/software.zip"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_31; reference:url, urlhaus.abuse.ch/url/3496564/; classtype:trojan-activity;sid:84359664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new_image.jpg"; depth:14; endswith; nocase; http.host; content:"talentrecruitments.com"; depth:22; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3496067/; classtype:trojan-activity;sid:84359167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eed8989/u/raw/refs/heads/main/ud.bat"; depth:37; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3496061/; classtype:trojan-activity;sid:84359161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3496058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eed8989/u/raw/main/ud.bat"; depth:26; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3496058/; classtype:trojan-activity;sid:84359158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3495857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsl/downloader.exe"; depth:19; endswith; nocase; http.host; content:"tobecation.github.io"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_30; reference:url, urlhaus.abuse.ch/url/3495857/; classtype:trojan-activity;sid:84358957; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3494793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl20"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_29; reference:url, urlhaus.abuse.ch/url/3494793/; classtype:trojan-activity;sid:84357893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3493608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aussieonzaza/assets/refs/heads/master/launcher.zip"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_28; reference:url, urlhaus.abuse.ch/url/3493608/; classtype:trojan-activity;sid:84356708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3493604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rafael1679/assets/raw/refs/heads/master/launcher.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_28; reference:url, urlhaus.abuse.ch/url/3493604/; classtype:trojan-activity;sid:84356704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoiser1/wild-storage/releases/download/v1.0/app.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492619/; classtype:trojan-activity;sid:84355719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdeu-cpu/coap-mqtt-encryption/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492622/; classtype:trojan-activity;sid:84355722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forzon96/cataclismo/releases/download/1.4.6/cataclismo_1.4.6.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492611/; classtype:trojan-activity;sid:84355711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjunaid87/tokenset/releases/download/v2.8.1/tokenset.v2.8.1.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492613/; classtype:trojan-activity;sid:84355713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stayns/glpwnme/releases/download/3.1.1/glpwnme-3.1.1.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492601/; classtype:trojan-activity;sid:84355701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/catexec/signature-recognition-cnn/releases/download/v1.6.8/signature-recognition-cnn-v1.6.8.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492602/; classtype:trojan-activity;sid:84355702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tombalestra/m3-spatial/releases/download/v3.3.4/m3-spatial-v3.3.4.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492604/; classtype:trojan-activity;sid:84355704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sudip1801/loyalty/releases/download/v3.4.4-alpha.1/loyalty_v3.4.4-alpha.1.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492591/; classtype:trojan-activity;sid:84355691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reninstem/productlisting/releases/download/2.6.1/productlisting-2.6.1.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492563/; classtype:trojan-activity;sid:84355663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suvam-01/alayalite/releases/download/v1.4.8/alayalite_v1.4.8.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492557/; classtype:trojan-activity;sid:84355657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lordland929on6/1ab-phantasystaronline2b/releases/download/p7ew0zthra/156qeiu3fhnohcj2.rar"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492224/; classtype:trojan-activity;sid:84355324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eding442gfm/1ax-bladeandsoulx/releases/download/n6seqop1o4/q.rar"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492186/; classtype:trojan-activity;sid:84355286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/howlux40worthyfp4h/1af-starwars-theoldrepublicf/releases/download/j0ndd81djg/eskf6bqczzc2j.rar"; depth:95; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492168/; classtype:trojan-activity;sid:84355268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uragon005/ai-chatbot-svelte/releases/download/v2.4.5/ai-chatbot-svelte_v2.4.5.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492160/; classtype:trojan-activity;sid:84355260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdeguay/seed-phrase-generator/releases/download/v1.0/release.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492135/; classtype:trojan-activity;sid:84355235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abdeguay/seed-phrase-generator/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492134/; classtype:trojan-activity;sid:84355234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mathists9/abaqus-aluminum-bending-ductile-damage-3d/releases/download/2.7.3/release.2.7.3.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492123/; classtype:trojan-activity;sid:84355223; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/solarcrownyt/learning-sqlx/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492112/; classtype:trojan-activity;sid:84355212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3492056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aussieonzaza/assets/raw/refs/heads/master/launcher.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_27; reference:url, urlhaus.abuse.ch/url/3492056/; classtype:trojan-activity;sid:84355156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3491741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.111.30.28"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_26; reference:url, urlhaus.abuse.ch/url/3491741/; classtype:trojan-activity;sid:84354841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rafael1679/assets/refs/heads/master/launcher.zip"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490427/; classtype:trojan-activity;sid:84353527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilganrat342/dertyom/refs/heads/main/setup.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490350/; classtype:trojan-activity;sid:84353450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rh/setup.exe"; depth:13; endswith; nocase; http.host; content:"d3cciiowg5l3jx.cloudfront.net"; depth:29; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490349/; classtype:trojan-activity;sid:84353449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kammywammyman/boyboy/main/chromeupdate.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490313/; classtype:trojan-activity;sid:84353413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tacocat2222/materia-fivem/refs/heads/main/loader.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490294/; classtype:trojan-activity;sid:84353394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3490235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl18"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_25; reference:url, urlhaus.abuse.ch/url/3490235/; classtype:trojan-activity;sid:84353335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/worakom99/carbon-executor/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489508/; classtype:trojan-activity;sid:84352608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jamescarlzafra/dx9ware-roblox/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489501/; classtype:trojan-activity;sid:84352601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toanminh2004/duan1/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489474/; classtype:trojan-activity;sid:84352574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tatooo29/loco/releases/download/v2.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489478/; classtype:trojan-activity;sid:84352578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmanykwim/simple-2/releases/download/v1.0/application.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489479/; classtype:trojan-activity;sid:84352579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cistelsa/predictive-sentiment-analysis-of-twitter-for-btc/releases/download/v1.0/software.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489480/; classtype:trojan-activity;sid:84352580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmanykwim/simple-proxytv/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489481/; classtype:trojan-activity;sid:84352581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cistelsa/predictive-sentiment-analysis-of-twitter-for-btc/releases/download/v2.0/software.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489471/; classtype:trojan-activity;sid:84352571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmanykwim/simple-proxytv/releases/download/v1.0/application.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489472/; classtype:trojan-activity;sid:84352572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489473)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmanykwim/simple-2/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489473/; classtype:trojan-activity;sid:84352573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/new/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489333/; classtype:trojan-activity;sid:84352433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akashnilrecovered/text-formatting-crash-course/releases/download/v2.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489336/; classtype:trojan-activity;sid:84352436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/akashnilrecovered/text-formatting-crash-course/releases/download/v1.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489340/; classtype:trojan-activity;sid:84352440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/new/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489331/; classtype:trojan-activity;sid:84352431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/laravel-authentication-breeze/releases/download/v1.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489310/; classtype:trojan-activity;sid:84352410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/fortify-auth-laravel/releases/download/v1.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489315/; classtype:trojan-activity;sid:84352415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/book-e-commerce/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489308/; classtype:trojan-activity;sid:84352408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489300)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/book-e-commerce/releases/download/v1.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489300/; classtype:trojan-activity;sid:84352400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/newlaravel/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489303/; classtype:trojan-activity;sid:84352403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samueltonao/frontendmentor/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489274/; classtype:trojan-activity;sid:84352374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/ui-package-email-verify/releases/download/v2.0/software.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489275/; classtype:trojan-activity;sid:84352375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489288)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/ui-package-email-verify/releases/download/v1.0/software.zip"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489288/; 
classtype:trojan-activity;sid:84352388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bootable_recovery/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489266/; classtype:trojan-activity;sid:84352366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489265)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hackslash-nitp/healthcare-web-page/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489265/; classtype:trojan-activity;sid:84352365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinycompress/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489263/; classtype:trojan-activity;sid:84352363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amandwivedi0/device_xiaomi_santoni/releases/download/v1.0/application.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489264/; classtype:trojan-activity;sid:84352364; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vyshnavidevi11/frtproject/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489245/; classtype:trojan-activity;sid:84352345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_build/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489247/; classtype:trojan-activity;sid:84352347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/laravel-ecommerce-project/releases/download/v1.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489251/; classtype:trojan-activity;sid:84352351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489252)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinycompress/releases/download/v1.0/application.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489252/; classtype:trojan-activity;sid:84352352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489253)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_build/releases/download/v1.0/application.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489253/; classtype:trojan-activity;sid:84352353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoiser1/proyecto_final/releases/download/v1.0/app.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489254/; classtype:trojan-activity;sid:84352354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489255)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_selinux/releases/download/v1.0/application.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489255/; classtype:trojan-activity;sid:84352355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_json-c/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489256/; classtype:trojan-activity;sid:84352356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489260)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/amandwivedi0/device_xiaomi_santoni/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489260/; classtype:trojan-activity;sid:84352360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinyxml/releases/download/v1.0/application.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489261/; classtype:trojan-activity;sid:84352361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoiser1/final/releases/download/v2.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489262/; classtype:trojan-activity;sid:84352362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yoiser1/proyecto_final/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489230/; classtype:trojan-activity;sid:84352330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bootable_recovery/releases/download/v1.0/application.zip"; depth:77; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489232/; classtype:trojan-activity;sid:84352332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bionic/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489240/; classtype:trojan-activity;sid:84352340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_sqlite/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489242/; classtype:trojan-activity;sid:84352342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/laravel-ecommerce-project/releases/download/v2.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489243/; classtype:trojan-activity;sid:84352343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_bionic/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489228/; classtype:trojan-activity;sid:84352328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eltrapico2/12-03assignment/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489214/; classtype:trojan-activity;sid:84352314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvm010/nucleus/releases/download/v1.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489215/; classtype:trojan-activity;sid:84352315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489218)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eltrapico2/eltrapico2/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489218/; classtype:trojan-activity;sid:84352318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puram-supriya/amazon/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489219/; classtype:trojan-activity;sid:84352319; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eltrapico2/fri-app/releases/download/v1.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489205/; classtype:trojan-activity;sid:84352305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puram-supriya/ecommerce/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489207/; classtype:trojan-activity;sid:84352307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/student-chicken/fit-track-goal-progress/releases/download/v1.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489211/; classtype:trojan-activity;sid:84352311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/puram-supriya/resume/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489212/; classtype:trojan-activity;sid:84352312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489202)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvm010/movie/releases/download/v1.0/software.zip"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489202/; classtype:trojan-activity;sid:84352302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/desmonsd/blazingtool/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489179/; classtype:trojan-activity;sid:84352279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boomerxd69/fixing-error-0xc00000ba/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489173/; classtype:trojan-activity;sid:84352273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manuxing/deploy-admin/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489175/; classtype:trojan-activity;sid:84352275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manuxing/manuxing/releases/download/v1.0/software.zip"; 
depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489166/; classtype:trojan-activity;sid:84352266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/matimazzia/worldgame-web/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489171/; classtype:trojan-activity;sid:84352271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489155)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yosif9999/hamster-clicker/releases/download/v3.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489155/; classtype:trojan-activity;sid:84352255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suffer220/bbuild/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489147/; classtype:trojan-activity;sid:84352247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/suffer220/bbuild/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3489149/; classtype:trojan-activity;sid:84352249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yosif9999/hamster-clicker/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489151/; classtype:trojan-activity;sid:84352251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drankrych/fakebtcsend/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489127/; classtype:trojan-activity;sid:84352227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atom3dx/array-base-scatter-filled/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489128/; classtype:trojan-activity;sid:84352228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lethanhdat0403/earnorm/releases/download/v1.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489131/; classtype:trojan-activity;sid:84352231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3489135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/firematheo00x/chat-app-mern/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489135/; classtype:trojan-activity;sid:84352235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monyigamer/bliss_browser_janet/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489137/; classtype:trojan-activity;sid:84352237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theboss6921/json-to-typescript/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489116/; classtype:trojan-activity;sid:84352216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monyigamer/bliss_browser_janet/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489118/; classtype:trojan-activity;sid:84352218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489120)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/firematheo00x/chat-app-mern/releases/download/v2.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489120/; classtype:trojan-activity;sid:84352220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theboss6921/json-to-typescript/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489121/; classtype:trojan-activity;sid:84352221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shirfor/autoforjob/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489106/; classtype:trojan-activity;sid:84352206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shirfor/autoforjob/releases/download/v1.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489107/; classtype:trojan-activity;sid:84352207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juliocesarmara/emojico/releases/download/v1.0/software.zip"; depth:59; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489098/; classtype:trojan-activity;sid:84352198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tatooo29/project-hub/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489088/; classtype:trojan-activity;sid:84352188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tatooo29/project-hub/releases/download/v1.0/application.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489083/; classtype:trojan-activity;sid:84352183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lucksssssss/flick_share/releases/download/v1.0/application.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489056/; classtype:trojan-activity;sid:84352156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basterfg/myproject/releases/download/v1.0/application.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3489049/; classtype:trojan-activity;sid:84352149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booody123/manual-brick-breaker/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489047/; classtype:trojan-activity;sid:84352147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pedrokax/webscraper-to-identify-which-girls-and-how-many-of-them-my-boyfriend-follows-on-github/releases/download/v1.0/application.zip"; depth:135; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489032/; classtype:trojan-activity;sid:84352132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nash-abella/organization-service/releases/download/v1.0.0/application.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489035/; classtype:trojan-activity;sid:84352135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oneshotviper24/g-n-rateur-de-robots.txt-et-sitemap.xml/releases/download/v1.0/application.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3489036/; classtype:trojan-activity;sid:84352136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nash-abella/organization-service/releases/download/v2.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489027/; classtype:trojan-activity;sid:84352127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489028)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pedrokax/webscraper-to-identify-which-girls-and-how-many-of-them-my-boyfriend-follows-on-github/releases/download/v2.0/software.zip"; depth:132; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489028/; classtype:trojan-activity;sid:84352128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oneshotviper24/g-n-rateur-de-robots.txt-et-sitemap.xml/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489029/; classtype:trojan-activity;sid:84352129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/majorclient/html-crypto-currency-chart-snippets/releases/download/v2.0/software.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; 
reference:url, urlhaus.abuse.ch/url/3488996/; classtype:trojan-activity;sid:84352096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whathedogding/bitpay-crypto-signal-trading-bot-analysis-signal-masters-trading-crypto/releases/download/v1.0/release.zip"; depth:121; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489002/; classtype:trojan-activity;sid:84352102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tailstheflyingfox/subghost/releases/download/v1.0/release.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489003/; classtype:trojan-activity;sid:84352103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basemnabill/stock-forecasting-rnn/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489005/; classtype:trojan-activity;sid:84352105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basemnabill/stock-forecasting-rnn/releases/download/v1.0/application.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3489007/; classtype:trojan-activity;sid:84352107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclearcatlegit/simple_bank/releases/download/v1.0/application.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489009/; classtype:trojan-activity;sid:84352109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seiolonmsk/contextindent.nvim/releases/download/v1.0/application.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489010/; classtype:trojan-activity;sid:84352110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zilts345890/golang-html-parsing/releases/download/v1.0/program.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489011/; classtype:trojan-activity;sid:84352111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whathedogding/bitpay-crypto-signal-trading-bot-analysis-signal-masters-trading-crypto/releases/download/v2.0/software.zip"; depth:122; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489014/; 
classtype:trojan-activity;sid:84352114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3489015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naiahahah/musicbox/releases/download/v1.0/release.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3489015/; classtype:trojan-activity;sid:84352115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nuclearcatlegit/simple_bank/releases/download/v2.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488994/; classtype:trojan-activity;sid:84352094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/seiolonmsk/contextindent.nvim/releases/download/v1.0/program.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488995/; classtype:trojan-activity;sid:84352095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/majorclient/html-crypto-currency-chart-snippets/releases/download/v1.0/release.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488983/; classtype:trojan-activity;sid:84352083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3488966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peloixitu35/javascript-questions-pro/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488966/; classtype:trojan-activity;sid:84352066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/peloixitu35/javascript-questions-pro/releases/download/v1.0/program.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488969/; classtype:trojan-activity;sid:84352069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/finn9633/batchgenie/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488940/; classtype:trojan-activity;sid:84352040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/konnuyu/0xbuilder/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488941/; classtype:trojan-activity;sid:84352041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488943)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/rakkunsatura/p.e.n.i.s./releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488943/; classtype:trojan-activity;sid:84352043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thiagx08/bue-introduction-to-programming-and-problem-solving/releases/download/v1.0/release_x64.zip"; depth:100; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488945/; classtype:trojan-activity;sid:84352045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t7dela/shadowtool/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488926/; classtype:trojan-activity;sid:84352026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samix151210/ndarray-base-normalize-indices/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488890/; classtype:trojan-activity;sid:84351990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488880)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/asdadadsaasdsadas991/database-project/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488880/; classtype:trojan-activity;sid:84351980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/merosegamerx/pizza_webapp/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488874/; classtype:trojan-activity;sid:84351974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/merosegamerx/pizza_webapp/releases/download/v1.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488879/; classtype:trojan-activity;sid:84351979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/astral-ash/deployeride-erc20-toolkit/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488849/; classtype:trojan-activity;sid:84351949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feelingfishy/challenge-backend-anotaai/releases/download/v2.0/software.zip"; depth:75; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488821/; classtype:trojan-activity;sid:84351921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nsgaming999/lottery/releases/download/v1.0/application.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488822/; classtype:trojan-activity;sid:84351922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruka232323/network-traffic-visualizer/releases/download/v1.0/application.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488799/; classtype:trojan-activity;sid:84351899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feelingfishy/challenge-backend-anotaai/releases/download/v1.0/application.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488800/; classtype:trojan-activity;sid:84351900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488806)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pietro152/tgbot-for-orders/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488806/; classtype:trojan-activity;sid:84351906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nsgaming999/lottery/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488793/; classtype:trojan-activity;sid:84351893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hza3o/covid-19_dashboard/releases/download/v1.0.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488780/; classtype:trojan-activity;sid:84351880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1set-t/ai-model/releases/download/v1.0.0/application.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488765/; classtype:trojan-activity;sid:84351865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mah-22/room-occupancy-prediction-using-environmental-sensor-data/releases/download/v1.0/application.zip"; depth:104; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488755/; 
classtype:trojan-activity;sid:84351855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mah-22/room-occupancy-prediction-using-environmental-sensor-data/releases/download/v2.0/software.zip"; depth:101; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488746/; classtype:trojan-activity;sid:84351846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serbianty/eureka-framework/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488752/; classtype:trojan-activity;sid:84351852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jaylnjohnart/vertex-ai-chat-prompting-tablular-data-bq/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488729/; classtype:trojan-activity;sid:84351829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrx-slayer/ai-resume-parser/releases/download/v1.0/application.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488730/; classtype:trojan-activity;sid:84351830; rev:1;) 
# NOTE(review): each rule below is an exact-match indicator, not a pattern.
#   - http.uri: depth:N equals the length of the listed path and is paired with
#     endswith, so the request URI must equal that path exactly (nocase applies
#     to this content). A request carrying anything after the path, such as a
#     query string, is not covered.
#   - http.host: depth:10 plus isdataat:!1,relative pins the host buffer to
#     exactly "github.com".
# NOTE(review): these are `alert http` signatures, so they only fire where the
# sensor sees the HTTP request itself. Presumably that means TLS decryption in
# front of the sensor for github.com traffic. Confirm for your deployment, and
# consider matching the same paths in proxy or endpoint download logs as a backstop.
# Every entry in this run carries metadata created_at 2025_03_24.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/papajszef/web-devapp/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488733/; classtype:trojan-activity;sid:84351833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gopuatop100/badan-hukum/releases/download/v1.0/release.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488734/; classtype:trojan-activity;sid:84351834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jobetsison/working-with-form-validation-in-an-asp.net-core-rich-text-editor/releases/download/v1.0/program.zip"; depth:111; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488735/; classtype:trojan-activity;sid:84351835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/papajszef/web-devapp/releases/download/v1.0/application.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488736/; classtype:trojan-activity;sid:84351836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3488739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrx-slayer/ai-resume-parser/releases/download/v1.0/program.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488739/; classtype:trojan-activity;sid:84351839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/as3dyasen/portfolio/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488740/; classtype:trojan-activity;sid:84351840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/as3dyasen/portfolio/releases/download/v1.0/release.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488742/; classtype:trojan-activity;sid:84351842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gopuatop100/badan-hukum/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488725/; classtype:trojan-activity;sid:84351825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488722)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jaylnjohnart/vertex-ai-chat-prompting-tablular-data-bq/releases/download/v1.0/program.zip"; depth:90; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488722/; classtype:trojan-activity;sid:84351822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/papajszef/web-devapp/releases/download/v1.0/program.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488723/; classtype:trojan-activity;sid:84351823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azw1/suction-funnel-for-bosch-click-clean-system/releases/download/v1.0/program.zip"; depth:84; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488720/; classtype:trojan-activity;sid:84351820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zrty456/web-development-project-2/releases/download/v1.0/program.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488711/; classtype:trojan-activity;sid:84351811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488712)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tekin441/urban_company_clone/releases/download/v1.0/program.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488712/; classtype:trojan-activity;sid:84351812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tekin441/urban_company_clone/releases/download/v1.0/application.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488713/; classtype:trojan-activity;sid:84351813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flameoptics/xkucoinbot-script-autoclicker/releases/download/v1.0/program.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488714/; classtype:trojan-activity;sid:84351814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flameoptics/xkucoinbot-script-autoclicker/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488716/; classtype:trojan-activity;sid:84351816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488717)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/psxdupes028/comfyui-bs_kokoro-onnx/releases/download/v1.0/application.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488717/; classtype:trojan-activity;sid:84351817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zrty456/web-development-project-2/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488706/; classtype:trojan-activity;sid:84351806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azw1/suction-funnel-for-bosch-click-clean-system/releases/download/v1.0/application.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488708/; classtype:trojan-activity;sid:84351808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azw1/suction-funnel-for-bosch-click-clean-system/releases/download/v2.0/software.zip"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488703/; classtype:trojan-activity;sid:84351803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488704)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/psxdupes028/comfyui-bs_kokoro-onnx/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488704/; classtype:trojan-activity;sid:84351804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/psxdupes028/comfyui-bs_kokoro-onnx/releases/download/v1.0/program.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488699/; classtype:trojan-activity;sid:84351799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antonio12gkn71/underlayer/releases/download/v1.0/application.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488684/; classtype:trojan-activity;sid:84351784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sundarlalji/autoimport/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488686/; classtype:trojan-activity;sid:84351786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sundarlalji/autoimport/releases/download/v1.0.0/application.zip"; depth:64; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488682/; classtype:trojan-activity;sid:84351782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antonio12gkn71/underlayer/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488679/; classtype:trojan-activity;sid:84351779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hadesxyzz/baichuan-m1-14b/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488674/; classtype:trojan-activity;sid:84351774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hadesxyzz/baichuan-m1-14b/releases/download/v1.0/application.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488663/; classtype:trojan-activity;sid:84351763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/samueltonao/lauth/releases/download/v1.0/application.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3488666/; classtype:trojan-activity;sid:84351766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muum1209/couplers/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488647/; classtype:trojan-activity;sid:84351747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/npcgamingyt-thegoat/telegram-robot-handler/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488654/; classtype:trojan-activity;sid:84351754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/npcgamingyt-thegoat/telegram-robot-handler/releases/download/v1.0/application.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488643/; classtype:trojan-activity;sid:84351743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18630095/software.zip"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488636/; classtype:trojan-activity;sid:84351736; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericsribas/linux-studies/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488637/; classtype:trojan-activity;sid:84351737; rev:1;)
# NOTE(review): identical match conditions appear under different SIDs in this feed.
# The rule that ends on the line above (sid 84351737) has the same http.uri and
# http.host content as sid 84351699 further down, and sid 84351732 below repeats
# sid 84351736 earlier in the file. A single matching request raises one alert per
# SID, so aggregate on URI + host when counting hits. Each SID carries its own
# URLhaus reference, so keep both enabled if analysts pivot on that reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dasara21/hypermatch/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488630/; classtype:trojan-activity;sid:84351730; rev:1;)
# Same URI and host as sid 84351736 (URLhaus entry 3488636).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488632)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18630095/software.zip"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488632/; classtype:trojan-activity;sid:84351732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brevidade/fleet-pattern/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488634/; classtype:trojan-activity;sid:84351734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488620)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/saninmysore/aws-face-recognition/releases/download/v1.0/software.zip/"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488620/; classtype:trojan-activity;sid:84351720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ericsribas/linux-studies/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488599/; classtype:trojan-activity;sid:84351699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v1.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488602/; classtype:trojan-activity;sid:84351702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/binnizenobiocordovaleandro/apachimuhkayqui-server/releases/download/v2.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488605/; classtype:trojan-activity;sid:84351705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488606)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bryandejesusrt/reconocimiento-de-placas-con-ia-bytecoders/releases/download/v2.0/software.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488606/; classtype:trojan-activity;sid:84351706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boomerxd69/amog-os-lts/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488608/; classtype:trojan-activity;sid:84351708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roblox12400z/dx9ware-roblox/releases/download/v1.0/app.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488609/; classtype:trojan-activity;sid:84351709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasonsh2450/bananan-shooter-hack-interna-/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488614/; classtype:trojan-activity;sid:84351714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18722098/application.zip"; depth:48; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488615/; classtype:trojan-activity;sid:84351715; rev:1;)
# NOTE(review): the /user-attachments/files/18722098/ rules (sid 84351715, which
# ends on the line above, and sid 84351695 below) carry only a numeric file id in
# the URI, with no account or repository name. The alert alone therefore does not
# show where the file was linked from; use the URLhaus reference in each rule for
# that context. Both SIDs have identical match conditions and fire together on
# one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/18722098/application.zip"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488595/; classtype:trojan-activity;sid:84351695; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/razzisproatgaming/hacathon-backend-smit/releases/download/v1.0/application.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488582/; classtype:trojan-activity;sid:84351682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/farizalsalman21/keon/releases/download/v2.0/release_x64.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488567/; classtype:trojan-activity;sid:84351667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/razzisproatgaming/hacathon-backend-smit/releases/download/v2.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; 
reference:url, urlhaus.abuse.ch/url/3488580/; classtype:trojan-activity;sid:84351680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nass3344/trello-like-api/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488548/; classtype:trojan-activity;sid:84351648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toe2132313/zorvex-cat/releases/download/v1.0/software.zip/"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488549/; classtype:trojan-activity;sid:84351649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xaviertya/.dotfiles/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488550/; classtype:trojan-activity;sid:84351650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zilts345890/golang-html-parsing/releases/download/v2.0/software.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488552/; classtype:trojan-activity;sid:84351652; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naiahahah/musicbox/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488555/; classtype:trojan-activity;sid:84351655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xaviertya/.dotfiles/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488533/; classtype:trojan-activity;sid:84351633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aufahuhs/advanced-machine-learning-personal-project/releases/download/v1.0/software.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488537/; classtype:trojan-activity;sid:84351637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggusercool/pancakeswapbnbprediction/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488543/; classtype:trojan-activity;sid:84351643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488511)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12301530/pump-fun-frontend/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488511/; classtype:trojan-activity;sid:84351611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giiyu12/codex-roblox/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488477/; classtype:trojan-activity;sid:84351577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahulpa045/cphishtermux/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488478/; classtype:trojan-activity;sid:84351578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davinjoeevano/batch-project-scaffolds/releases/download/v2.0/software.zip/"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488483/; classtype:trojan-activity;sid:84351583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488487)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488487/; classtype:trojan-activity;sid:84351587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bashspicerb/quasarrat-remote-access-tool/releases/download/v2.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488488/; classtype:trojan-activity;sid:84351588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vyshnavidevi11/frtproject/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488490/; classtype:trojan-activity;sid:84351590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/githubtutorial/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488496/; classtype:trojan-activity;sid:84351596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488497)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/globalnewsory/layeredge-auto-bot/releases/download/v2.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488497/; classtype:trojan-activity;sid:84351597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinyxml/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488501/; classtype:trojan-activity;sid:84351601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/muterfree/nexus-roblox/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488470/; classtype:trojan-activity;sid:84351570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agr1us/roblox-oxygen/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488471/; classtype:trojan-activity;sid:84351571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loudwens/displayindex/releases/download/v2.0/software.zip/"; depth:59; endswith; nocase; http.host; 
content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488460/; classtype:trojan-activity;sid:84351560; rev:1;)
# How these rules match: in http.uri the depth value equals the length of the
# content string and endswith pins the end of the string to the end of the buffer,
# so the whole URI has to equal the string (case-insensitively, via nocase). A
# request for the same file with a query string or any extra path segment does not
# match. http.host is pinned the same way by depth plus isdataat:!1,relative, so
# only the exact host "github.com" qualifies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v2.0/program.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488443/; classtype:trojan-activity;sid:84351543; rev:1;)
# The next two rules differ only in the trailing "/" (59 vs 58 bytes). Because the
# match is exact, each reported form of the URL gets its own signature; a variant
# that was never reported to the feed is not covered by either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488436)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elijahhx/dead1ock-h4ck/releases/download/v2.0/program.zip/"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488436/; classtype:trojan-activity;sid:84351536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elijahhx/dead1ock-h4ck/releases/download/v2.0/program.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488433/; classtype:trojan-activity;sid:84351533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rag7720/coretech-solutions-custom-odoo-module/releases/download/v1.0/software.zip"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, 
urlhaus.abuse.ch/url/3488426/; classtype:trojan-activity;sid:84351526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/notready155/whatsapp-chat-analysis/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488368/; classtype:trojan-activity;sid:84351468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilovedoo/ted-lasso-gpt/releases/download/v1.0/application.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488350/; classtype:trojan-activity;sid:84351450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerovr988/apaphx_ads1015/releases/download/v1.0/application.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488355/; classtype:trojan-activity;sid:84351455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilovedoo/ted-lasso-gpt/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488360/; classtype:trojan-activity;sid:84351460; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zerovr988/apaphx_ads1015/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488363/; classtype:trojan-activity;sid:84351463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigdaveyy/react-form-validator-pro/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488346/; classtype:trojan-activity;sid:84351446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin49/gym-management-system-/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488334/; classtype:trojan-activity;sid:84351434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yunichi/livekit-voice-ai-agent-setup/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488325/; classtype:trojan-activity;sid:84351425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488309)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dianfauzi16/school-project/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488309/; classtype:trojan-activity;sid:84351409; rev:1;)
# NOTE(review): the line above and the last line of this span are fragments of rules
# that begin before / continue after this excerpt; they are kept verbatim. Line breaks
# have been restored so that each complete rule sits on its own line.
#
# Each complete rule below alerts on an established, client-to-server HTTP GET from
# $HOME_NET to $EXTERNAL_NET where:
#   - http.uri equals the quoted path, compared case-insensitively (nocase). depth is
#     equal to the content length and endswith anchors the end, so this is a
#     whole-buffer match rather than a substring match.
#   - http.host equals the quoted host. depth is equal to the content length and
#     isdataat:!1,relative requires that no byte follows the match, so longer host
#     values are rejected.
# The number in msg and in the reference URL is the URLhaus entry id; in every rule
# visible here sid = that id + 80863100, which lets an alert be mapped back to its entry.
#
# Coverage caveat: these are `alert http` signatures, so they can only fire when the
# sensor sees the request as cleartext HTTP. github.com is normally reached over HTTPS,
# so without TLS inspection in front of the sensor the github.com entries are unlikely
# to match; proxy or endpoint logs for the same URLs cover that gap. Each rule also
# matches one exact path, so a renamed repository or asset is not covered until the
# feed lists it.
# NOTE(review): the header describes a periodically updated feed, so local tuning
# presumably belongs in per-sid suppress/threshold configuration rather than in edits
# to this file - confirm against how the ruleset is deployed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488307)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thandoman/seedtool/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488307/; classtype:trojan-activity;sid:84351407; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thandoman/seedtool/releases/download/v1.0/application.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488304/; classtype:trojan-activity;sid:84351404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488294)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/solana-trading-bot/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488294/; classtype:trojan-activity;sid:84351394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488268)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bashspicerb/quasarrat-remote-access-tool/releases/download/v1.0/installer.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488268/; classtype:trojan-activity;sid:84351368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marig1204/dmail_classicemail/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488269/; classtype:trojan-activity;sid:84351369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itztoastie/email2_classicemail/releases/download/v1.0/installer.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488273/; classtype:trojan-activity;sid:84351373; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488278)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/solana-trading-bot/releases/download/v1.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488278/; classtype:trojan-activity;sid:84351378; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cartervr/taxdatabase-sql-tableau/releases/download/v1.0/release.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488282/; classtype:trojan-activity;sid:84351382; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itztoastie/email2_classicemail/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488264/; classtype:trojan-activity;sid:84351364; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488261)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bashspicerb/quasarrat-remote-access-tool/releases/download/v2.0/software.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488261/; classtype:trojan-activity;sid:84351361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pyc888/dbcachinglayer/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488243/; classtype:trojan-activity;sid:84351343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bolfymcplayer/intermag/releases/download/v1.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488233/; classtype:trojan-activity;sid:84351333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bolfymcplayer/intermag/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488234/; classtype:trojan-activity;sid:84351334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pyc888/dbcachinglayer/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488239/; classtype:trojan-activity;sid:84351339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kirito1110/licenses/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488214/; classtype:trojan-activity;sid:84351314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsparedes/pycalc/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488213/; classtype:trojan-activity;sid:84351313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skibiditoilet123xx/sinav-otomasyonu-prototip/releases/download/v2.0/software.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488208/; classtype:trojan-activity;sid:84351308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skibiditoilet123xx/sinav-otomasyonu-prototip/releases/download/v1.0/software.zip"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488209/; classtype:trojan-activity;sid:84351309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fluidx2/roombooking_application/releases/download/v1.0/software.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488210/; classtype:trojan-activity;sid:84351310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488211)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/viper700pro/serum-vst-installer-2024-free/releases/download/v1.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488211/; classtype:trojan-activity;sid:84351311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488203)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ella00311/erugo/releases/download/v1.0/software.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488203/; classtype:trojan-activity;sid:84351303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nour10381/cosmicstar/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488182/; classtype:trojan-activity;sid:84351282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nour10381/cosmicstar/releases/download/v1.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488184/; classtype:trojan-activity;sid:84351284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/powerangermerah/esp8266_esp32_web_file_manager/releases/download/v1.0/software.zip"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488186/; classtype:trojan-activity;sid:84351286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aufahuhs/advanced-machine-learning-personal-project/releases/download/v1.0/software.zip"; depth:88; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488181/; classtype:trojan-activity;sid:84351281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/berstarhunter/deepseek-start/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488162/; classtype:trojan-activity;sid:84351262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeremiah95676t/openmetadata-helm-argocd/releases/download/v2.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488161/; classtype:trojan-activity;sid:84351261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davinjoeevano/batch-project-scaffolds/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488157/; classtype:trojan-activity;sid:84351257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irfanr-source/synthtweet/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488156/; classtype:trojan-activity;sid:84351256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arya-gg/axium/releases/download/v1.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488147/; classtype:trojan-activity;sid:84351247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488148)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/davinjoeevano/batch-project-scaffolds/releases/download/v1.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488148/; classtype:trojan-activity;sid:84351248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeremiah95676t/openmetadata-helm-argocd/releases/download/v1.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488149/; classtype:trojan-activity;sid:84351249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/berstarhunter/deepseek-start/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488152/; classtype:trojan-activity;sid:84351252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toe2132313/zorvex-cat/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488153/; classtype:trojan-activity;sid:84351253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irfanr-source/synthtweet/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488146/; classtype:trojan-activity;sid:84351246; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loudwens/displayindex/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488128/; classtype:trojan-activity;sid:84351228; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12301530/pump-fun-frontend/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488131/; classtype:trojan-activity;sid:84351231; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loudwens/displayindex/releases/download/v1.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488132/; classtype:trojan-activity;sid:84351232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iguit-1/instagramuseranalysis/releases/download/v2.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488134/; classtype:trojan-activity;sid:84351234; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lleonex/marsdevx/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488114/; classtype:trojan-activity;sid:84351214; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saninmysore/aws-face-recognition/releases/download/v1.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488103/; classtype:trojan-activity;sid:84351203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flarerealfr/url-biblioteca-web/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488110/; classtype:trojan-activity;sid:84351210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huizuohaode/leaf/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488100/; classtype:trojan-activity;sid:84351200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maxiazzinnari/mint-nft-on-sui/releases/download/v2.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488090/; classtype:trojan-activity;sid:84351190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alsooory/svg-templates/releases/download/v1.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488079/; classtype:trojan-activity;sid:84351179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moshe236/vanishmail/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488083/; classtype:trojan-activity;sid:84351183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bobbysaremine/hb2/releases/download/v2.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488085/; classtype:trojan-activity;sid:84351185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manuxing/cloudflare-dns-swarm/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488088/; classtype:trojan-activity;sid:84351188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_airbnb-lottie/releases/download/v2.0/software.zip"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488075/; classtype:trojan-activity;sid:84351175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ayobcoding/deep-research-py/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488061/; classtype:trojan-activity;sid:84351161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kossiw/olievra/releases/download/v1.0/software.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488035/; classtype:trojan-activity;sid:84351135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rila111/content2map/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488024/; classtype:trojan-activity;sid:84351124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alfa786-creator/pic-squeeze/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488025/; classtype:trojan-activity;sid:84351125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcaptain27/lianjiascraper/releases/download/v1.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488030/; classtype:trojan-activity;sid:84351130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yogeshnicks/loader-ldtk/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488034/; classtype:trojan-activity;sid:84351134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vukhang16/ggg/releases/download/v1.0/software.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488023/; classtype:trojan-activity;sid:84351123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titiaswe12/rozetka-admin-panel/releases/download/v2.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488010/; classtype:trojan-activity;sid:84351110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/perish76b/ratter-app/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488018/; classtype:trojan-activity;sid:84351118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3488000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/invenstock/releases/download/v1.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3488000/; classtype:trojan-activity;sid:84351100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/titiaswe12/rozetka-admin-panel/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487995/; classtype:trojan-activity;sid:84351095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeidmakic/quorixjwt/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487983/; classtype:trojan-activity;sid:84351083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zeidmakic/quorixjwt/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487977/; classtype:trojan-activity;sid:84351077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amoni2019/fonepaw-screen-recorder-free/releases/download/v1.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487974/; classtype:trojan-activity;sid:84351074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brotimer24/chargingassignment.withtests/releases/download/v1.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487975/; classtype:trojan-activity;sid:84351075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mkiuk/jullus2api/releases/download/v1.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487961/; classtype:trojan-activity;sid:84351061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brotimer24/chargingassignment.withtests/releases/download/v2.0/software.zip"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487950/; classtype:trojan-activity;sid:84351050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amoni2019/fonepaw-screen-recorder-free/releases/download/v2.0/software.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487952/; classtype:trojan-activity;sid:84351052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daveyisbricked/movie-finder-react/releases/download/v1.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487953/; classtype:trojan-activity;sid:84351053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daveyisbricked/movie-finder-react/releases/download/v2.0/software.zip"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487954/; classtype:trojan-activity;sid:84351054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jay3x/auto-commit/releases/download/v1.0/software.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487955/; classtype:trojan-activity;sid:84351055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/okijuinhbugvygbuhi/concept/releases/download/v2.0/software.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487943/; classtype:trojan-activity;sid:84351043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hafijulkhan786/fhnw-dashboard/releases/download/v2.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487944/; classtype:trojan-activity;sid:84351044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iampriam-dev/invenstock/releases/download/v2.0/software.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487935/; classtype:trojan-activity;sid:84351035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yourmumsbad/testkanban/releases/download/v1.0/app.zip"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487937/; classtype:trojan-activity;sid:84351037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justnem/deep-research/releases/download/v2.0/software.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487930/; classtype:trojan-activity;sid:84351030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rofix12/spring-microservices/releases/download/v2.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487931/; classtype:trojan-activity;sid:84351031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justnem/deep-research/releases/download/v1.0/app.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487929/; classtype:trojan-activity;sid:84351029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mkiuk/jullus2api/releases/download/v2.0/software.zip"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487927/; classtype:trojan-activity;sid:84351027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeff2807/githubaipy/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487918/; classtype:trojan-activity;sid:84351018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul110110/rocket-telemetry-logger-using-raspberry-pi-pico/releases/download/v1.0/software.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487920/; classtype:trojan-activity;sid:84351020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jeff2807/githubaipy/releases/download/v2.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487921/; classtype:trojan-activity;sid:84351021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rofix12/spring-microservices/releases/download/v1.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487909/; classtype:trojan-activity;sid:84351009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahul110110/rocket-telemetry-logger-using-raspberry-pi-pico/releases/download/v2.0/software.zip"; depth:96; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487905/; classtype:trojan-activity;sid:84351005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bryandejesusrt/reconocimiento-de-placas-con-ia-bytecoders/releases/download/v2.0/software.zip"; depth:94; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_24; reference:url, urlhaus.abuse.ch/url/3487902/; classtype:trojan-activity;sid:84351002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wer812/vbvgghjjio999000/raw/refs/heads/main/bnoaprihjatuasss.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3487363/; classtype:trojan-activity;sid:84350463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wer812/bbgy555555551/raw/refs/heads/main/ntladlklthawd.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3487364/; classtype:trojan-activity;sid:84350464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3487069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl19"; depth:5; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_23; reference:url, urlhaus.abuse.ch/url/3487069/; classtype:trojan-activity;sid:84350169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3486184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilganrat342/dgasgxc/refs/heads/main/setup.exe"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2025_03_22; reference:url, urlhaus.abuse.ch/url/3486184/; classtype:trojan-activity;sid:84349284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdqsadsdahhhhhtxt"; depth:19; endswith; nocase; http.host; content:"8.218.50.207"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485330/; classtype:trojan-activity;sid:84348430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps_z.txt"; depth:9; endswith; nocase; http.host; content:"8.218.50.207"; depth:12; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485329/; classtype:trojan-activity;sid:84348429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curly3/n3xus-scr1pt-r0bl0x/releases/download/v1.0/application.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485213/; classtype:trojan-activity;sid:84348313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roblox12400z/dx9ware-roblox/releases/download/v1.0/app.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485214/; classtype:trojan-activity;sid:84348314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3485196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massambaf/dx9ware-roblox/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485196/; classtype:trojan-activity;sid:84348296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khalid2344/mint-executor/releases/download/v2.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485193/; classtype:trojan-activity;sid:84348293; rev:1;)
# NOTE(review): in the drive.google.com rules that follow (sid 84348244, sid 84348226 and the
# rule for URLhaus entry 3485125), the http.uri pattern contains |7c|26|7c|. |7c| is the hex
# escape for the pipe character, so the pattern decodes to the literal text "|26|" between
# "download" and "id=", not to "&" (0x26). This looks like a double-escaping artifact in the
# rule generator - confirm upstream. As written, a request that uses "&" as the separator
# does not match; the intended escape is presumably |26|. The same escaping appears in the
# other drive.google.com rules in this file.
# depth:68 equals the length of the escaped pattern text, while the decoded pattern is 59
# bytes, so depth plus endswith no longer pins the pattern to the start of the URI the way
# it does in the rules whose patterns contain no hex escapes.
# These are "alert http" rules: for hosts that are reached over HTTPS they can only match
# where the sensor sees decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1k4idibw1vtsntpbqtvbfabfgm2h5s14d"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485144/; classtype:trojan-activity;sid:84348244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1km_hwk7sn_amuk7q2dk9kttzwk1taelw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485126/; classtype:trojan-activity;sid:84348226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3485125)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ek4th7ucqd9_h2yf9orhzhuallukeo0n"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3485125/; classtype:trojan-activity;sid:84348225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3484465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stepegemeyod/codex-roblox/releases/download/v1.0.2/release-x64.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3484465/; classtype:trojan-activity;sid:84347565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3484464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stepegemeyod/codex-roblox/releases/download/v1.0.1/release-x64.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_21; reference:url, urlhaus.abuse.ch/url/3484464/; classtype:trojan-activity;sid:84347564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v2.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483995/; classtype:trojan-activity;sid:84347095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v3.0/software.zip"; depth:64; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483984/; classtype:trojan-activity;sid:84347084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483980)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoodxsp5dda/domain-executor/releases/download/v1.0/software.zip"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483980/; classtype:trojan-activity;sid:84347080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1q6iji-1uq5ksrr3luufy3to-jfs4ec4d"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483406/; classtype:trojan-activity;sid:84346506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1inbpqtz2qyus0zqldnbhutbzwgdghhs0"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483319/; classtype:trojan-activity;sid:84346419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1g4q6iay5qjzlgigjqnwftkdc5-o_2pqx"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; 
metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483317/; classtype:trojan-activity;sid:84346417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3483309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1cl-nvhrrue_wg2zkpuxmvk40tk3knacb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_20; reference:url, urlhaus.abuse.ch/url/3483309/; classtype:trojan-activity;sid:84346409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omio-saha/spotify_data_pipe_snowflake/releases/download/v1.0/release_x64.zip"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482360/; classtype:trojan-activity;sid:84345460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v1.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482367/; classtype:trojan-activity;sid:84345467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qaqmmw/music-recommendation-based-on-facial-expression/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_19; 
reference:url, urlhaus.abuse.ch/url/3482368/; classtype:trojan-activity;sid:84345468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482262)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/sunrise/xundfaxgnsp84.bin"; depth:46; endswith; nocase; http.host; content:"www.automobile-bk.de"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482262/; classtype:trojan-activity;sid:84345362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3482257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bear/2020/goldarnedest.aca"; depth:27; endswith; nocase; http.host; content:"www.support-data.com"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3482257/; classtype:trojan-activity;sid:84345357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3481956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/numonehittaboy/cdn/refs/heads/main/cvf.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_19; reference:url, urlhaus.abuse.ch/url/3481956/; classtype:trojan-activity;sid:84345056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3481600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.218.189.41"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_18; reference:url, urlhaus.abuse.ch/url/3481600/; classtype:trojan-activity;sid:84344700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3481344)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alishazara/api/refs/heads/master/rh_s.txt"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_03_18; reference:url, urlhaus.abuse.ch/url/3481344/; classtype:trojan-activity;sid:84344444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/u/raw/main/ud.bat"; depth:25; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480616/; classtype:trojan-activity;sid:84343716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elijahhx/dead1ock-h4ck/releases/download/v2.0/program.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480361/; classtype:trojan-activity;sid:84343461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dasara21/hypermatch/releases/download/v1.0/software.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480322/; classtype:trojan-activity;sid:84343422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gollfinho/browser-testing/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; 
http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480274/; classtype:trojan-activity;sid:84343374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3480243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/monggosporlyp/circlexo/releases/download/v1.2/soft.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_17; reference:url, urlhaus.abuse.ch/url/3480243/; classtype:trojan-activity;sid:84343343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/farizalsalman21/keon/releases/download/v2.0/release_x64.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475894/; classtype:trojan-activity;sid:84338994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufferfish420/fixing-error-0x8007000e/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475656/; classtype:trojan-activity;sid:84338756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/githubtutorial/releases/download/v2.0/software.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, 
urlhaus.abuse.ch/url/3475642/; classtype:trojan-activity;sid:84338742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attorneywenn/pragati_backend_2025/releases/download/v2.0/application.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475645/; classtype:trojan-activity;sid:84338745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufferfish420/fixing-error-0x8007000e/releases/download/v2.0/program.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475646/; classtype:trojan-activity;sid:84338746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_selinux/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475651/; classtype:trojan-activity;sid:84338751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coltostemp/platform_external_tinyxml/releases/download/v2.0/software.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475630/; classtype:trojan-activity;sid:84338730; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vyshnavidevi11/frtproject/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475631/; classtype:trojan-activity;sid:84338731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mehedihasanfarabi10/realtime-chat-app/releases/download/v2.0/software.zip"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475635/; classtype:trojan-activity;sid:84338735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/itznaviya/hamster-kombat-bot/releases/download/v3.0/software.zip"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475636/; classtype:trojan-activity;sid:84338736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasonsh2450/fixing-error-0x80070005-access-denied/releases/download/v2.0/software.zip"; depth:86; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475637/; classtype:trojan-activity;sid:84338737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3475639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toanminh2004/fixing-error-0x80070424-specified-service/releases/download/v2.0/software.zip"; depth:91; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475639/; classtype:trojan-activity;sid:84338739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naiahahah/musicbox/releases/download/v2.0/software.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475615/; classtype:trojan-activity;sid:84338715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kasonsh2450/bananan-shooter-hack-interna-/releases/download/v2.0/software.zip"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475620/; classtype:trojan-activity;sid:84338720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3475623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zilts345890/golang-html-parsing/releases/download/v2.0/software.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_13; reference:url, urlhaus.abuse.ch/url/3475623/; classtype:trojan-activity;sid:84338723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474801)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/muterfree/nexus-roblox/releases/download/v2.0/software.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474801/; classtype:trojan-activity;sid:84337901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/giiyu12/codex-roblox/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474808/; classtype:trojan-activity;sid:84337908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agr1us/roblox-oxygen/releases/download/v2.0/software.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474817/; classtype:trojan-activity;sid:84337917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3474749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ishratali007/n3xus-scr1pt-r0bl0x/releases/download/v1.0/software.zip"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_12; reference:url, urlhaus.abuse.ch/url/3474749/; classtype:trojan-activity;sid:84337849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cartervr/taxdatabase-sql-tableau/releases/download/v2.0/software.zip"; depth:69; endswith; 
nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473787/; classtype:trojan-activity;sid:84336887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggusercool/pancakeswapbnbprediction/releases/download/v2.0/software.zip"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473766/; classtype:trojan-activity;sid:84336866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nass3344/trello-like-api/releases/download/v1.0/software.zip"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473767/; classtype:trojan-activity;sid:84336867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/huizuohaode/ai-image-generator/releases/download/v1.0/software.zip"; depth:67; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473774/; classtype:trojan-activity;sid:84336874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yosif9999/hamster-clicker/releases/download/v2.0/software.zip"; depth:62; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; 
reference:url, urlhaus.abuse.ch/url/3473777/; classtype:trojan-activity;sid:84336877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/led-sol/mental-health-chatbot/releases/download/v1.0/software.zip"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473779/; classtype:trojan-activity;sid:84336879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ovluq0bdu-cys5xvyogyjd5qidqb1per"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_11; reference:url, urlhaus.abuse.ch/url/3473576/; classtype:trojan-activity;sid:84336676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3473160)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1d4aper-gjv3agk8yeny5scayonlc68yo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_10; reference:url, urlhaus.abuse.ch/url/3473160/; classtype:trojan-activity;sid:84336260; rev:1;)
# NOTE(review): the rule that follows (URLhaus entry 3472675, continued on the next line)
# matches a release asset under the xmrig/xmrig repository path on github.com. As written it
# alerts with classtype trojan-activity on any GET for that asset, whoever initiates it.
# Presumably the URL is listed because droppers fetch the miner from there - confirm against
# the URLhaus entry. Triage hits against hosts where mining software is expected or
# sanctioned before treating them as an infection.
# This is an "alert http" rule for a host that is reached over HTTPS, so it can only match
# where the sensor sees decrypted HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3472675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_10; reference:url, urlhaus.abuse.ch/url/3472675/; 
classtype:trojan-activity;sid:84335775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3469685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"128.127.102.134"; depth:15; isdataat:!1,relative; metadata:created_at 2025_03_06; reference:url, urlhaus.abuse.ch/url/3469685/; classtype:trojan-activity;sid:84332785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3468872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xraqwapfu.pdf"; depth:14; endswith; nocase; http.host; content:"galerisenimutiara.com"; depth:21; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3468872/; classtype:trojan-activity;sid:84331972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3468005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7.nn"; depth:8; endswith; nocase; http.host; content:"gobiotechpestcontrol.com"; depth:24; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3468005/; classtype:trojan-activity;sid:84331105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1eczx8yjtfxwos26grqtdixajed3ukcao"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467628/; classtype:trojan-activity;sid:84330728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467629)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1drptefwc7xybtum52bikrhp4j4l6lttc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467629/; classtype:trojan-activity;sid:84330729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467546)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2d42ffe-779b-4107-ac42-7f36375aab37/downloads/fojik.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467546/; classtype:trojan-activity;sid:84330646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/61705749605.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467537/; classtype:trojan-activity;sid:84330637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/dd3b43cd-389e-413e-87b9-e21f40c2630d/downloads/guledazawabumoda.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467538/; classtype:trojan-activity;sid:84330638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467533)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/637623a6-af9b-4a69-90a8-85cd562c999e/downloads/niwexokaburule.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467533/; classtype:trojan-activity;sid:84330633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467528)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/96f90b6e-3939-4cac-a3ad-eba9fb8219bf/downloads/71599608952.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467528/; classtype:trojan-activity;sid:84330628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3e712c63-2f24-4e6b-a5dc-ff3233100bea/downloads/72290413200.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467523/; classtype:trojan-activity;sid:84330623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2eabcd0a-1fbf-48aa-8399-71392232a891/downloads/rafubagosewuniwudob.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467524/; classtype:trojan-activity;sid:84330624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467525)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/70485427967.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467525/; classtype:trojan-activity;sid:84330625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e9dc005a-39e6-474d-bf2f-ef67b812a261/downloads/xenogipojadamomixaxulute.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467526/; classtype:trojan-activity;sid:84330626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/9089368795.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467527/; classtype:trojan-activity;sid:84330627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8014aeaa-17b8-4bcd-a9d7-094ad1ff7644/downloads/fusoze.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467517/; classtype:trojan-activity;sid:84330617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467521)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/83838390139.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467521/; classtype:trojan-activity;sid:84330621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6104a42e-c9ca-496d-9156-92538fddca06/downloads/vevowezirebojikidebof.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467510/; classtype:trojan-activity;sid:84330610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/temisipilotiba.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467513/; classtype:trojan-activity;sid:84330613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/79427765137.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467501/; classtype:trojan-activity;sid:84330601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467478)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/examples_of_employee_goals_for_performance_review.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467478/; classtype:trojan-activity;sid:84330578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/50228966329.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467477/; classtype:trojan-activity;sid:84330577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/educational_leadership_philosophy_examples.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467475/; classtype:trojan-activity;sid:84330575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/299c0676-bac5-4db6-8fea-3075091e1687/downloads/61526216713.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467476/; classtype:trojan-activity;sid:84330576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467466)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/mawanigokur.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467466/; classtype:trojan-activity;sid:84330566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/36054141231.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467469/; classtype:trojan-activity;sid:84330569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37fc73a-27ae-4e8d-87b6-7c807b298be6/downloads/85925649248.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467470/; classtype:trojan-activity;sid:84330570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/educacion_financiera_avanzada_partiendo_de_cero_autor_gregor.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467471/; classtype:trojan-activity;sid:84330571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467474)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/biwejukajurel.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467474/; classtype:trojan-activity;sid:84330574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62128af0-82d0-4bae-b967-d393a4304003/downloads/69065118383.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467459/; classtype:trojan-activity;sid:84330559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/94224235634.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467462/; classtype:trojan-activity;sid:84330562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/739cff78-28a4-4749-8c7f-abf371b6a947/downloads/62789327536.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467463/; classtype:trojan-activity;sid:84330563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467453)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d9b3f7f8-355a-428e-bb44-74bff775274d/downloads/supix.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467453/; classtype:trojan-activity;sid:84330553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/670646a4-4ce8-4367-bccc-c52d2083c9a3/downloads/chronogramme_dune_these_de_doctorat.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467454/; classtype:trojan-activity;sid:84330554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467455)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1e222df8-d197-4254-b90b-be3d3b023ef4/downloads/zopawakabubijipek.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467455/; classtype:trojan-activity;sid:84330555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/27590969755.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467456/; classtype:trojan-activity;sid:84330556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467457)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kudokexogikekuporeso.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467457/; classtype:trojan-activity;sid:84330557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/48255006417.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467452/; classtype:trojan-activity;sid:84330552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09540d0c-1db9-4e3c-a32d-6eed7b48ae00/downloads/3841723103.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467448/; classtype:trojan-activity;sid:84330548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/exemple_de_dossier_raep_redige.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467443/; classtype:trojan-activity;sid:84330543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467445)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/munich_tourist_attractions_map.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467445/; classtype:trojan-activity;sid:84330545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4a17de4-bdbb-4d1a-aaee-49990939d4cf/downloads/problue_7_nordson_manual.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467438/; classtype:trojan-activity;sid:84330538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/30229793875.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467440/; classtype:trojan-activity;sid:84330540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/cooling_tower_working.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467433/; classtype:trojan-activity;sid:84330533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467434)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/corporate_signature_authority_matrix_template_printable.pdf"; depth:117; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467434/; classtype:trojan-activity;sid:84330534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467425)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/continental_online_assessment_test_answers.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467425/; classtype:trojan-activity;sid:84330525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/465f36af-7a24-4906-9c2a-986dcb6b15f8/downloads/where_can_i_get_edo_state_of_origin_certificate_in_lagos.pdf"; depth:118; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467426/; classtype:trojan-activity;sid:84330526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/sample_testimonials_for_employees.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467427/; classtype:trojan-activity;sid:84330527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3467428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bf8d6b31-0867-4cc2-b138-2d2dbb23ec3a/downloads/bawananulufobomoderawulen.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467428/; classtype:trojan-activity;sid:84330528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37fc73a-27ae-4e8d-87b6-7c807b298be6/downloads/86119351354.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467422/; classtype:trojan-activity;sid:84330522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467423)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/kagoferoxotopelabalim.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467423/; classtype:trojan-activity;sid:84330523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/how_to_write_letter_against_show_cause_notice.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467411/; classtype:trojan-activity;sid:84330511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3467412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/bevakabopodo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467412/; classtype:trojan-activity;sid:84330512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/55669141050.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467416/; classtype:trojan-activity;sid:84330516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fb13673c-7b10-403f-be9e-1b04622101d6/downloads/61656569082.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467417/; classtype:trojan-activity;sid:84330517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/98264302577.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467418/; classtype:trojan-activity;sid:84330518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467408)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/grammar_plus_class_8.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467408/; classtype:trojan-activity;sid:84330508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/32575227287.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467409/; classtype:trojan-activity;sid:84330509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/xavibow.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467410/; classtype:trojan-activity;sid:84330510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b566d4a5-149a-4042-a2b5-fa837a998781/downloads/62246613540.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467400/; classtype:trojan-activity;sid:84330500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467403)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/a19a3dcf-f832-45fe-91ff-ed566d492286/downloads/31803450103.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467403/; classtype:trojan-activity;sid:84330503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/26449761459.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467404/; classtype:trojan-activity;sid:84330504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/manual_de_uso_cummins_insite.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467395/; classtype:trojan-activity;sid:84330495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/83127272265.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467397/; classtype:trojan-activity;sid:84330497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467389)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/50013116393.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467389/; classtype:trojan-activity;sid:84330489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/muxem.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467386/; classtype:trojan-activity;sid:84330486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467381)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aa930190-2e12-4ce7-8bd7-0454f2ef6721/downloads/remonstration_visum_ablehnung_muster.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467381/; classtype:trojan-activity;sid:84330481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1cd14ca4-3aaa-4349-a92b-5919cb2c71ee/downloads/37493963429.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467382/; classtype:trojan-activity;sid:84330482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467383)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/26417869572.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467383/; classtype:trojan-activity;sid:84330483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467370)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4240411-5b76-4ebe-95b9-c00242399cf6/downloads/libevisuxalozusofaze.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467370/; classtype:trojan-activity;sid:84330470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/remebemakuvomurixulat.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467372/; classtype:trojan-activity;sid:84330472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/35713869772.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467377/; classtype:trojan-activity;sid:84330477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467363)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/popezefere.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467363/; classtype:trojan-activity;sid:84330463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/57373027197.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467365/; classtype:trojan-activity;sid:84330465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467367)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1e00f0b9-c207-4cb1-9a9a-c11d057e31a3/downloads/request_letter_for_hold_amount_release.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467367/; classtype:trojan-activity;sid:84330467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9569c183-65dc-4f14-a45e-e7944584cb65/downloads/58650400832.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467369/; classtype:trojan-activity;sid:84330469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467358)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/0684881f-11f6-455b-9188-fb070acdb368/downloads/you_too_can_be_prosperous.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467358/; classtype:trojan-activity;sid:84330458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e51c42a2-48a1-43ea-b124-a034de3679a6/downloads/sizusobimemitu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467359/; classtype:trojan-activity;sid:84330459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/her_yonuyle_modern_almanca_dursun_zengin.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467353/; classtype:trojan-activity;sid:84330453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/towedokunorazageleside.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467354/; classtype:trojan-activity;sid:84330454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467355)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/65604431763.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467355/; classtype:trojan-activity;sid:84330455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/ruwuxa.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467357/; classtype:trojan-activity;sid:84330457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467347)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c725aa89-ce3b-4b0b-861e-e7c40702153d/downloads/sulupob.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467347/; classtype:trojan-activity;sid:84330447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0a2e88a7-385b-4aed-a81e-123c037cba5d/downloads/57067255053.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467348/; classtype:trojan-activity;sid:84330448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467350)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/2ad58263-1b5c-4da7-bc4a-7b8f99e22218/downloads/2544897802.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467350/; classtype:trojan-activity;sid:84330450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/66812037618.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467352/; classtype:trojan-activity;sid:84330452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b4da0e1a-7caf-4ed8-aaa9-0949952990f3/downloads/49347806429.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467344/; classtype:trojan-activity;sid:84330444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/gununemedusotojipime.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467340/; classtype:trojan-activity;sid:84330440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467334)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/92c7bb30-769c-4722-92cc-8b01b59910e0/downloads/36512394005.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467334/; classtype:trojan-activity;sid:84330434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7592d1e2-3dca-48f2-9f42-bb08c23dfb67/downloads/zutav.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467337/; classtype:trojan-activity;sid:84330437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467326)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8f97cb07-1cfa-4fca-b6d8-3f1bf47f56b3/downloads/dulerugufep.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467326/; classtype:trojan-activity;sid:84330426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467328)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/nopurumonufulelu.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467328/; classtype:trojan-activity;sid:84330428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467321)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/security_daily_activity_report_template.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467321/; classtype:trojan-activity;sid:84330421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ac66f4da-754b-4df9-b080-4728fb201349/downloads/nimoma.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467313/; classtype:trojan-activity;sid:84330413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/11677680583.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467317/; classtype:trojan-activity;sid:84330417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/elkonin_boxes_word_list.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467318/; classtype:trojan-activity;sid:84330418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467307)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c3d6560-d229-4015-8af2-a70ad89bde0a/downloads/80071621679.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467307/; classtype:trojan-activity;sid:84330407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/kapabemirowajuzaxadirokef.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467303/; classtype:trojan-activity;sid:84330403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/modexad.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467304/; classtype:trojan-activity;sid:84330404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467298)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0bdc9896-149c-4815-8e37-9e55432c4120/downloads/bofugesugipufibutunida.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467298/; classtype:trojan-activity;sid:84330398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467300)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/9c30937d-c8da-4e7b-9f7a-432344b46400/downloads/xuguxupevubitutuzoju.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467300/; classtype:trojan-activity;sid:84330400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/rubejemi.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467301/; classtype:trojan-activity;sid:84330401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467286)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/atividades_de_concordancia_verbal_5o_ano_com_gabarito.pdf"; depth:115; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467286/; classtype:trojan-activity;sid:84330386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467287)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/78c14b69-39ed-4d94-8d63-a7b29776e43c/downloads/45524925955.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467287/; classtype:trojan-activity;sid:84330387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467292)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/cyberark_psmp_admin_guide.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467292/; classtype:trojan-activity;sid:84330392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467295)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/kitab_shams_al_maarif.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467295/; classtype:trojan-activity;sid:84330395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3298be68-ecf2-4e6e-8fa7-1bf1d7657489/downloads/xagoje.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467283/; classtype:trojan-activity;sid:84330383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/83df8ca9-16c2-4244-8f9e-8be918c4b8a3/downloads/86611585002.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467279/; classtype:trojan-activity;sid:84330379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467271)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/fae029f6-27b1-4578-94bc-ae0bbaeebde4/downloads/53744052149.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467271/; classtype:trojan-activity;sid:84330371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9927c1c5-c61c-4f5e-807e-67bd1833b3e4/downloads/nijalox.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467274/; classtype:trojan-activity;sid:84330374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/how_to_change_font_size_in_xchange_editor.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467275/; classtype:trojan-activity;sid:84330375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/limitorque_mx_ordering_guide.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467277/; classtype:trojan-activity;sid:84330377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467266)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/timex_expedition_indiglo_wr50m_manual.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467266/; classtype:trojan-activity;sid:84330366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a3b63b5-3e6a-48ac-8e49-14ed0037cbc4/downloads/hitachi_cd_sem_operation_manual.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467269/; classtype:trojan-activity;sid:84330369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/36672004653.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467259/; classtype:trojan-activity;sid:84330359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9dc6fd8e-b629-406d-be34-231dfc94d5e9/downloads/catia_v5_simulation_tutorial.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467260/; classtype:trojan-activity;sid:84330360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467262)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/80e9e7c7-d97b-4b5a-96c4-9a83854a3065/downloads/vuzabovamipavowaseke.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467262/; classtype:trojan-activity;sid:84330362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/weguma.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467258/; classtype:trojan-activity;sid:84330358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/119d5b03-e78f-4725-87b7-ed496b267f6d/downloads/attributes_of_a_good_research_topic_ppt.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467246/; classtype:trojan-activity;sid:84330346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1663535d-289f-4a17-902d-0bb53881ce69/downloads/kurupojofuxerixutalo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467249/; classtype:trojan-activity;sid:84330349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467250)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/mizibatazikitawejubidodog.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467250/; classtype:trojan-activity;sid:84330350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/gibabasakofalulizuwa.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467251/; classtype:trojan-activity;sid:84330351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/meravinuvisudome.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467240/; classtype:trojan-activity;sid:84330340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/64114a94-94a3-4f5d-866a-beee254b955f/downloads/70815730326.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467241/; classtype:trojan-activity;sid:84330341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467235)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/86649529175.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467235/; classtype:trojan-activity;sid:84330335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/nims_703_b_answers.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467236/; classtype:trojan-activity;sid:84330336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cf660a09-f805-468d-bb57-fa3593615f41/downloads/tojanigawexulametuzuk.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467237/; classtype:trojan-activity;sid:84330337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bc2ad79b-5832-4a2d-a335-92537db54849/downloads/pinestars_choice.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467230/; classtype:trojan-activity;sid:84330330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467231)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/vupegazezo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467231/; classtype:trojan-activity;sid:84330331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/18985117210.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467221/; classtype:trojan-activity;sid:84330321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467223)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/03167ecf-a61c-49ea-b541-7a074a81e1da/downloads/6655537579.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467223/; classtype:trojan-activity;sid:84330323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/41957679215.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467225/; classtype:trojan-activity;sid:84330325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467226)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/exemple_de_livret_2_vae_rempli.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467226/; classtype:trojan-activity;sid:84330326; rev:1;)
# Review notes for the rules below (they all share one shape):
# Each rule alerts on an established, client-side HTTP GET from $HOME_NET to
# $EXTERNAL_NET whose URI and Host both equal one URLhaus entry.
#   - http.uri: depth equals the pattern length and `endswith` pins the end, so
#     the pattern has to be the whole URI buffer (compared case-insensitively
#     via `nocase`). These are exact-URL indicators; a request whose URI differs
#     by more than letter case is outside their scope.
#   - http.host: depth:14 plus `isdataat:!1,relative` means nothing may follow
#     "img1.wsimg.com", i.e. the Host must be exactly that name.
# `alert http` only fires where Suricata can parse the HTTP request, so requests
# to this host over TLS are not seen by these rules unless the traffic is
# decrypted upstream of the sensor.
# NOTE(review): every rule here targets the same host with different
# /blobby/go/<uuid>/downloads/<file>.pdf paths, which suggests shared hosting;
# a host-wide block would presumably over-block, so keep enforcement per URL.
# NOTE(review): created_at is 2025_03_05 on all of them; confirm the entry's
# current status at the reference URL before acting on an alert.
# Alert-to-source mapping: the number in msg and in reference is the URLhaus id;
# in every rule visible here sid = that id + 80863100.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f569f34e-b7af-41eb-9a21-0f9939c54b3f/downloads/64195657437.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467228/; classtype:trojan-activity;sid:84330328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/20019605198.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467210/; classtype:trojan-activity;sid:84330310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d258c0c8-b9d9-4d64-b965-01378617d9c6/downloads/45706940387.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467212/; classtype:trojan-activity;sid:84330312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/xajuxe.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467213/; classtype:trojan-activity;sid:84330313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/81f7a7ad-d4fe-4147-943f-584c2d1e9bf5/downloads/because_of_mr_terupt_online.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467214/; classtype:trojan-activity;sid:84330314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/fajupip.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467215/; classtype:trojan-activity;sid:84330315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/minetest_wiki_commands.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467205/; classtype:trojan-activity;sid:84330305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/ohanian_physics_volume_1.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467206/; classtype:trojan-activity;sid:84330306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467208)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/900d123a-2557-4fa9-92f6-1446b602b979/downloads/deporiramuga.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467208/; classtype:trojan-activity;sid:84330308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/traffic_light_risk_assessment_template_mental_health.pdf"; depth:114; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467209/; classtype:trojan-activity;sid:84330309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/suritotowid.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467202/; classtype:trojan-activity;sid:84330302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/41821413009.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467196/; classtype:trojan-activity;sid:84330296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/804274b4-5f10-4c26-9de6-df56f38aac7c/downloads/14312384720.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467200/; classtype:trojan-activity;sid:84330300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/23776368177.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467188/; classtype:trojan-activity;sid:84330288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/eb8ff9f7-37bb-4420-bfa0-f018b38dcfa6/downloads/17065535031.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467190/; classtype:trojan-activity;sid:84330290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/432a6cf0-f63b-4132-8b03-52615cd2c1c3/downloads/41591669011.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467191/; classtype:trojan-activity;sid:84330291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/437a989b-0a84-4105-b8c7-1870eb56af29/downloads/sbi_disbursement_request_form.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467177/; classtype:trojan-activity;sid:84330277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/27f26436-44ad-4647-8929-a76a4ea0ea67/downloads/sample_query_letter_for_negligence_of_duty.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467180/; classtype:trojan-activity;sid:84330280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/sapebufuj.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467181/; classtype:trojan-activity;sid:84330281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4365da4a-8d29-4708-8e67-b3b566794d83/downloads/fovizijazobupukototofosop.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467184/; classtype:trojan-activity;sid:84330284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/ligitove.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467175/; classtype:trojan-activity;sid:84330275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/62404701972.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467176/; classtype:trojan-activity;sid:84330276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/069f5eef-b21d-41b6-aaa6-569b53af1c5a/downloads/rawidesukusutalunug.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467171/; classtype:trojan-activity;sid:84330271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d102a54e-7197-4308-a937-d70c58240642/downloads/26442784020.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467172/; classtype:trojan-activity;sid:84330272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/modelo_carta_entrega_de_inmueble_word.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467168/; classtype:trojan-activity;sid:84330268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467163)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/61905f2a-55dd-4144-8c7c-fce5e91063a8/downloads/british_army_all_arms_tactical_aide_memoire.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467163/; classtype:trojan-activity;sid:84330263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/rakotojifodonosanilorefa.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467166/; classtype:trojan-activity;sid:84330266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1ec2f808-78a9-4c99-aa80-be96e23bf450/downloads/gewikunobapizati.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467157/; classtype:trojan-activity;sid:84330257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7dda8154-e680-4c60-8651-19cf13768d49/downloads/jadol.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467158/; classtype:trojan-activity;sid:84330258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/nojivurajojirezizi.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467154/; classtype:trojan-activity;sid:84330254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98571e96-4bd9-4ee2-bb76-481ac550907e/downloads/genebugutisevijuk.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467156/; classtype:trojan-activity;sid:84330256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9483bc30-bb1c-4c04-9cf3-38d205924dab/downloads/jugilususosu.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467150/; classtype:trojan-activity;sid:84330250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/virapajoridubibakoxofa.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467151/; classtype:trojan-activity;sid:84330251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/319984769.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467152/; classtype:trojan-activity;sid:84330252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/makusikarubikowaxosop.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467142/; classtype:trojan-activity;sid:84330242; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467143)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/gikuxuze.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467143/; classtype:trojan-activity;sid:84330243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/963d457e-5dea-4a7e-aae8-47aada2a7cc0/downloads/velafeke.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467135/; classtype:trojan-activity;sid:84330235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/97fcff61-ad1b-4591-bfda-ed7d6d6690f0/downloads/49593663309.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467137/; classtype:trojan-activity;sid:84330237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5e489076-b026-43ca-95da-8c6fe49f6d00/downloads/49103789197.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467138/; classtype:trojan-activity;sid:84330238; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/zafekupegagasaza.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467132/; classtype:trojan-activity;sid:84330232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/55585429936.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467133/; classtype:trojan-activity;sid:84330233; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/fedex_air_waybill_form.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467126/; classtype:trojan-activity;sid:84330226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d567d1b9-5a9f-4b97-a387-65a7c02f8ff4/downloads/barapinawowaja.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467127/; classtype:trojan-activity;sid:84330227; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/ravibopegaxipodek.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467115/; classtype:trojan-activity;sid:84330215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/haojue_chopper_road_150_manual.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467116/; classtype:trojan-activity;sid:84330216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/23c146af-6c5b-426f-944d-9bf55106e4d8/downloads/de_quien_es_hija_elisa_salinas.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467117/; classtype:trojan-activity;sid:84330217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/rewekawejujawidubekafebur.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467118/; classtype:trojan-activity;sid:84330218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3425f1f9-2741-4cdd-9a85-f51cd8a77838/downloads/pyidaungsu_font_keyboard_layout.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467121/; classtype:trojan-activity;sid:84330221; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kulefenev.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467110/; classtype:trojan-activity;sid:84330210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/acquisition_value_negative_in_area_01_aa617.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467108/; classtype:trojan-activity;sid:84330208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d8f5bd9b-2c75-4c1f-8d4d-84a7de1d3443/downloads/widavizuxorig.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467101/; classtype:trojan-activity;sid:84330201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/chris_mccandless_travel_route.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467102/; classtype:trojan-activity;sid:84330202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467103)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/17ef1a7d-be6f-43bc-ac3a-a9c4fb65005e/downloads/powejavatunepoxaj.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467103/; classtype:trojan-activity;sid:84330203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/937a3a5d-28a9-4a6d-983b-63f9d4fe1460/downloads/90328489234.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467106/; classtype:trojan-activity;sid:84330206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0319bbe-78e1-4446-90fc-2b4b4cc85a3e/downloads/wurowujezodabod.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467098/; classtype:trojan-activity;sid:84330198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467099)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pubobagawu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467099/; classtype:trojan-activity;sid:84330199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/forest_fire_causes_and_effects.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467100/; classtype:trojan-activity;sid:84330200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6b07c7a9-24ea-41b4-835a-7daa4871c250/downloads/16_personality_factors_by_cattell.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467086/; classtype:trojan-activity;sid:84330186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2224247e-29ce-4f8d-b838-abfcbdf269c0/downloads/psicoweb_respuestas_2019.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467088/; classtype:trojan-activity;sid:84330188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/koxisiranarigavod.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467092/; classtype:trojan-activity;sid:84330192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467093)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59d4bc6c-1e33-45d9-a430-f89e52f3f795/downloads/subazituwa.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467093/; classtype:trojan-activity;sid:84330193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6f72d87-e560-495a-a5bd-684e976b53e4/downloads/lettre_promesse_dembauche.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467094/; classtype:trojan-activity;sid:84330194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/971e893d-d96e-4c35-b8d0-897850ea3ce6/downloads/ice_quarterly_development_report_example.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467080/; classtype:trojan-activity;sid:84330180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/testigos_tablero_foton.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467081/; classtype:trojan-activity;sid:84330181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467083)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8df58291-e0db-425a-9cda-a9882386ada6/downloads/24365322622.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467083/; classtype:trojan-activity;sid:84330183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4831e354-44dc-4759-9d14-0dd6cfda589f/downloads/91284214985.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467085/; classtype:trojan-activity;sid:84330185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c5dd25fc-7740-402b-aa70-862b15f3342c/downloads/8958005659.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467078/; classtype:trojan-activity;sid:84330178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9e5b6b40-f934-4273-a65f-cbaee9aa4b00/downloads/9665669589.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467072/; classtype:trojan-activity;sid:84330172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/konibaxixim.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467073/; classtype:trojan-activity;sid:84330173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/20a6346a-1701-43f8-be7d-6426912a09c2/downloads/self_introduction_during_interview_example.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467074/; classtype:trojan-activity;sid:84330174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ff494cbe-9d2a-4ae4-802e-f50cfad48f0a/downloads/74334894285.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467075/; classtype:trojan-activity;sid:84330175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/55534301355.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467077/; classtype:trojan-activity;sid:84330177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/tevolutirasuvujivol.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467065/; classtype:trojan-activity;sid:84330165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3f5ecf8d-ba74-430f-ac11-9eb6ace92d02/downloads/73100246338.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467066/; classtype:trojan-activity;sid:84330166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6f72d87-e560-495a-a5bd-684e976b53e4/downloads/earth_making_of_a_planet_national_geographic_worksheet.pdf"; depth:116; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467067/; classtype:trojan-activity;sid:84330167; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/bisebinalujivefiwugagabu.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467070/; classtype:trojan-activity;sid:84330170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/miludafat.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467064/; classtype:trojan-activity;sid:84330164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ea6e6a77-ad86-47ad-bec1-a500695628d4/downloads/66906319004.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467061/; classtype:trojan-activity;sid:84330161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467062)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b77102f9-1066-4a92-8a14-af011902d081/downloads/75162502331.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467062/; classtype:trojan-activity;sid:84330162; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/mapisirukuw.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467063/; classtype:trojan-activity;sid:84330163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/guzupuzuradadutov.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467058/; classtype:trojan-activity;sid:84330158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/081e0348-3bf0-4a3e-a723-749adc1aa630/downloads/teks_ratib_al_attas.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467059/; classtype:trojan-activity;sid:84330159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d07e2353-3643-42fe-ba11-ffa772b1a28d/downloads/49693757117.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467060/; classtype:trojan-activity;sid:84330160; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467051)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/6702c9de-d943-4d22-b78e-7985c91f7713/downloads/84525111813.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467051/; classtype:trojan-activity;sid:84330151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/26bbb7e6-2f83-462e-b1a0-c9b7b5a50d38/downloads/training_needs_assessment_questionnaire_for_sales.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467052/; classtype:trojan-activity;sid:84330152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/najovozulubameto.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467053/; classtype:trojan-activity;sid:84330153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c718f9e1-28ba-4c02-b434-4456f7af09a8/downloads/masizaz.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467055/; classtype:trojan-activity;sid:84330155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467044)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/rolinejagogid.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467044/; classtype:trojan-activity;sid:84330144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/buxam.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467042/; classtype:trojan-activity;sid:84330142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6be9a470-c465-4776-ab76-53713c51537a/downloads/nokura.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467032/; classtype:trojan-activity;sid:84330132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/69da2f53-c229-4dc7-a889-7b67b52b1a78/downloads/nokejafowikazuvojoj.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467033/; classtype:trojan-activity;sid:84330133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467035)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e43067a0-6374-4a70-a00d-00ee3b01ce8d/downloads/93917384180.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467035/; classtype:trojan-activity;sid:84330135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467037)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0336533-680f-4ead-a55e-7e292796b70a/downloads/veteluruxoge.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467037/; classtype:trojan-activity;sid:84330137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cc5e3c0a-70ce-48cf-a48d-87f83c6b3256/downloads/major_problems_in_african_american_history.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467027/; classtype:trojan-activity;sid:84330127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d38d43db-37ad-45ec-b237-63ac8c84a196/downloads/latovin.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467029/; classtype:trojan-activity;sid:84330129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467018)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c10f3982-2d8c-41ef-9c88-95b9c7e0984b/downloads/exagrid_admin_guide.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467018/; classtype:trojan-activity;sid:84330118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/2880955338.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467019/; classtype:trojan-activity;sid:84330119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9f4350e3-635b-45ba-b69f-b1a7e95f309e/downloads/24638138520.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467020/; classtype:trojan-activity;sid:84330120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/54349718441.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467022/; classtype:trojan-activity;sid:84330122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467023)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/satyanarayan_puja_vidhi_in_sanskrit.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467023/; classtype:trojan-activity;sid:84330123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/sample_letter_to_be_excused_from_jury_service.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467016/; classtype:trojan-activity;sid:84330116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cf660a09-f805-468d-bb57-fa3593615f41/downloads/vumemaxexepemetesa.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467011/; classtype:trojan-activity;sid:84330111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/93a7eb93-9eef-4244-8f20-7f48de1f8294/downloads/95493308607.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467012/; classtype:trojan-activity;sid:84330112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467015)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/right_to_information_act_application_form_malayalam.pdf"; depth:113; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467015/; classtype:trojan-activity;sid:84330115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/zesowafasunufezef.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467006/; classtype:trojan-activity;sid:84330106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8e46fb0c-8d21-4b8c-82fc-88315c96ddde/downloads/bevurusip.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467008/; classtype:trojan-activity;sid:84330108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09d72da9-ee58-43de-9ce0-8696fa874a10/downloads/zanozibiwakixubunifelok.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467002/; classtype:trojan-activity;sid:84330102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3467000)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/54040f30-acd4-4a4c-a314-5c4c261b537d/downloads/printable_foods_high_in_uric_acid_chart.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3467000/; classtype:trojan-activity;sid:84330100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/15318963311.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466992/; classtype:trojan-activity;sid:84330092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c0f7f4ed-2d7c-4134-aa94-503b1eb6600b/downloads/pagulabomezex.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466993/; classtype:trojan-activity;sid:84330093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466996)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/katisugenifikipevas.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466996/; classtype:trojan-activity;sid:84330096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466997)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/xowawetavudazinomo.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466997/; classtype:trojan-activity;sid:84330097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7662afb9-5d02-4eb9-bd3b-6426a66215ee/downloads/2312138967.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466985/; classtype:trojan-activity;sid:84330085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/evaluation_geographie_6eme_habiter_une_metropole.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466986/; classtype:trojan-activity;sid:84330086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8fc62093-f93e-447d-8e21-b1e235f4d9cc/downloads/vadigoxevujo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466989/; classtype:trojan-activity;sid:84330089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466991)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/64414313920.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466991/; classtype:trojan-activity;sid:84330091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/mizoxuloniwi.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466979/; classtype:trojan-activity;sid:84330079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/66244318284.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466984/; classtype:trojan-activity;sid:84330084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6cdacb6d-7fbf-4d09-a986-56cdfa4edeb2/downloads/15247939327.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466971/; classtype:trojan-activity;sid:84330071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466972)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/example_of_a_lobola_letter_in_zulu.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466972/; classtype:trojan-activity;sid:84330072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466973)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ea25ddad-ebb0-4880-b714-a3f2cdadcbd9/downloads/notas_de_dinheiro_para_imprimir.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466973/; classtype:trojan-activity;sid:84330073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/606585da-2917-4da6-a9df-810ae6e7fbc1/downloads/asme_sec_8_div_1_appendix_8.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466975/; classtype:trojan-activity;sid:84330075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/segaxifalawanevake.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466976/; classtype:trojan-activity;sid:84330076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466969)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/2c827e54-9a2c-449a-9d97-e20f9555c87a/downloads/pearson_iit_foundation_class_9_maths.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466969/; classtype:trojan-activity;sid:84330069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3d2c6212-591e-450b-b673-947709e569a9/downloads/jidikegegudafipi.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466970/; classtype:trojan-activity;sid:84330070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62bebe3a-24c2-4a56-9b26-65d7a4a8233d/downloads/gupira.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466966/; classtype:trojan-activity;sid:84330066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7219dffe-e0ab-4b31-b3e7-77acd35b52f5/downloads/79599984772.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466958/; classtype:trojan-activity;sid:84330058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466957)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/actaris_meter_manual.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466957/; classtype:trojan-activity;sid:84330057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0c2227e9-a807-4022-9307-9c68c8629142/downloads/59021495355.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466950/; classtype:trojan-activity;sid:84330050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466952)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/malaysia_company_employee_handbook.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466952/; classtype:trojan-activity;sid:84330052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/988c0021-e131-496b-8725-ae310052894b/downloads/berakigevep.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466937/; classtype:trojan-activity;sid:84330037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466938)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c0325f5e-ab4f-48af-8631-8757a310624e/downloads/87631223928.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466938/; classtype:trojan-activity;sid:84330038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/majisumilorenanevivo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466941/; classtype:trojan-activity;sid:84330041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c272bee0-a4e4-45f4-a8ce-0b066973e0cb/downloads/gateman_wk_20_english_manual.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466933/; classtype:trojan-activity;sid:84330033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/koxid.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466934/; classtype:trojan-activity;sid:84330034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466935)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/sasufazovosonufowam.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466935/; classtype:trojan-activity;sid:84330035; rev:1;)
# The rules below all carry created_at 2025_03_05, pin the same hostname
# (img1.wsimg.com) and differ only in the PDF path under
# /blobby/go/<uuid>/downloads/. Each one alerts on a GET sent by a $HOME_NET
# client to $EXTERNAL_NET on an established flow.
#
# Matching is exact on both sticky buffers:
#   - http.uri: depth equals the content length and endswith anchors the end,
#     so the whole URI buffer must equal the listed path (case-insensitively,
#     via nocase).
#   - http.host: depth:14 plus isdataat:!1,relative allows no bytes before or
#     after the hostname. Suricata lowercases the http.host buffer, so the
#     host content needs no nocase.
# These are per-URL indicators, not a signature for the hosting path: other
# files under the same prefix are not covered, so pair the alerts with a
# proxy/HTTP-log search on host + path prefix when scoping an incident.
#
# NOTE(review): `alert http` only fires on traffic Suricata parses as HTTP. If
# clients reach this host over TLS, these rules see nothing unless the sensor
# is fed decrypted traffic -- confirm sensor placement before counting on them.
# NOTE(review): in every rule visible here the sid equals the URLhaus id from
# msg/reference plus 80863100; presumably a generator convention -- confirm
# before using it to map sids back to URLhaus entries.
# NOTE(review): check the entry status at the reference URL when triaging a
# hit; the listed file may have been removed or replaced since created_at.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/6554737977.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466929/; classtype:trojan-activity;sid:84330029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4b7c63a1-8c4d-413e-83dc-2db6954011c6/downloads/42942412664.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466931/; classtype:trojan-activity;sid:84330031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/43589756342.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466928/; classtype:trojan-activity;sid:84330028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466923)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/juporuko.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466923/; classtype:trojan-activity;sid:84330023; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1d231bc1-15b8-4d3d-b451-c05909392126/downloads/71014366481.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466924/; classtype:trojan-activity;sid:84330024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/29389545569.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466920/; classtype:trojan-activity;sid:84330020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fbb7d95c-19ce-4e6b-832c-1ccce7746b31/downloads/jebagokapinezax.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466915/; classtype:trojan-activity;sid:84330015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cb46680e-64d4-4308-8a44-9926381d0750/downloads/85747587751.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466916/; classtype:trojan-activity;sid:84330016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/mopuma.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466910/; classtype:trojan-activity;sid:84330010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a618ca0f-2608-47c2-ab22-bbc2ca127bb7/downloads/saziva.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466911/; classtype:trojan-activity;sid:84330011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/76c40511-888a-4b14-bb65-87429974a9ff/downloads/gemotukuwitawusagulobez.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466913/; classtype:trojan-activity;sid:84330013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6ab86f22-a419-4e4f-91d4-5a654823f744/downloads/21711123451.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466905/; classtype:trojan-activity;sid:84330005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9e5b6b40-f934-4273-a65f-cbaee9aa4b00/downloads/14203617612.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466900/; classtype:trojan-activity;sid:84330000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e4ad6e04-69d1-4aa9-ba9f-c194e0ac5eef/downloads/lotavawofasopupe.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466902/; classtype:trojan-activity;sid:84330002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/mental_state_examination_checklist.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466898/; classtype:trojan-activity;sid:84329998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e5728c18-e5b3-4c69-bf59-a4be42aea8ac/downloads/22515332125.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466893/; classtype:trojan-activity;sid:84329993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/metso_neles_positioner_manual.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466894/; classtype:trojan-activity;sid:84329994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/9840498620.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466895/; classtype:trojan-activity;sid:84329995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3fffd8a4-4d1d-42f8-a3e8-f124f6724c06/downloads/kejawisenukasi.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466897/; classtype:trojan-activity;sid:84329997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/72065953692.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466885/; classtype:trojan-activity;sid:84329985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1ecb10a4-49e9-4fe5-a6bc-f0f227949dd2/downloads/60627448414.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466890/; classtype:trojan-activity;sid:84329990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/ramevedasap.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466881/; classtype:trojan-activity;sid:84329981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fbb7d95c-19ce-4e6b-832c-1ccce7746b31/downloads/67882203250.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466882/; classtype:trojan-activity;sid:84329982; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/df312c7d-f650-4c0e-a98f-02aee1a43694/downloads/77125885812.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466877/; classtype:trojan-activity;sid:84329977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466864)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37e9011-77af-43eb-9e7b-dd6853450512/downloads/27721436213.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466864/; classtype:trojan-activity;sid:84329964; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6abf7f7e-d12c-48f3-aa9a-703f4ccff8d7/downloads/81403469667.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466866/; classtype:trojan-activity;sid:84329966; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466870)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/antibiotic_sensitivity_chart_sanford_guide.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466870/; classtype:trojan-activity;sid:84329970; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9c8a6489-894f-4446-8722-19ef31b6a173/downloads/26803015720.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466872/; classtype:trojan-activity;sid:84329972; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4d2b55bf-cda3-4071-bf2e-8c27282b789f/downloads/chambre_de_tirage_telecom.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466873/; classtype:trojan-activity;sid:84329973; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/48283c5b-b198-4860-9bf9-7f30a2f8146b/downloads/10387443769.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466875/; classtype:trojan-activity;sid:84329975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/zasuporuxumuza.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466876/; classtype:trojan-activity;sid:84329976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3d0a6e54-c95b-4e67-871e-882f39f9c203/downloads/77235011630.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466861/; classtype:trojan-activity;sid:84329961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/luvuges.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466863/; classtype:trojan-activity;sid:84329963; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/tovidesukowoxam.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466858/; classtype:trojan-activity;sid:84329958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a5a93100-d349-4291-8bce-18547efeb268/downloads/14773335318.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466859/; classtype:trojan-activity;sid:84329959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62bebe3a-24c2-4a56-9b26-65d7a4a8233d/downloads/xijawef.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466845/; classtype:trojan-activity;sid:84329945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98fd26ea-5c50-4ebf-945e-7ed158ebe1b6/downloads/75925905792.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466847/; classtype:trojan-activity;sid:84329947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3ccd9234-721c-480b-91a1-84bae34c2069/downloads/votudomafuze.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466849/; classtype:trojan-activity;sid:84329949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ed3e7e73-6deb-4ec1-95e4-868a6659fe93/downloads/manning_guide_hotel_sample.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466851/; classtype:trojan-activity;sid:84329951; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466852)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/45596981954.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466852/; classtype:trojan-activity;sid:84329952; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466853)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/tilovapexof.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466853/; classtype:trojan-activity;sid:84329953; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/najufijirubedejalu.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466838/; classtype:trojan-activity;sid:84329938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/ludejawirusoxodofe.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466839/; classtype:trojan-activity;sid:84329939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/4959938645.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466843/; classtype:trojan-activity;sid:84329943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/dasuxugolod.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466833/; classtype:trojan-activity;sid:84329933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/804274b4-5f10-4c26-9de6-df56f38aac7c/downloads/attestation_de_non_affiliation_cnas_algerie.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466827/; classtype:trojan-activity;sid:84329927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/72502959-bd3f-431c-9582-055fb0eb9e9d/downloads/vw_gehaltstabelle_2022.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466828/; classtype:trojan-activity;sid:84329928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466831)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f6f33080-7dde-4e51-88ef-59c9fd931fca/downloads/latoletevuwogerovug.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466831/; classtype:trojan-activity;sid:84329931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/40119004199.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466818/; classtype:trojan-activity;sid:84329918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466824)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/ansul_piranha_system_installation_manual.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466824/; classtype:trojan-activity;sid:84329924; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/scada_system_architecture.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466813/; classtype:trojan-activity;sid:84329913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/63541235931.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466814/; classtype:trojan-activity;sid:84329914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bd6582d9-c54a-4b0b-ad89-3fd92efb45aa/downloads/gaylord_texan_hotel_map.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466802/; classtype:trojan-activity;sid:84329902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466803)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/laxokuzigurebudisinatonu.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466803/; classtype:trojan-activity;sid:84329903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09d72da9-ee58-43de-9ce0-8696fa874a10/downloads/kojutaz.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466805/; classtype:trojan-activity;sid:84329905; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/civil_engineer_experience_certificate_word_format.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466808/; classtype:trojan-activity;sid:84329908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/55d28ff0-9d0b-42b4-8190-887f90038148/downloads/gimisomogaro.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466799/; classtype:trojan-activity;sid:84329899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/payment_under_protest_letter_sample.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466794/; classtype:trojan-activity;sid:84329894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/43447829480.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466797/; classtype:trojan-activity;sid:84329897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/97374790135.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466798/; classtype:trojan-activity;sid:84329898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/71423402684.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466788/; classtype:trojan-activity;sid:84329888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5c9ed0ab-abf7-4895-9a79-d81e87aed60a/downloads/nezumizegorazulamalit.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466790/; classtype:trojan-activity;sid:84329890; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a4c519f1-5301-485e-9e9c-56d1397df289/downloads/79371210580.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466791/; classtype:trojan-activity;sid:84329891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kekososiwixokaz.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466792/; classtype:trojan-activity;sid:84329892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/14889765830.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466778/; classtype:trojan-activity;sid:84329878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/rikisiwudepelapopazi.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466779/; classtype:trojan-activity;sid:84329879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/boriwivamafegujiser.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466781/; classtype:trojan-activity;sid:84329881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466782)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/seaworld_donation_request_orlando.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466782/; classtype:trojan-activity;sid:84329882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/schumacher_battery_charger_parts_se-4022.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466786/; classtype:trojan-activity;sid:84329886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d83328cf-50de-409a-9bf6-de7a48f66ed6/downloads/40650293844.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466787/; classtype:trojan-activity;sid:84329887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/narigokukeminozitema.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466768/; classtype:trojan-activity;sid:84329868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/32231114245.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466770/; classtype:trojan-activity;sid:84329870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fa0b65d5-8cfc-4875-922a-b490488b42be/downloads/schmersal_de-_42279_datasheet.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466771/; classtype:trojan-activity;sid:84329871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/checklist_format_for_housekeeping_in_hospital.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466772/; classtype:trojan-activity;sid:84329872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/91812224211.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466773/; classtype:trojan-activity;sid:84329873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/rizepigarebovubugebo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466774/; classtype:trojan-activity;sid:84329874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/kawopixar.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466775/; classtype:trojan-activity;sid:84329875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/58311665155.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466767/; classtype:trojan-activity;sid:84329867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c0325f5e-ab4f-48af-8631-8757a310624e/downloads/93503353547.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466763/; classtype:trojan-activity;sid:84329863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6974f1eb-71bf-4f90-8572-d8ac4e4f765d/downloads/wazakovefonetak.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466764/; classtype:trojan-activity;sid:84329864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9978fe41-dbcb-4b88-8a80-a839de3f86b5/downloads/42576721881.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466758/; classtype:trojan-activity;sid:84329858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/suvuraxelikubok.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466761/; classtype:trojan-activity;sid:84329861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3e09336e-0817-489c-96db-d43d5fd51fc4/downloads/i9_birth_certificate_example.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466762/; classtype:trojan-activity;sid:84329862; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466750)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/stromer_st1_owners_manual.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466750/; classtype:trojan-activity;sid:84329850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/7215421885.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466753/; classtype:trojan-activity;sid:84329853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/43947647531.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466756/; classtype:trojan-activity;sid:84329856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466748)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2ec5b631-127b-4a5e-84ff-7de19674a208/downloads/daxukipavibipukoj.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466748/; classtype:trojan-activity;sid:84329848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466740)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/66a9f463-0ae0-4403-bef2-3061bb9e36ef/downloads/rate_list_of_test_in_dr.lal_pathlabs.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466740/; classtype:trojan-activity;sid:84329840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c8939508-8a93-4f90-8b11-ddca3342e83a/downloads/4803379677.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466742/; classtype:trojan-activity;sid:84329842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466738)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/gomik.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466738/; classtype:trojan-activity;sid:84329838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ef27ce0e-c911-4d37-baad-bea065e796b8/downloads/kirekafusofo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466736/; classtype:trojan-activity;sid:84329836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466732)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/wiremabodopigotaf.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466732/; classtype:trojan-activity;sid:84329832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/67856105857.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466733/; classtype:trojan-activity;sid:84329833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/af0be9d0-b995-4f2a-8f66-25f04f50db42/downloads/rubetugetafapojopodibom.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466734/; classtype:trojan-activity;sid:84329834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/3048437595.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466724/; classtype:trojan-activity;sid:84329824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466726)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/cc370600-8080-4216-8e6c-52a7f34eeccf/downloads/iso_weld_symbols_chart.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466726/; classtype:trojan-activity;sid:84329826; rev:1;)
# Reviewer note: the rules in this run are "alert http" rules, so they fire only on traffic that
# Suricata parses as HTTP. A download of the same URL over TLS is not visible to them unless the
# sensor inspects decrypted traffic.
# Every rule in this run uses the host img1.wsimg.com with a different /blobby/go/<uuid>/ path,
# which looks like shared file hosting (assumption; verify). Prefer blocking or hunting on the
# full URL over the bare host name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/47b969d8-0664-43a5-a1cb-4ec8411e9eef/downloads/powerflex_755_user_manual_espanol.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466728/; classtype:trojan-activity;sid:84329828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7539d3e4-198a-4c91-addc-38e6066bfe55/downloads/2305786492.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466729/; classtype:trojan-activity;sid:84329829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/kangwon_land_inc_annual_report.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466730/; classtype:trojan-activity;sid:84329830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4c0bdcf4-6f9c-40c3-8219-8cbbbcfb4026/downloads/wanigukanewalew.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466731/; classtype:trojan-activity;sid:84329831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/milagetuxinofu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466717/; classtype:trojan-activity;sid:84329817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7eafcf9d-33bd-4fd4-8489-654d240ab2f3/downloads/51295545026.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466719/; classtype:trojan-activity;sid:84329819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/xezumiriruko.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466720/; classtype:trojan-activity;sid:84329820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/cleavage_front_row_amy_measurements.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466721/; classtype:trojan-activity;sid:84329821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/diamond_sieve_chart.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466708/; classtype:trojan-activity;sid:84329808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/09b152c4-bf66-44a7-8224-2992cea3ed0a/downloads/sample_indian_renunciation_form.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466710/; classtype:trojan-activity;sid:84329810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/pelebesepasirokirefukew.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466711/; classtype:trojan-activity;sid:84329811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/455fd801-8453-4cfe-b6ee-1af9e2a627f6/downloads/7558215776.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466712/; classtype:trojan-activity;sid:84329812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e262bb3c-3205-4bb6-954b-f565479d59e0/downloads/50787175728.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466713/; classtype:trojan-activity;sid:84329813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/rotem_sigma_user_manual.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466706/; classtype:trojan-activity;sid:84329806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/lista_de_verbos_em_italiano.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466705/; classtype:trojan-activity;sid:84329805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a580c741-29a0-435a-a011-6aa538a5edae/downloads/25870917787.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466702/; classtype:trojan-activity;sid:84329802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/siwetofulugo.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466694/; classtype:trojan-activity;sid:84329794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0739216d-b619-42bb-83b4-7432b4331862/downloads/26798739628.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466695/; classtype:trojan-activity;sid:84329795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f36019eb-f077-446f-b5b6-39b8eacedf97/downloads/23513409250.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466696/; classtype:trojan-activity;sid:84329796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466697)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/the_long_dark_crumbling_highway_map.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466697/; classtype:trojan-activity;sid:84329797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2eabcd0a-1fbf-48aa-8399-71392232a891/downloads/92332863676.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466698/; classtype:trojan-activity;sid:84329798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4c633c3b-7c73-43a9-a161-0e7459f617b4/downloads/popajuzokovuluboz.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466682/; classtype:trojan-activity;sid:84329782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4b7c63a1-8c4d-413e-83dc-2db6954011c6/downloads/6759358871.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466684/; classtype:trojan-activity;sid:84329784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466686)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41809607-5bd4-4a52-8a62-530dfb6fcdd7/downloads/gelumoxosudasikaxo.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466686/; classtype:trojan-activity;sid:84329786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cb46680e-64d4-4308-8a44-9926381d0750/downloads/47722224691.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466687/; classtype:trojan-activity;sid:84329787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/57326063662.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466689/; classtype:trojan-activity;sid:84329789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/porebejotenojudud.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466691/; classtype:trojan-activity;sid:84329791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466681)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/72502959-bd3f-431c-9582-055fb0eb9e9d/downloads/duff_and_phelps_size_premium_2022.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466681/; classtype:trojan-activity;sid:84329781; rev:1;)
# Reviewer note: triage aid for the rules in this run. The number in msg and in the reference
# URL is the URLhaus entry id; check urlhaus.abuse.ch/url/<id>/ for the entry's current status
# before acting on a hit, since the metadata shows these entries were created on 2025_03_05 and
# the files may no longer be served.
# The rules alert on the client request only (flow:established,from_client, $HOME_NET to
# $EXTERNAL_NET); whether a file was actually delivered has to be confirmed from the HTTP
# response or from endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6ae40ccb-f0fa-4b6b-bfcc-06032a30498c/downloads/logical_thinking_worksheets_for_kindergarten.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466679/; classtype:trojan-activity;sid:84329779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/cessna_172_instrument_panel_layout.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466666/; classtype:trojan-activity;sid:84329766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/24459864622.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466667/; classtype:trojan-activity;sid:84329767; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4c0bdcf4-6f9c-40c3-8219-8cbbbcfb4026/downloads/10451479360.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466658/; classtype:trojan-activity;sid:84329758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466659)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/sap_fico_cutover_activities.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466659/; classtype:trojan-activity;sid:84329759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/98444125074.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466662/; classtype:trojan-activity;sid:84329762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/686c0a2e-9a90-4936-9f96-7d72f3c65f03/downloads/54960661120.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466663/; classtype:trojan-activity;sid:84329763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9c30937d-c8da-4e7b-9f7a-432344b46400/downloads/3262231356.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466664/; classtype:trojan-activity;sid:84329764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/livro_pesquisa_bibliografica.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466648/; classtype:trojan-activity;sid:84329748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41780010-2245-4f59-96ea-abe2bb04704f/downloads/request_letter_format_in_marathi_language.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466652/; classtype:trojan-activity;sid:84329752; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5809a244-7d90-46f4-9de4-ee86dda3a2de/downloads/evaluation_emc_6eme_devenir_collegien.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466645/; classtype:trojan-activity;sid:84329745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/dd809168-aa55-4437-9a0e-42447fbc16fd/downloads/22731947285.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466640/; classtype:trojan-activity;sid:84329740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41780010-2245-4f59-96ea-abe2bb04704f/downloads/hypothecation_cancellation_request_letter_format.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466641/; classtype:trojan-activity;sid:84329741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bd6582d9-c54a-4b0b-ad89-3fd92efb45aa/downloads/aocs_official_method_ce_1b_89.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466634/; classtype:trojan-activity;sid:84329734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pigogini.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466635/; classtype:trojan-activity;sid:84329735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ab158387-fd14-4136-be83-18d2feafd209/downloads/regonadafufosofujerijasur.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466639/; classtype:trojan-activity;sid:84329739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/xewegemodigu.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466625/; classtype:trojan-activity;sid:84329725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f9b61407-e9a0-4bfb-ac42-6ba811f07eed/downloads/daycare_reference_letter_template.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466626/; classtype:trojan-activity;sid:84329726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/displayport_1.4_spec.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466629/; classtype:trojan-activity;sid:84329729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9441f8ad-6e79-4d4a-9602-3585b1269b7e/downloads/dajagunowe.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466619/; classtype:trojan-activity;sid:84329719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/migolijidawononavez.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466622/; classtype:trojan-activity;sid:84329722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6286d8b4-6ffa-4d84-aeea-f2a9bc58a594/downloads/hotel_courtesy_call_template.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466623/; classtype:trojan-activity;sid:84329723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/48cf8ef6-fe89-47b6-9b8e-43119a3d3833/downloads/89759746182.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466617/; classtype:trojan-activity;sid:84329717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9a32841c-0d54-4ad0-8acd-a5b15c41cae1/downloads/luxutevosevuke.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466610/; classtype:trojan-activity;sid:84329710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/vamiralu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466611/; classtype:trojan-activity;sid:84329711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/bonunorovekofa.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466605/; classtype:trojan-activity;sid:84329705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/657a2269-1311-41bc-be7f-365fba299599/downloads/36407415595.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466606/; classtype:trojan-activity;sid:84329706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466607)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/82707682561.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466607/; classtype:trojan-activity;sid:84329707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a0620227-6f33-427f-8ac7-1fb80d24bd78/downloads/loxabafefomukewizirefa.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466608/; classtype:trojan-activity;sid:84329708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/metric_bolt_specification_chart.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466609/; classtype:trojan-activity;sid:84329709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6875802-d83d-45fa-a01c-dd9f30c53739/downloads/22305465780.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466597/; classtype:trojan-activity;sid:84329697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466598)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/efeaa59e-2423-41d8-b482-9a37e80979c7/downloads/ge_disconnect_switch.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466598/; classtype:trojan-activity;sid:84329698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7518eff6-349e-4445-8380-e1c43aacea7b/downloads/gemudewefedevovep.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466600/; classtype:trojan-activity;sid:84329700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41809607-5bd4-4a52-8a62-530dfb6fcdd7/downloads/tugojokuru.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466601/; classtype:trojan-activity;sid:84329701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/hadoop_notes_by_durgasoft_ramakrishna.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466602/; classtype:trojan-activity;sid:84329702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466603)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/compassionate_leave_letter_examples.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466603/; classtype:trojan-activity;sid:84329703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2294c0f6-d737-4b16-8fca-94076227dda5/downloads/garrison_carbon_monoxide_and_gas_detector_manual.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466604/; classtype:trojan-activity;sid:84329704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/kuradorug.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466593/; classtype:trojan-activity;sid:84329693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7eafcf9d-33bd-4fd4-8489-654d240ab2f3/downloads/38053692779.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466594/; classtype:trojan-activity;sid:84329694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466595)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c4240411-5b76-4ebe-95b9-c00242399cf6/downloads/26107131918.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466595/; classtype:trojan-activity;sid:84329695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/tozivagal.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466587/; classtype:trojan-activity;sid:84329687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1b026e03-5af6-461d-a832-b5e23f93b19f/downloads/rojumedevunez.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466591/; classtype:trojan-activity;sid:84329691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466585)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/nefusajoxepisajejod.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466585/; classtype:trojan-activity;sid:84329685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466581)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/tubewerapip.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466581/; classtype:trojan-activity;sid:84329681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/18645484853.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466583/; classtype:trojan-activity;sid:84329683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/50ab7773-f1d2-4be6-a8e2-1065b2477787/downloads/4850921377.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466584/; classtype:trojan-activity;sid:84329684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/basimonuje.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466567/; classtype:trojan-activity;sid:84329667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466568)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/4490da21-0774-43c2-8f10-26fe1384ffab/downloads/convention_collective_ucanss_mutatio.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466568/; classtype:trojan-activity;sid:84329668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e297ab99-26f3-4763-8aa9-4b5ba8336826/downloads/61556440139.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466571/; classtype:trojan-activity;sid:84329671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/93a7eb93-9eef-4244-8f20-7f48de1f8294/downloads/rikeleneliteta.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466572/; classtype:trojan-activity;sid:84329672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/dupibutemuxubezukexe.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466559/; classtype:trojan-activity;sid:84329659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466561)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/58f82e37-5723-4fc5-be87-1ca34da7fc9c/downloads/ladovarudugusujo.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466561/; classtype:trojan-activity;sid:84329661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/93623530863.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466562/; classtype:trojan-activity;sid:84329662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f4482b02-adbc-4511-a01d-8f5a32444a75/downloads/31982364803.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466563/; classtype:trojan-activity;sid:84329663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c29905cb-cab1-47d6-9263-d073f5bcab67/downloads/manually_update_officescan_server.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466564/; classtype:trojan-activity;sid:84329664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466565)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/meligofat.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466565/; classtype:trojan-activity;sid:84329665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/pibajusapasadasizuvabo.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466566/; classtype:trojan-activity;sid:84329666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/vuguvukopipokimukunoju.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466552/; classtype:trojan-activity;sid:84329652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/vmware_horizon_not_loading.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466553/; classtype:trojan-activity;sid:84329653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466556)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/gekepozokenaxaketojakoj.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466556/; classtype:trojan-activity;sid:84329656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/xekinozu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466557/; classtype:trojan-activity;sid:84329657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d258c0c8-b9d9-4d64-b965-01378617d9c6/downloads/tanaber.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466558/; classtype:trojan-activity;sid:84329658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/wijigezafububofelib.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466547/; classtype:trojan-activity;sid:84329647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466548)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/1a64ed17-85a2-4cee-b266-878ed957a17a/downloads/wezixipusafa.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466548/; classtype:trojan-activity;sid:84329648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6ed9a7df-8325-4b88-b206-4975011bd8d3/downloads/73303046927.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466551/; classtype:trojan-activity;sid:84329651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466542)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cdf9b72e-240a-4a41-ac28-e187be75db3e/downloads/10008295817.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466542/; classtype:trojan-activity;sid:84329642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466539)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/35017680871.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466539/; classtype:trojan-activity;sid:84329639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466534)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/b5346c1d-c474-4a92-9b4c-cbf0eee37189/downloads/jamupipenimewuroveg.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466534/; classtype:trojan-activity;sid:84329634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/697088a1-6c9a-496e-9a4d-922308cd97be/downloads/98558988287.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466524/; classtype:trojan-activity;sid:84329624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3d8c405e-d09a-43e6-b2b9-f8bbfe0e4b05/downloads/japifitakudisudupuweb.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466525/; classtype:trojan-activity;sid:84329625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b7519557-5091-4de7-b104-8e86c3953c5d/downloads/66697702965.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466527/; classtype:trojan-activity;sid:84329627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466528)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c4d8863b-da23-437d-86ed-df2351a23265/downloads/sazodaxorega.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466528/; classtype:trojan-activity;sid:84329628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/36655168913.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466512/; classtype:trojan-activity;sid:84329612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/wevularaboxurewugawe.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466513/; classtype:trojan-activity;sid:84329613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/rubizegelolulagexarunup.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466514/; classtype:trojan-activity;sid:84329614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466515)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c29905cb-cab1-47d6-9263-d073f5bcab67/downloads/pipe_fittings_surface_area_chart.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466515/; classtype:trojan-activity;sid:84329615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/ludirov.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466517/; classtype:trojan-activity;sid:84329617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c2f5ec0b-52d8-40cb-8fa6-a66f6f891fa9/downloads/64630520522.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466522/; classtype:trojan-activity;sid:84329622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/19f0e93a-8f01-4f21-8964-dcc990dea571/downloads/honeywell_dc3002_manual.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466506/; classtype:trojan-activity;sid:84329606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466507)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/30963207670.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466507/; classtype:trojan-activity;sid:84329607; rev:1;)
# NOTE(review): the rules in this run all target one host, img1.wsimg.com, and
# differ only in the URI path. Each is an exact-URL indicator: http.uri uses a
# depth matching the pattern length together with endswith, and http.host uses
# depth:14 with isdataat:!1,relative, so only the listed path on that exact
# host matches (nocase makes the path comparison case-insensitive).
# - "alert http" only inspects traffic Suricata parses as HTTP. A fetch of the
#   same URL over TLS is not seen unless it is decrypted upstream, so a lack of
#   alerts is not evidence that the URL was never requested; corroborate with
#   proxy logs when hunting.
# - The action is alert, not drop: in inline (IPS) mode these rules record the
#   request but do not stop it.
# - Presumably img1.wsimg.com is a shared hosting/CDN name (many unrelated path
#   prefixes appear under it) - confirm before blocking the hostname as a whole
#   instead of the individual URLs.
# - metadata gives created_at 2025_03_05 while the file header states the feed
#   was last updated 2026-06-02. A hit shows that a $HOME_NET host requested the
#   URL; check the entry's current status via the reference URL before
#   concluding that a payload was still being served.
# - In the rules shown here sid = URLhaus id + 80863100, which lets an alert be
#   mapped back to its urlhaus.abuse.ch/url/<id>/ entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/963d457e-5dea-4a7e-aae8-47aada2a7cc0/downloads/36202936872.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466508/; classtype:trojan-activity;sid:84329608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/738cd3ca-10f0-4f1e-865e-c0932904fbb2/downloads/28412734415.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466509/; classtype:trojan-activity;sid:84329609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/atpco_fare_filing_manual_s.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466503/; classtype:trojan-activity;sid:84329603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/gartner_magic_quadrant_ips.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466504/; classtype:trojan-activity;sid:84329604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2215a6c-0436-4d82-8033-c5d079398259/downloads/xawegifurixikinixi.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466505/; classtype:trojan-activity;sid:84329605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/nolovafitavire.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466501/; classtype:trojan-activity;sid:84329601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9f11cc6f-a645-4f71-bee4-e3848f35abf2/downloads/mojijodexiv.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466495/; classtype:trojan-activity;sid:84329595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/64114a94-94a3-4f5d-866a-beee254b955f/downloads/xipefodefanotare.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466497/; classtype:trojan-activity;sid:84329597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/gekulafemidafalijuw.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466498/; classtype:trojan-activity;sid:84329598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/types_of_lines_in_construction_drawings.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466489/; classtype:trojan-activity;sid:84329589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/psa_birth_certificate_authorization_letter.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466490/; classtype:trojan-activity;sid:84329590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/53202951-38c7-4c35-8280-6cefaf47915f/downloads/libububodanusakamarad.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466492/; classtype:trojan-activity;sid:84329592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/41202776349.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466480/; classtype:trojan-activity;sid:84329580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/dc583f51-62de-45fb-b9c6-f152dd4c2594/downloads/combining_like_terms_pyramid_worksheet_answers.pdf"; depth:108; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466481/; classtype:trojan-activity;sid:84329581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/puzenesariwalez.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466484/; classtype:trojan-activity;sid:84329584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c0eb552d-3ccf-4b3e-a340-0e3717106147/downloads/kalozarisi.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466485/; classtype:trojan-activity;sid:84329585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/wilikof.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466486/; classtype:trojan-activity;sid:84329586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466487)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/geruzirejexexani.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466487/; classtype:trojan-activity;sid:84329587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/de9d9f96-a289-4877-85d4-e6d2d4cc419c/downloads/minerva_t2000_manual.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466476/; classtype:trojan-activity;sid:84329576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/710760ab-5054-4fd2-86ee-e72953d604bd/downloads/siemens_pcs_7_full_training_manual.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466474/; classtype:trojan-activity;sid:84329574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/add57eeb-0480-4d3e-871c-79d9b8fe2772/downloads/lozataroziwukurejigax.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466462/; classtype:trojan-activity;sid:84329562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/jesafi.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466464/; classtype:trojan-activity;sid:84329564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/wofewipawo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466465/; classtype:trojan-activity;sid:84329565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/58423586845.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466468/; classtype:trojan-activity;sid:84329568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466469)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/89849145142.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466469/; classtype:trojan-activity;sid:84329569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4c26a93a-50bb-4104-895b-059e3fc9a02c/downloads/zoxinigexozojadidara.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466460/; classtype:trojan-activity;sid:84329560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/tutorialspoint_sap_pp.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466459/; classtype:trojan-activity;sid:84329559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/lafebokoz.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466449/; classtype:trojan-activity;sid:84329549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466450)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/advance_payment_request_letter_format_word.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466450/; classtype:trojan-activity;sid:84329550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466452)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0a0c7596-8583-4967-abed-67d8d1ffd610/downloads/boilermaker_drawings_and_developments.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466452/; classtype:trojan-activity;sid:84329552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8532eb1d-13c2-4756-9d41-225750b056f4/downloads/litimuwabu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466453/; classtype:trojan-activity;sid:84329553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/telcordia_sr_332_issue_4.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466444/; classtype:trojan-activity;sid:84329544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466445)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d89879dd-a0f6-4cd8-8b66-99c2d6e48b2c/downloads/stopaq_application_manual_2018.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466445/; classtype:trojan-activity;sid:84329545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3daad7b2-98c5-4dc1-b37a-5570afcba267/downloads/40472163846.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466447/; classtype:trojan-activity;sid:84329547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/89247847196.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466439/; classtype:trojan-activity;sid:84329539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d258c0c8-b9d9-4d64-b965-01378617d9c6/downloads/72993487295.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466440/; classtype:trojan-activity;sid:84329540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/de9155fa-7173-4766-94c3-9e400d4aed58/downloads/def_stan_91-91.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466441/; classtype:trojan-activity;sid:84329541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/42d6a3b4-bbc0-47ab-bf86-c3ddb806b2ed/downloads/rafadaduveputev.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466443/; classtype:trojan-activity;sid:84329543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/woleb.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466417/; classtype:trojan-activity;sid:84329517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/dururotilonid.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466418/; classtype:trojan-activity;sid:84329518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/150_dialogues_en_francais.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466419/; classtype:trojan-activity;sid:84329519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/88031585580.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466420/; classtype:trojan-activity;sid:84329520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466424)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4e8158-a082-4b1f-960e-1d82a946a72b/downloads/76239393989.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466424/; classtype:trojan-activity;sid:84329524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/51c1105d-a687-468d-b1aa-293ca9578a34/downloads/giwuroganapedokozijave.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466414/; classtype:trojan-activity;sid:84329514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/50e5aae7-a15c-4d74-a4ed-a8edfca980c4/downloads/atividades_adaptadas_de_ingles_para_deficientes_intelectuais.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466406/; classtype:trojan-activity;sid:84329506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2d664301-7b5e-474d-97a1-1305c7ece601/downloads/35905190672.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466409/; classtype:trojan-activity;sid:84329509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/804274b4-5f10-4c26-9de6-df56f38aac7c/downloads/20643132370.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466412/; classtype:trojan-activity;sid:84329512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2bb4e8cb-ec7e-44c1-a645-d94d4534f3a4/downloads/far_from_you_tess_sharpe.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466401/; classtype:trojan-activity;sid:84329501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/40331451843.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466396/; classtype:trojan-activity;sid:84329496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/71d9f42f-0bad-4406-8a48-95c698e57e68/downloads/sumitomo_f50_compressor_manual.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466397/; classtype:trojan-activity;sid:84329497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/tusosexukitut.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466398/; classtype:trojan-activity;sid:84329498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/chambre_de_tirage_telecom.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466387/; classtype:trojan-activity;sid:84329487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d45c0d9d-8581-471d-bee0-51d1b9891f05/downloads/nisisot.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466389/; classtype:trojan-activity;sid:84329489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/tojabuka.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466390/; classtype:trojan-activity;sid:84329490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/16219919996.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466391/; classtype:trojan-activity;sid:84329491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/famous_athletes_banned_for_drug_use.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466392/; classtype:trojan-activity;sid:84329492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/31075581028.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466393/; classtype:trojan-activity;sid:84329493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/table_trigonometrique_complet.pdf"; depth:91; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466394/; classtype:trojan-activity;sid:84329494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f20719e2-319c-4f10-aabc-5dffb4a98912/downloads/45233279752.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466385/; classtype:trojan-activity;sid:84329485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/10e01255-b324-4a54-ae63-f4e28a319147/downloads/how_to_make_authorization_letter_to_claim_money_in_palawan.pdf"; depth:120; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466376/; classtype:trojan-activity;sid:84329476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a69ed85-566a-4d22-8bd3-47a8a314b3bf/downloads/baropuzijavalerivotenujop.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466378/; classtype:trojan-activity;sid:84329478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4831e354-44dc-4759-9d14-0dd6cfda589f/downloads/demag_ac_350_dwg.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466366/; classtype:trojan-activity;sid:84329466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e35dded4-68df-49bc-a9b0-aad8c63628c2/downloads/polipuzikiwelines.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466371/; classtype:trojan-activity;sid:84329471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/jakirezimukixinirivuvizuw.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466372/; classtype:trojan-activity;sid:84329472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c4bf44b4-a39c-49f8-89f5-4b487ef61751/downloads/safety_precautions_during_rainy_season_ppt.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466373/; classtype:trojan-activity;sid:84329473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/gasanon.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466358/; classtype:trojan-activity;sid:84329458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/87218120165.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466359/; classtype:trojan-activity;sid:84329459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6c9fdcec-b167-4620-b064-54b8917c32b8/downloads/57211354597.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466364/; classtype:trojan-activity;sid:84329464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9927c1c5-c61c-4f5e-807e-67bd1833b3e4/downloads/2687436544.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466355/; classtype:trojan-activity;sid:84329455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4454ad30-3f6f-488a-b5e6-19e7bcca2146/downloads/duzinijilufixikedaluw.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466353/; classtype:trojan-activity;sid:84329453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/47a03532-4838-4d3f-b185-a29c87fa882c/downloads/24511080679.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466340/; classtype:trojan-activity;sid:84329440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/35512569741.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466341/; classtype:trojan-activity;sid:84329441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/fiselarodinolapin.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466344/; classtype:trojan-activity;sid:84329444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/fonuferin.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466348/; classtype:trojan-activity;sid:84329448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/59681288373.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466349/; classtype:trojan-activity;sid:84329449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9db526fb-d62a-447a-9766-8665158ad47a/downloads/skf_linear_bearing_catalogue.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466350/; classtype:trojan-activity;sid:84329450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/45838770375.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466351/; classtype:trojan-activity;sid:84329451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466336)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98a1791f-f3a9-4ef2-ac34-41b3393c3d1d/downloads/original_documents_handover_letter_format.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466336/; classtype:trojan-activity;sid:84329436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466337)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/60272662631.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466337/; classtype:trojan-activity;sid:84329437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aa44ab49-4d64-4d64-8bfd-2dfce545052f/downloads/limitations_act_2004_nigeria.pdf"; depth:90; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466338/; classtype:trojan-activity;sid:84329438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466331)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/72cc53f9-3bf4-447c-963a-353f48ad8500/downloads/puwutokok.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466331/; classtype:trojan-activity;sid:84329431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2224247e-29ce-4f8d-b838-abfcbdf269c0/downloads/emdr_cognitive_interweaves.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466333/; classtype:trojan-activity;sid:84329433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/15715958975.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466325/; classtype:trojan-activity;sid:84329425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466326)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/sanugesijeviwo.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466326/; classtype:trojan-activity;sid:84329426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f36019eb-f077-446f-b5b6-39b8eacedf97/downloads/22914289512.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466316/; classtype:trojan-activity;sid:84329416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f842cd9f-c67c-4749-ba01-22d7c1ea502c/downloads/93070455772.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466317/; classtype:trojan-activity;sid:84329417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466319)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/61240910211.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466319/; classtype:trojan-activity;sid:84329419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466321)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/800cff82-04ba-4c47-9f8b-d21367acb04d/downloads/84098559127.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466321/; classtype:trojan-activity;sid:84329421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kaxajopisojurivo.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466322/; classtype:trojan-activity;sid:84329422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/424b0398-579a-4717-a17a-ffb972bf5819/downloads/manual_ppap_4_edicao.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466313/; classtype:trojan-activity;sid:84329413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b2a026b5-555a-437c-867f-3969f62b48d7/downloads/3703775959.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466314/; classtype:trojan-activity;sid:84329414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466307)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/lord_of_the_flies_script.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466307/; classtype:trojan-activity;sid:84329407; rev:1;)
# Triage notes for the rules that follow:
#  - They use flow:established,from_client and inspect request buffers only
#    (http.method, http.uri, http.host). An alert therefore means a client in
#    $HOME_NET requested the listed URL; it does not show what the server
#    returned. Confirm from HTTP logs or a file-extraction record whether a
#    payload was actually delivered.
#  - NOTE(review): the many distinct /blobby/go/<uuid>/ paths on one hostname
#    in this list suggest img1.wsimg.com is a shared file host - verify before
#    turning a hit into a hostname-wide block, since the URI path, not the
#    host, is what identifies the reported object.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466304)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/depo_provera_osteoporosis_guidelines.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466304/; classtype:trojan-activity;sid:84329404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/397fbc33-145f-44ec-a774-e1fa1b866d82/downloads/fekesijurada.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466301/; classtype:trojan-activity;sid:84329401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466293)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1e222df8-d197-4254-b90b-be3d3b023ef4/downloads/78299826683.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466293/; classtype:trojan-activity;sid:84329393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466294)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/bc2da57a-5cad-4b1e-b658-8efa7e30bee5/downloads/como_transferir_saldo_de_dados_unitel.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466294/; classtype:trojan-activity;sid:84329394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466283)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/billetes_didacticos_mexicanos_para_imprimir.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466283/; classtype:trojan-activity;sid:84329383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466284)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/xutodorimalibavexididoson.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466284/; classtype:trojan-activity;sid:84329384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/vatalikuxigepiwu.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466285/; classtype:trojan-activity;sid:84329385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466286)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/2fda8269-9b7e-4008-b093-ed7dc0bde9d7/downloads/zinivegosejuriwevagowu.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466286/; classtype:trojan-activity;sid:84329386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9c30937d-c8da-4e7b-9f7a-432344b46400/downloads/jubomumifekomu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466291/; classtype:trojan-activity;sid:84329391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aa25c895-a966-4265-aeb1-bc094284554e/downloads/jifig.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466279/; classtype:trojan-activity;sid:84329379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/90378982159.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466280/; classtype:trojan-activity;sid:84329380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466268)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/46578941429.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466268/; classtype:trojan-activity;sid:84329368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466269)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/elenco_corsi_vam_viterbo.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466269/; classtype:trojan-activity;sid:84329369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/17714436684.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466259/; classtype:trojan-activity;sid:84329359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466260)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/planet_fitness_membership_cancellation_letter.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466260/; classtype:trojan-activity;sid:84329360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466261)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/af067739-2dfe-40f3-ae00-a758e587d7d3/downloads/61105974714.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466261/; classtype:trojan-activity;sid:84329361; rev:1;)
# NOTE(review): the rules in this stretch all carry
# metadata:created_at 2025_03_05 and rev:1, while the file header gives
# 2026-06-02 as the ruleset's last update. The rule text does not record
# whether the URL is still being served; the reference:url entry in each rule
# is the place to check the current status before treating a hit as a live
# delivery rather than a request for a stale link.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466266)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/933c3405-1572-4648-b39e-d98567eb5bee/downloads/for_your_kind_perusal_and_necessary_action_meaning.pdf"; depth:112; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466266/; classtype:trojan-activity;sid:84329366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/119d5b03-e78f-4725-87b7-ed496b267f6d/downloads/scrubber_design_calculation_excel.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466267/; classtype:trojan-activity;sid:84329367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6787db73-833d-4393-867e-1b786eb5e101/downloads/60859753638.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466249/; classtype:trojan-activity;sid:84329349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466252)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/62a7895e-5f81-4049-920b-e70e38d29e37/downloads/why_is_annexure_d_required_for_minor_passport.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466252/; classtype:trojan-activity;sid:84329352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/574284889.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466253/; classtype:trojan-activity;sid:84329353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9e5b6b40-f934-4273-a65f-cbaee9aa4b00/downloads/xikapataxofako.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466254/; classtype:trojan-activity;sid:84329354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466256)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2470d53e-fef7-4646-9c8b-919894e66d18/downloads/72646482584.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466256/; classtype:trojan-activity;sid:84329356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466257)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/8c16f145-4fc0-4af7-a4db-de4acd818fe4/downloads/46429707192.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466257/; classtype:trojan-activity;sid:84329357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466245)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7153ec40-cd7f-411a-a08b-66d173a33455/downloads/standards_australia_handbook_197.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466245/; classtype:trojan-activity;sid:84329345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/55745505506.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466247/; classtype:trojan-activity;sid:84329347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/43311556781.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466241/; classtype:trojan-activity;sid:84329341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466244)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/80691091889.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466244/; classtype:trojan-activity;sid:84329344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/sewuxazomuwara.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466238/; classtype:trojan-activity;sid:84329338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ce549e8-3051-428a-a71b-b48f204ac3cd/downloads/rapid_router_level_43_solution.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466231/; classtype:trojan-activity;sid:84329331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0620bed2-a9d8-4f06-ab8c-173ea1a60a70/downloads/jijegarazomimubusawogam.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466232/; classtype:trojan-activity;sid:84329332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466233)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/matunekuv.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466233/; classtype:trojan-activity;sid:84329333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466230)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/53202951-38c7-4c35-8280-6cefaf47915f/downloads/statsafe_3000_msds.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466230/; classtype:trojan-activity;sid:84329330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/82647770508.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466221/; classtype:trojan-activity;sid:84329321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ee3e2894-0337-41f6-9371-caecf7034a22/downloads/26991821255.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466222/; classtype:trojan-activity;sid:84329322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466226)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/gesuzodekutiz.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466226/; classtype:trojan-activity;sid:84329326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466227)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62a7895e-5f81-4049-920b-e70e38d29e37/downloads/how_to_register_in_upstox.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466227/; classtype:trojan-activity;sid:84329327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/exercises_for_trigger_thumb.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466228/; classtype:trojan-activity;sid:84329328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466229)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/132d13c5-3f89-41bf-85b4-d1a24ddcf61c/downloads/nosiwevixina.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466229/; classtype:trojan-activity;sid:84329329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466215)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/a56a106f-21b9-46c2-b5bc-12461919334c/downloads/vurarufa.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466215/; classtype:trojan-activity;sid:84329315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466217)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/how_to_get_a_wire_transfer_receipt_chase.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466217/; classtype:trojan-activity;sid:84329317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/3175972790.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466219/; classtype:trojan-activity;sid:84329319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62128af0-82d0-4bae-b967-d393a4304003/downloads/apex_sl_vibration_controller_manual.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466213/; classtype:trojan-activity;sid:84329313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466214)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/nakozixuwelafi.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466214/; classtype:trojan-activity;sid:84329314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/mobesapovasag.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466205/; classtype:trojan-activity;sid:84329305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466206)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fae029f6-27b1-4578-94bc-ae0bbaeebde4/downloads/imperial_vernier_caliper_worksheet.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466206/; classtype:trojan-activity;sid:84329306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e2ab423c-1813-4cd0-becb-6a8adbf01641/downloads/ribafimimeriledok.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466207/; classtype:trojan-activity;sid:84329307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466209)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/91a706e9-d066-47d7-89af-69535d865c3d/downloads/carteirinha_de_estudante_falsa_em.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466209/; classtype:trojan-activity;sid:84329309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/80e9e7c7-d97b-4b5a-96c4-9a83854a3065/downloads/35740879646.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466196/; classtype:trojan-activity;sid:84329296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2d42ffe-779b-4107-ac42-7f36375aab37/downloads/zeneliginuboripiriza.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466201/; classtype:trojan-activity;sid:84329301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6bb5c8cf-e89d-49c0-aeeb-7278d39f6b32/downloads/fiche_grcf_bts_gpme.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466202/; classtype:trojan-activity;sid:84329302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466193)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/77724997403.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466193/; classtype:trojan-activity;sid:84329293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/xinunivigaxelifujukedo.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466181/; classtype:trojan-activity;sid:84329281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/pidipaxiworoguvosifap.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466182/; classtype:trojan-activity;sid:84329282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/rent_receipt_format_in_ms_word.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466183/; classtype:trojan-activity;sid:84329283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466184)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/nipipuk.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466184/; classtype:trojan-activity;sid:84329284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c0325f5e-ab4f-48af-8631-8757a310624e/downloads/57390845107.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466186/; classtype:trojan-activity;sid:84329286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/45659404876.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466187/; classtype:trojan-activity;sid:84329287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/80200009732.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466189/; classtype:trojan-activity;sid:84329289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466190)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/3a657e0c-a872-4028-94b8-811aea249c49/downloads/shl_general_ability_test_answers_reddit.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466190/; classtype:trojan-activity;sid:84329290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06823f9b-45c4-43cb-a44f-1f9f645cebcf/downloads/32406777299.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466175/; classtype:trojan-activity;sid:84329275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/7694747911.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466177/; classtype:trojan-activity;sid:84329277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466178)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/danokubiwen.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466178/; classtype:trojan-activity;sid:84329278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466179)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/62128af0-82d0-4bae-b967-d393a4304003/downloads/xibuvajuxaluvotom.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466179/; classtype:trojan-activity;sid:84329279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466180)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0a0c7596-8583-4967-abed-67d8d1ffd610/downloads/8393439781.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466180/; classtype:trojan-activity;sid:84329280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/redoripedigi.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466170/; classtype:trojan-activity;sid:84329270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/how_to_cancel_print_job_on_zebra_gk420d.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466172/; classtype:trojan-activity;sid:84329272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466169)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/b83dcfc0-bbe6-4498-b356-e365ec2ed396/downloads/zofafiba.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466169/; classtype:trojan-activity;sid:84329269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a37e9011-77af-43eb-9e7b-dd6853450512/downloads/les_jours_de_la_semaine_exercices.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466161/; classtype:trojan-activity;sid:84329261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/90213521835.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466162/; classtype:trojan-activity;sid:84329262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/28725733968.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466154/; classtype:trojan-activity;sid:84329254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466149)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/f7aa15cc-b2d1-4fef-8a47-8d7810090a9c/downloads/jenuwegipujodunoj.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466149/; classtype:trojan-activity;sid:84329249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/dowuvibatekijutajuvavu.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466151/; classtype:trojan-activity;sid:84329251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/14196656823.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466152/; classtype:trojan-activity;sid:84329252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466153)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/44a9091e-2134-47ec-8037-250483142ad3/downloads/kenmore_elite_665.12783_k311_service_manual.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466153/; classtype:trojan-activity;sid:84329253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466144)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/bd6582d9-c54a-4b0b-ad89-3fd92efb45aa/downloads/50362295282.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466144/; classtype:trojan-activity;sid:84329244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/navy_uic_code_list.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466145/; classtype:trojan-activity;sid:84329245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9f2acd38-413e-47a5-ac42-d6305581bfab/downloads/logerafanekox.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466147/; classtype:trojan-activity;sid:84329247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/zakojamoderuvovu.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466140/; classtype:trojan-activity;sid:84329240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466133)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/b2a026b5-555a-437c-867f-3969f62b48d7/downloads/successfactors_recruiting_implementation_guide.pdf"; depth:108; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466133/; classtype:trojan-activity;sid:84329233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/97474238027.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466134/; classtype:trojan-activity;sid:84329234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/lebuk.pdf"; depth:67; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466138/; classtype:trojan-activity;sid:84329238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466128)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kumujadirifokekikivexe.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466128/; classtype:trojan-activity;sid:84329228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466130)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/2818265442.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466130/; classtype:trojan-activity;sid:84329230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e262bb3c-3205-4bb6-954b-f565479d59e0/downloads/examenes_psicometricos_pruebas_psicometricas_gratis_para_imp.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466132/; classtype:trojan-activity;sid:84329232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466122)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4252a31f-7a57-4ac8-a31e-ee71b2361194/downloads/61162239689.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466122/; classtype:trojan-activity;sid:84329222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/43b3ecff-25d4-4371-99a8-6df485cf4fd5/downloads/amoeba_sisters_classification_worksheet.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466125/; classtype:trojan-activity;sid:84329225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466115)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/fundamentals_of_power_supply_design_book.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466115/; classtype:trojan-activity;sid:84329215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/her_yonuyle_modern_almanca_dursun_zengin.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466116/; classtype:trojan-activity;sid:84329216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/15938565950.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466117/; classtype:trojan-activity;sid:84329217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d5271715-d4c2-447f-bd8c-804dbc17722c/downloads/experience_certificate_format_for_quality_control_engineer.pdf"; depth:120; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466107/; classtype:trojan-activity;sid:84329207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3466110)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/courier_declaration_format.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466110/; classtype:trojan-activity;sid:84329210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466104)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/ruripumefenezalizaf.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466104/; classtype:trojan-activity;sid:84329204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466101)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/32a18e69-8d9d-488c-b50f-45023ca24343/downloads/87353354077.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466101/; classtype:trojan-activity;sid:84329201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0919b7e4-2541-44dd-b945-9d5e6d22eaf1/downloads/xibegakibojonabawaz.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466100/; classtype:trojan-activity;sid:84329200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466083)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/doxuwiponubagexotabos.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466083/; classtype:trojan-activity;sid:84329183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/gomanelakog.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466085/; classtype:trojan-activity;sid:84329185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/nx_nastran_element_library_reference_manual.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466089/; classtype:trojan-activity;sid:84329189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466074)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/collibra_expert_i_certification_answers_sheet_download_2017.pdf"; depth:121; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466074/; classtype:trojan-activity;sid:84329174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3466075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4ec11559-69c0-4903-84a6-3240babfcfe7/downloads/lapagikevipewijumodoru.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466075/; classtype:trojan-activity;sid:84329175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1bfc168f-d0df-43cb-a73e-d0c80e42fe5c/downloads/formulaire_virement_international_banque_postale.pdf"; depth:110; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466076/; classtype:trojan-activity;sid:84329176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1feaf4a2-3a85-48bd-b975-ab8d5bcee640/downloads/30816276176.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466079/; classtype:trojan-activity;sid:84329179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f0d27cad-ce96-47a4-a6b6-d00149677212/downloads/87562723190.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466073/; classtype:trojan-activity;sid:84329173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3466066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/swot_analysis_for_poultry_farming.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466066/; classtype:trojan-activity;sid:84329166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/bosokoxa.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466067/; classtype:trojan-activity;sid:84329167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/14962502915.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466065/; classtype:trojan-activity;sid:84329165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/42589334771.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466060/; classtype:trojan-activity;sid:84329160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466054)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/banksman_hand_signals.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466054/; classtype:trojan-activity;sid:84329154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6cdacb6d-7fbf-4d09-a986-56cdfa4edeb2/downloads/5985868832.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466055/; classtype:trojan-activity;sid:84329155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/99737319160.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466058/; classtype:trojan-activity;sid:84329158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/testing_and_commissioning_of_electrical_equipment.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466047/; classtype:trojan-activity;sid:84329147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466048)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/1ffc09a0-c9a4-4762-8145-43798f2fda71/downloads/back_to_work_from_maternity_leave_email.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466048/; classtype:trojan-activity;sid:84329148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/xepaxijaniwitofoxipoja.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466049/; classtype:trojan-activity;sid:84329149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/de43da9e-bc77-4e56-a909-0e72ba746cf9/downloads/electricity_bill_name_change_noc_format.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466051/; classtype:trojan-activity;sid:84329151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2ad58263-1b5c-4da7-bc4a-7b8f99e22218/downloads/formulaire_ordre_de_virement_banque_postale.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466052/; classtype:trojan-activity;sid:84329152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3466053)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/76135669664.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466053/; classtype:trojan-activity;sid:84329153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/23ec0b56-0ae7-4e41-8565-08e517b0b386/downloads/gatamalepuberik.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466039/; classtype:trojan-activity;sid:84329139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/97106569323.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466040/; classtype:trojan-activity;sid:84329140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466041)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3e3d230e-4918-4f4b-8a10-8ee933aabcaf/downloads/99772344048.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466041/; classtype:trojan-activity;sid:84329141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466037)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/88933df5-ca10-43b5-b140-6aa02868b89c/downloads/wapurexep.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466037/; classtype:trojan-activity;sid:84329137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466032)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/19668bf7-0111-4cbb-8050-06562ac08bba/downloads/steps_to_create_template_instance_in_tosca.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466032/; classtype:trojan-activity;sid:84329132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/bidoxefemoduxunirez.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466033/; classtype:trojan-activity;sid:84329133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/job_work_challan_format_in_excel.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466027/; classtype:trojan-activity;sid:84329127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466015)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/resignation_letter_template_family_reasons.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466015/; classtype:trojan-activity;sid:84329115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8c16f145-4fc0-4af7-a4db-de4acd818fe4/downloads/14431999044.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466016/; classtype:trojan-activity;sid:84329116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/minupawuferogu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466018/; classtype:trojan-activity;sid:84329118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b071d266-376f-40c9-bb70-11ca77d8051b/downloads/36008974689.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466020/; classtype:trojan-activity;sid:84329120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466022)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/424b0398-579a-4717-a17a-ffb972bf5819/downloads/audit_professional_clearance_letter_template.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466022/; classtype:trojan-activity;sid:84329122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/30072850819.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466023/; classtype:trojan-activity;sid:84329123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/990799bc-d23a-46ce-a09a-3161937bf907/downloads/75213021290.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466024/; classtype:trojan-activity;sid:84329124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/363b8b8c-bdd6-4ad7-ac6c-ba65cd60171b/downloads/abaqus_user_subroutine_reference_guide.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466011/; classtype:trojan-activity;sid:84329111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466014)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/85845004614.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466014/; classtype:trojan-activity;sid:84329114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/genuwafazapibiwinowafal.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466005/; classtype:trojan-activity;sid:84329105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/20322886839.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466006/; classtype:trojan-activity;sid:84329106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/gagibipawuzepakan.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466008/; classtype:trojan-activity;sid:84329108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466002)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/sample_authorization_letter_to_get_psa_marriage_certificate.pdf"; depth:121; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466002/; classtype:trojan-activity;sid:84329102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/8517821794.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465993/; classtype:trojan-activity;sid:84329093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/padanad.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465994/; classtype:trojan-activity;sid:84329094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9971747c-d991-46ae-b932-5ba73958e604/downloads/fojajexuretimototatoles.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465995/; classtype:trojan-activity;sid:84329095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465996)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/mosodekasaxozebopajebibe.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465996/; classtype:trojan-activity;sid:84329096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3466000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f65856df-6ee2-426f-901a-fbcb5106e767/downloads/22057173676.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3466000/; classtype:trojan-activity;sid:84329100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465984)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/butterfly_roof_construction_detail.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465984/; classtype:trojan-activity;sid:84329084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7ebcf742-ccb2-4edb-bbc1-6f67ead5b604/downloads/baxejatoxenidomixidedax.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465985/; classtype:trojan-activity;sid:84329085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465986)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/17465496427.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465986/; classtype:trojan-activity;sid:84329086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465989)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/zabefenakozevopesomewazi.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465989/; classtype:trojan-activity;sid:84329089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/48283c5b-b198-4860-9bf9-7f30a2f8146b/downloads/zoromipubadijivonexon.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465990/; classtype:trojan-activity;sid:84329090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8df58291-e0db-425a-9cda-a9882386ada6/downloads/jaladimurefasetuzukiwaxit.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465991/; classtype:trojan-activity;sid:84329091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465980)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/0d21a9d5-01df-4a9e-9327-883996b2f71d/downloads/ansi_electrical_symbols_standards.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465980/; classtype:trojan-activity;sid:84329080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a435afa7-bc93-481f-8a35-ce503cc8a972/downloads/sri_rudram_namakam_chamakam_tamil.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465974/; classtype:trojan-activity;sid:84329074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/tumiwujuluxuwaxi.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465975/; classtype:trojan-activity;sid:84329075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/denutetoraditut.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465977/; classtype:trojan-activity;sid:84329077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465961)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/9569c183-65dc-4f14-a45e-e7944584cb65/downloads/bifidetogatovotuwideki.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465961/; classtype:trojan-activity;sid:84329061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/baroque_guitar_tab.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465962/; classtype:trojan-activity;sid:84329062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7f34267e-2563-449a-82e3-60f19988c45d/downloads/lic_jeevan_saral_plan_165_chart.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465963/; classtype:trojan-activity;sid:84329063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d551812a-3c47-48f1-bc1d-3ac42c3f246c/downloads/rigumudusogepivana.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465968/; classtype:trojan-activity;sid:84329068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465969)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/5528845131.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465969/; classtype:trojan-activity;sid:84329069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/34a417cb-7930-4ae3-8428-8420716ba08a/downloads/74129229699.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465971/; classtype:trojan-activity;sid:84329071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/cancionero_catolico_jesed.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465972/; classtype:trojan-activity;sid:84329072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a3b63b5-3e6a-48ac-8e49-14ed0037cbc4/downloads/historietas_del_medio_ambiente_largas.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465957/; classtype:trojan-activity;sid:84329057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465955)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/62049175170.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465955/; classtype:trojan-activity;sid:84329055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465951)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/maxabamuxixotabevifutiw.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465951/; classtype:trojan-activity;sid:84329051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/downgrade_oracle_database_from_19c_to_11g.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465953/; classtype:trojan-activity;sid:84329053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ba9b549d-a804-4d13-a818-3c55b3524acd/downloads/75189909272.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465942/; classtype:trojan-activity;sid:84329042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465945)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/individual_development_plan_powerpoint_template.pdf"; depth:109; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465945/; classtype:trojan-activity;sid:84329045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/64954946228.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465946/; classtype:trojan-activity;sid:84329046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/bapozujipo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465939/; classtype:trojan-activity;sid:84329039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4872c6d8-aa46-4e32-b809-43d741337793/downloads/74841624584.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465931/; classtype:trojan-activity;sid:84329031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465932)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/3a90d4c9-f215-49ec-8178-8e50febf5250/downloads/tedutogonisijetinikiw.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465932/; classtype:trojan-activity;sid:84329032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/wipofuta.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465933/; classtype:trojan-activity;sid:84329033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4cb1e8a7-0f1a-4c3a-ae4d-65ac09f78b80/downloads/fenekipejivatoxeni.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465935/; classtype:trojan-activity;sid:84329035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465937)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/445dfc81-a427-4468-a541-314294ee0cbb/downloads/wolarodipuxusisug.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465937/; classtype:trojan-activity;sid:84329037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465938)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/c3be0091-4534-4191-a72e-570acc745d3e/downloads/attestation_de_prise_en_charge_tlscontact.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465938/; classtype:trojan-activity;sid:84329038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fa4295b9-8c98-4187-bbf8-91c9d7ce5f9e/downloads/89606848887.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465924/; classtype:trojan-activity;sid:84329024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465926)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/44d0963d-ba71-4620-abdb-e3c6631b392b/downloads/balance_confirmation_letter_format_in_word.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465926/; classtype:trojan-activity;sid:84329026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/rollo_tomassi_the_rational_male_turkce.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465912/; classtype:trojan-activity;sid:84329012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465915)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/86917927693.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465915/; classtype:trojan-activity;sid:84329015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/methodologie_du_commentaire_compose_francais.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465916/; classtype:trojan-activity;sid:84329016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5f03ee03-a319-4a1e-a052-a99710c59365/downloads/bujulodipesotixugakujup.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465910/; classtype:trojan-activity;sid:84329010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/hsbc_bank_statement.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465906/; classtype:trojan-activity;sid:84329006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465909)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/94e1955e-c7d2-4e11-a6ac-7a5ec652d6cd/downloads/suzuki_dt4_owners_manual.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465909/; classtype:trojan-activity;sid:84329009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/8f5eeb54-04ec-4a30-bb55-41e413d1f3ed/downloads/open_pit_mine_planning_and_design.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465903/; classtype:trojan-activity;sid:84329003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ceb9a026-f6c4-4e26-a968-d8e0e8d06aaa/downloads/tevedowopalugafaxoro.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465904/; classtype:trojan-activity;sid:84329004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465905)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/adb32098-1c7a-4519-9e53-ced990fc5d88/downloads/kuniwuzujujurejovewo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465905/; classtype:trojan-activity;sid:84329005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465897)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/6ab86f22-a419-4e4f-91d4-5a654823f744/downloads/pamolitix.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465897/; classtype:trojan-activity;sid:84328997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/697088a1-6c9a-496e-9a4d-922308cd97be/downloads/42508658220.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465898/; classtype:trojan-activity;sid:84328998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/sotax_at_xtend_user_manual.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465885/; classtype:trojan-activity;sid:84328985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5d8bfe2e-b91e-431f-9bdc-3f0ea97e388e/downloads/wovivesapo.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465886/; classtype:trojan-activity;sid:84328986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465888)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/06792788-ebeb-4570-893a-70dafae2a105/downloads/sample_consent_letter_from_husband_for_wife_to_travel.pdf"; depth:115; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465888/; classtype:trojan-activity;sid:84328988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465889)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/formulaire_renouvellement_titre_de_sejour_yvelines.pdf"; depth:112; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465889/; classtype:trojan-activity;sid:84328989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/71d9f42f-0bad-4406-8a48-95c698e57e68/downloads/98599689697.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465891/; classtype:trojan-activity;sid:84328991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/92007305293.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465892/; classtype:trojan-activity;sid:84328992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465893)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/d07e2353-3643-42fe-ba11-ffa772b1a28d/downloads/duff_phelps_size_premium.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465893/; classtype:trojan-activity;sid:84328993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9213334f-b8c6-41b2-903d-dc8cc5791a0a/downloads/49429599069.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465881/; classtype:trojan-activity;sid:84328981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/22187922858.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465882/; classtype:trojan-activity;sid:84328982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d5e97205-d745-471d-94c2-4bc94f943a29/downloads/nafexasu.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465876/; classtype:trojan-activity;sid:84328976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465878)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/99401481523.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465878/; classtype:trojan-activity;sid:84328978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/harry_potter_ea_camara_secreta_ilustrado.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465879/; classtype:trojan-activity;sid:84328979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/34103705134.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465871/; classtype:trojan-activity;sid:84328971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465872)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9a32841c-0d54-4ad0-8acd-a5b15c41cae1/downloads/nagpur_metro_phase_2_dpr.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465872/; classtype:trojan-activity;sid:84328972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465873)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/99406712648.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465873/; classtype:trojan-activity;sid:84328973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/96d7062c-715f-4c9e-82c2-ac322bf04d1a/downloads/fawafep.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465874/; classtype:trojan-activity;sid:84328974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/renamotoxuxesike.pdf"; depth:78; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465865/; classtype:trojan-activity;sid:84328965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465866)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/wixutazavadupiruzani.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465866/; classtype:trojan-activity;sid:84328966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465864)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/vixodamev.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465864/; classtype:trojan-activity;sid:84328964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465857)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/citrix_adc_vpx_datasheet.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465857/; classtype:trojan-activity;sid:84328957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cac64821-2205-4248-abd9-55e775312c94/downloads/rosigamosusen.pdf"; depth:75; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465847/; classtype:trojan-activity;sid:84328947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465848)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/fosofiboma.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465848/; classtype:trojan-activity;sid:84328948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465850)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/600b6853-9b14-40c4-b9d1-c0a10f9ad1eb/downloads/mathematics_core_topics_sl.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465850/; classtype:trojan-activity;sid:84328950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/6e0acf5f-e652-447e-8a3a-90dcb81c48ee/downloads/loan_cancellation_letter.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465843/; classtype:trojan-activity;sid:84328943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465845)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/zalekebi.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465845/; classtype:trojan-activity;sid:84328945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465835)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/one_of_us_is_lying_character_quotes.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465835/; classtype:trojan-activity;sid:84328935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465826)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/58b13a51-176b-4b7e-ab1e-a0c84e7a5487/downloads/currency_market_mechanics_bmc_answers.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465826/; classtype:trojan-activity;sid:84328926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/018aefd4-3541-4598-a5c3-d0911ca60a82/downloads/asce_7-05_espanol_gratis.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465827/; classtype:trojan-activity;sid:84328927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/06a2cc2e-f4bb-4ca4-a0d9-71e2fc8b7812/downloads/molaxoxekex.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465829/; classtype:trojan-activity;sid:84328929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465830)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/iata_airport_handling_manual_2019_full.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465830/; classtype:trojan-activity;sid:84328930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465831)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/c1bf3ae2-f6cc-4078-b639-2ff1ca0b62be/downloads/1172286111.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465831/; classtype:trojan-activity;sid:84328931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/euchre_score_sheets_for_16_players.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465832/; classtype:trojan-activity;sid:84328932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/dungeon_crawl_classics.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465820/; classtype:trojan-activity;sid:84328920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465804)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/bb45e14d-29c5-4287-b67f-843105f3b091/downloads/69904656893.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465804/; classtype:trojan-activity;sid:84328904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465806)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/emmaus_walk_letters_of_encouragement.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465806/; classtype:trojan-activity;sid:84328906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fc635392-61de-40bc-86f0-c9844fcf30fd/downloads/gramatica_portugues_brasil.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465809/; classtype:trojan-activity;sid:84328909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/647bfca3-c5f6-48a0-9ec3-35afde17c6e3/downloads/gamokul.pdf"; depth:69; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465814/; classtype:trojan-activity;sid:84328914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fa284320-69aa-45db-92e2-86468d4beaf0/downloads/53174458267.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465815/; classtype:trojan-activity;sid:84328915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465795)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/72502959-bd3f-431c-9582-055fb0eb9e9d/downloads/nike_employee_benefits.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465795/; classtype:trojan-activity;sid:84328895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/047c717c-7bd8-4cec-b09f-8a9648ff740c/downloads/97767745983.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465798/; classtype:trojan-activity;sid:84328898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/country_of_origin_letter_template.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465799/; classtype:trojan-activity;sid:84328899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/39834772333.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465802/; classtype:trojan-activity;sid:84328902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465790)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/rofaruzev.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465790/; classtype:trojan-activity;sid:84328890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3c8f7a45-f68c-4369-8f63-be6429599400/downloads/butulanimirovubeve.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465785/; classtype:trojan-activity;sid:84328885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d1335ae9-6401-4997-a89d-ffce5d766eb7/downloads/44332900662.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465787/; classtype:trojan-activity;sid:84328887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6f72d87-e560-495a-a5bd-684e976b53e4/downloads/nagano_keiki_km10.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465779/; classtype:trojan-activity;sid:84328879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465781)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/76488986948.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465781/; classtype:trojan-activity;sid:84328881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/72445144906.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465772/; classtype:trojan-activity;sid:84328872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0e65d320-97ed-47cb-9ca0-bcd7400824c9/downloads/wrightbus_streetlite_manual.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465773/; classtype:trojan-activity;sid:84328873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5a9e93e0-0f17-4e5e-a00c-88e3958ec770/downloads/waste_management_in_dubai.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465776/; classtype:trojan-activity;sid:84328876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465777)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/chevening_scholarship_reference_letter_sample.pdf"; depth:107; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465777/; classtype:trojan-activity;sid:84328877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/14409296375.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465778/; classtype:trojan-activity;sid:84328878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465766)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d128fcda-7fcc-4d89-85b3-e79c54d4414e/downloads/unit_conversion_practice_problems.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465766/; classtype:trojan-activity;sid:84328866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/c7a293a1-0904-42a6-9de6-afc19e585d66/downloads/11197801286.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465768/; classtype:trojan-activity;sid:84328868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465769)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/50ab7773-f1d2-4be6-a8e2-1065b2477787/downloads/41229957036.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465769/; classtype:trojan-activity;sid:84328869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/950f7924-fa6b-44be-bda3-22eaf526f43f/downloads/konujidav.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465771/; classtype:trojan-activity;sid:84328871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/burijuterapudupelirebi.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465760/; classtype:trojan-activity;sid:84328860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/acb19439-02ad-48ae-a6e4-8c3bfce04694/downloads/32470708569.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465762/; classtype:trojan-activity;sid:84328862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465763)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/xikesoxabafubuwepof.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465763/; classtype:trojan-activity;sid:84328863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/2251478862.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465764/; classtype:trojan-activity;sid:84328864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9d0d7648-4006-4e9a-bf4e-cd4f5c534844/downloads/socomec_ups_service_manual.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465765/; classtype:trojan-activity;sid:84328865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/6098867423.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465757/; classtype:trojan-activity;sid:84328857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465758)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/2b383d2d-2b5a-4b4f-949f-124c21f71183/downloads/how_to_write_an_introduction_letter_to_an_embassy.pdf"; depth:111; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465758/; classtype:trojan-activity;sid:84328858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/183feb73-c001-4172-a9c4-8aedcbb9c085/downloads/nosasasoxanuxoxazefuz.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465747/; classtype:trojan-activity;sid:84328847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/gibekewelodi.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465749/; classtype:trojan-activity;sid:84328849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/16395777837.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465752/; classtype:trojan-activity;sid:84328852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465739)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/a0b0ee5f-47ab-407d-8f2e-b86a71eb1b80/downloads/cerere_demisie_fara_preaviz.pdf"; depth:89; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465739/; classtype:trojan-activity;sid:84328839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/0fde6049-38a2-402e-8604-5a56fc977486/downloads/request_letter_for_construction_bond_refund.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465740/; classtype:trojan-activity;sid:84328840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cdd5ea6e-1f6b-4417-9fad-928f6d1c8a68/downloads/50_verbes_irreguliers_en_anglais.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465741/; classtype:trojan-activity;sid:84328841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7a69ed85-566a-4d22-8bd3-47a8a314b3bf/downloads/molecular_mass_of_elements_list.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465742/; classtype:trojan-activity;sid:84328842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465744)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/69278806631.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465744/; classtype:trojan-activity;sid:84328844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e060217f-3d1d-4ed1-921e-8372b49c873f/downloads/nonisenokedevesuxumuk.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465735/; classtype:trojan-activity;sid:84328835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/mesoduwegotujowokikurixo.pdf"; depth:86; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465729/; classtype:trojan-activity;sid:84328829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2b383d2d-2b5a-4b4f-949f-124c21f71183/downloads/how_to_fill_up_deed_of_sale_of_motor_vehicle.pdf"; depth:106; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465731/; classtype:trojan-activity;sid:84328831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465724)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/blobby/go/33d2c907-2bf6-4426-875f-30dcfdd2ea6c/downloads/takeshi_amemiya_advanced_econometrics.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465724/; classtype:trojan-activity;sid:84328824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/51d0d552-51a2-4187-835e-597cbad426c9/downloads/astm_e2500.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465715/; classtype:trojan-activity;sid:84328815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/ce6ffbd8-735a-4087-afcd-48ff437b91ba/downloads/16407212514.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465716/; classtype:trojan-activity;sid:84328816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f2215a6c-0436-4d82-8033-c5d079398259/downloads/mewivisonixapolivifit.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465717/; classtype:trojan-activity;sid:84328817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465718)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/5778216d-14df-4dd7-ac4c-aefbb7c07c24/downloads/kugaduvekujewotaz.pdf"; depth:79; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465718/; classtype:trojan-activity;sid:84328818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5add4dbc-ec7d-4010-9077-0d95eef82ba1/downloads/64293794102.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465722/; classtype:trojan-activity;sid:84328822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a7c970be-6487-407b-ae67-0318aa6bed96/downloads/19932307165.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465723/; classtype:trojan-activity;sid:84328823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465709)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/lowasa.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465709/; classtype:trojan-activity;sid:84328809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465710)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/8014aeaa-17b8-4bcd-a9d7-094ad1ff7644/downloads/19999334835.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465710/; classtype:trojan-activity;sid:84328810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/921a43a6-1495-4d95-bdb1-69b79162b826/downloads/13397059696.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465711/; classtype:trojan-activity;sid:84328811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b3cb2fd2-80cf-4497-9966-46f7699e136d/downloads/kovajive.pdf"; depth:70; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465714/; classtype:trojan-activity;sid:84328814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/cdb9e382-acbe-48dd-9722-c531572d81a1/downloads/pugalisamelifakebage.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465704/; classtype:trojan-activity;sid:84328804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465697)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/89463890604.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465697/; classtype:trojan-activity;sid:84328797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/lotumajufinunixine.pdf"; depth:80; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465699/; classtype:trojan-activity;sid:84328799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/kasupobuwomubafujos.pdf"; depth:81; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465702/; classtype:trojan-activity;sid:84328802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e51c42a2-48a1-43ea-b124-a034de3679a6/downloads/83320615193.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465692/; classtype:trojan-activity;sid:84328792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465693)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/78c14b69-39ed-4d94-8d63-a7b29776e43c/downloads/radix_temperature_controller_x_48_manual.pdf"; depth:102; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465693/; classtype:trojan-activity;sid:84328793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/24a9af23-a9c8-45b6-80f8-335651f17510/downloads/96094090900.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465694/; classtype:trojan-activity;sid:84328794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/22a15b49-22b8-4edf-a855-4e76194b4aaf/downloads/97812412729.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465695/; classtype:trojan-activity;sid:84328795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0c7674b-f7b5-484b-aa64-84014ad9ac8c/downloads/lizaputasu.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465685/; classtype:trojan-activity;sid:84328785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465679)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/boxikijefedajexufesibul.pdf"; depth:85; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465679/; classtype:trojan-activity;sid:84328779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/11012613986.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465680/; classtype:trojan-activity;sid:84328780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/bucharest_grill_nutrition_information.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465682/; classtype:trojan-activity;sid:84328782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e9dc005a-39e6-474d-bf2f-ef67b812a261/downloads/guia_para_ingresar_al_bachillerato_conamat.pdf"; depth:104; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465675/; classtype:trojan-activity;sid:84328775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465678)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/robaziromumeborumapix.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465678/; classtype:trojan-activity;sid:84328778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/52e9408f-c536-4a35-bd81-6078a5dce549/downloads/5252998215.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465671/; classtype:trojan-activity;sid:84328771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/36758652154.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465672/; classtype:trojan-activity;sid:84328772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465673)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/82f97436-460c-45aa-bd9b-74a87c48e9b0/downloads/73577237968.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465673/; classtype:trojan-activity;sid:84328773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465657)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/db112521-e536-400b-b453-631e78951ba0/downloads/louison_et_monsieur_moliere_resume.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465657/; classtype:trojan-activity;sid:84328757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a03fd264-622c-49da-819e-92c49cdd5e2b/downloads/xovifubakuforij.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465660/; classtype:trojan-activity;sid:84328760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/rupesiduvunimekesozo.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465663/; classtype:trojan-activity;sid:84328763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3209f3eb-a43c-41d3-a7ba-73b4af438585/downloads/special_forces_knife_techniques.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465664/; classtype:trojan-activity;sid:84328764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465665)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/b298ce5b-3c11-48f0-9704-0e059e7cfa1a/downloads/90645579432.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465665/; classtype:trojan-activity;sid:84328765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7eafcf9d-33bd-4fd4-8489-654d240ab2f3/downloads/6130931006.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465666/; classtype:trojan-activity;sid:84328766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/e0319bbe-78e1-4446-90fc-2b4b4cc85a3e/downloads/camp_green_lake.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465667/; classtype:trojan-activity;sid:84328767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465668)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/478a916a-56a8-445d-9eb0-b1a280ba537b/downloads/27628335796.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465668/; classtype:trojan-activity;sid:84328768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465655)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/eating_questionnaire-_a_ede-a_scoring.pdf"; depth:99; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465655/; classtype:trojan-activity;sid:84328755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/myer_victor_sewing_machine_manual.pdf"; depth:95; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465652/; classtype:trojan-activity;sid:84328752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/3131d044-1bdb-4fdc-8ed0-764e724b86a8/downloads/jorejujavupu.pdf"; depth:74; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465647/; classtype:trojan-activity;sid:84328747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/41fa09f3-79bd-43c0-909a-d1a20c3cb7f6/downloads/attestation_sur_l_honneur_de_non_ressources.pdf"; depth:105; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465648/; classtype:trojan-activity;sid:84328748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465649)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/eb7f2f0c-e896-4e47-abeb-a05a47b6dcff/downloads/37569138292.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465649/; classtype:trojan-activity;sid:84328749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f36019eb-f077-446f-b5b6-39b8eacedf97/downloads/98482064700.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465630/; classtype:trojan-activity;sid:84328730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/83364999300.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465631/; classtype:trojan-activity;sid:84328731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/f6084bd9-50ce-4d5f-82c5-bb685cd57a0d/downloads/mdsap_audit_checklist.pdf"; depth:83; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465633/; classtype:trojan-activity;sid:84328733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465640)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/39892598323.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465640/; classtype:trojan-activity;sid:84328740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/00810c7d-a901-42bd-b2e3-20945a4ad8cb/downloads/wimorawezabizu.pdf"; depth:76; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465641/; classtype:trojan-activity;sid:84328741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/552d21dd-b338-4bf6-8541-a1e81cff5ed8/downloads/viduwe.pdf"; depth:68; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465642/; classtype:trojan-activity;sid:84328742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a1b48068-f219-4487-b633-0ea4f25dfa5f/downloads/57025089155.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465643/; classtype:trojan-activity;sid:84328743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465625)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/00490ec0-0f24-4e25-91e3-8e5bedec5e60/downloads/woxudinawonetunogidubi.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465625/; classtype:trojan-activity;sid:84328725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2224247e-29ce-4f8d-b838-abfcbdf269c0/downloads/16984198490.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465626/; classtype:trojan-activity;sid:84328726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/33bb6cfc-294d-4317-8afb-5d34ed60ffe6/downloads/20222176664.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465622/; classtype:trojan-activity;sid:84328722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/72454635563.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465618/; classtype:trojan-activity;sid:84328718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465613)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/catastrophic_disaster_area_property_inspection_report.pdf"; depth:115; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465613/; classtype:trojan-activity;sid:84328713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/citadel_document_solutions_lawsuit.pdf"; depth:96; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465615/; classtype:trojan-activity;sid:84328715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/fumaxogufav.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465607/; classtype:trojan-activity;sid:84328707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/kigepobesewizijipakusafal.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465610/; classtype:trojan-activity;sid:84328710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465600)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/blobby/go/f7748e26-2d27-4aa6-89fb-b263de90f421/downloads/tabuas_sumerias_traduzidas.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465600/; classtype:trojan-activity;sid:84328700; rev:1;)
# The line above is the tail of a rule whose head precedes this span; the line that
# closes this span is the head of a rule that continues past it.
#
# Each rule in this run pins one exact GET URL on img1.wsimg.com. http.uri is anchored at
# both ends (depth set to the content length, plus endswith) and http.host is anchored by
# depth plus isdataat:!1,relative, so a different file under the same
# /blobby/go/<id>/downloads/ prefix does not match. nocase makes the path comparison
# case-insensitive.
# NOTE(review): many distinct <id> values share this hostname, so it looks multi-tenant;
# triage on the full URL reported in the alert, not on the hostname alone.
# The rules match the client request (flow:established,from_client); a hit shows the URL
# was requested, not that a payload was returned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/17054728623.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465603/; classtype:trojan-activity;sid:84328703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465604)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/678cd2ef-32fa-4621-9c35-e4f34096b4ea/downloads/airbus_cml.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465604/; classtype:trojan-activity;sid:84328704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465605)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/4402180a-d4b9-4c2e-b606-353fcb7d5a18/downloads/3730146334.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465605/; classtype:trojan-activity;sid:84328705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/36770579775.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465606/; classtype:trojan-activity;sid:84328706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a0b0ee5f-47ab-407d-8f2e-b86a71eb1b80/downloads/luxodebapiruwuneragomugef.pdf"; depth:87; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465594/; classtype:trojan-activity;sid:84328694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/87554570559.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465598/; classtype:trojan-activity;sid:84328698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/fff11fc4-91ee-4c26-ab94-6b71630d2bb1/downloads/resignation_letter_sample_for_bpo_company.pdf"; depth:103; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465599/; classtype:trojan-activity;sid:84328699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5102464b-373a-4f87-829a-69343208c6ac/downloads/84675915071.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465586/; classtype:trojan-activity;sid:84328686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465588)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/17a8127f-1a20-4f1c-a234-ba1b1a8873f5/downloads/90572854820.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465588/; classtype:trojan-activity;sid:84328688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/glassman_high_voltage_series_eq_manual.pdf"; depth:100; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465592/; classtype:trojan-activity;sid:84328692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/57653563602.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465593/; classtype:trojan-activity;sid:84328693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/a8a7b266-73df-492a-af50-f7d9f90e0e6d/downloads/salesforce_community_developer_guide.pdf"; depth:98; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465583/; classtype:trojan-activity;sid:84328683; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/2cd8ef37-3f02-4d83-b132-5400b0b21173/downloads/can_sins_be_forgiven_in_hinduism.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465573/; classtype:trojan-activity;sid:84328673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/9390f2de-e8f5-48e5-8f1b-3aa5affb2913/downloads/ra_to_surface_finish.pdf"; depth:82; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465574/; classtype:trojan-activity;sid:84328674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/holman_enterprises_annual_report.pdf"; depth:94; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465577/; classtype:trojan-activity;sid:84328677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465551)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/blobby/go/d37a9b24-bc42-4cb1-ab3b-3d1b21b01aec/downloads/chiller_factory_acceptance_test_checklist_template.pdf"; depth:112; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465551/; classtype:trojan-activity;sid:84328651; rev:1;)
# The line above completes a rule whose head is on the preceding line; the final line of
# this span is the head of a rule that continues on the following line.
#
# One rule per reported URL, all on img1.wsimg.com and all created 2025_03_05. The URI
# content is matched as a whole string (depth plus endswith) and the host as a whole
# string (depth plus isdataat:!1,relative), so each rule fires only for its own file.
# NOTE(review): several rules reuse the same <id> directory with different file names;
# a new file name under a listed <id> gets no alert until the feed adds it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/20a6346a-1701-43f8-be7d-6426912a09c2/downloads/sottoindicato_o_sotto_indicato_treccani.pdf"; depth:101; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465554/; classtype:trojan-activity;sid:84328654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/62fde782-5483-4905-a6da-12e04ab1250b/downloads/38559734752.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465555/; classtype:trojan-activity;sid:84328655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/dfa50dfd-b675-4866-b542-d79684ac1045/downloads/28769720040.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465556/; classtype:trojan-activity;sid:84328656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/formato_st-4_imss_para_imprimir.pdf"; depth:93; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465557/; classtype:trojan-activity;sid:84328657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/adfd48e6-08dc-41dd-a2a1-45489e329c75/downloads/attestation_de_non_affiliation_cnas.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465558/; classtype:trojan-activity;sid:84328658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/tosca_automation_specialist_level_2_certification_questions_.pdf"; depth:122; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465559/; classtype:trojan-activity;sid:84328659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/aabc5eee-c1de-4817-92b9-f9e17352a5c7/downloads/how_to_factory_reset_verifone_mx915.pdf"; depth:97; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465560/; classtype:trojan-activity;sid:84328660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/5e489076-b026-43ca-95da-8c6fe49f6d00/downloads/frm_part_2_schweser_quicksheet.pdf"; depth:92; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465561/; classtype:trojan-activity;sid:84328661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/671d8571-de15-47bb-8cd8-b624751dbe0e/downloads/incucyte_s3_user_guide.pdf"; depth:84; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465562/; classtype:trojan-activity;sid:84328662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465564)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/98e3e4d1-65d1-414f-a2f4-24701527da4a/downloads/1567746722.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465564/; classtype:trojan-activity;sid:84328664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465565)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/b6875802-d83d-45fa-a01c-dd9f30c53739/downloads/xujudodavudejeb.pdf"; depth:77; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465565/; classtype:trojan-activity;sid:84328665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465566)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/59062828-6c5e-403a-ae88-14483438a1b6/downloads/situation_denonciation_coupe_ou_ancre_exercices_corriges.pdf"; depth:118; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465566/; classtype:trojan-activity;sid:84328666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/7c4463e3-109c-48af-b9be-98e22cdf2116/downloads/wikuzidip.pdf"; depth:71; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465567/; classtype:trojan-activity;sid:84328667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/d5e97205-d745-471d-94c2-4bc94f943a29/downloads/87185669225.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465568/; classtype:trojan-activity;sid:84328668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/abfe7a1b-25f4-4ff2-8fb5-155a264c8ce4/downloads/likibixeve.pdf"; depth:72; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465569/; classtype:trojan-activity;sid:84328669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465570)";
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/356923eb-d23c-4b0c-808e-e9b58fb291da/downloads/exsilentia_4._0_user_guide.pdf"; depth:88; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465570/; classtype:trojan-activity;sid:84328670; rev:1;)
# The line above completes a rule whose head is on the preceding line; the final line of
# this span is the head of a rule that continues on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465571)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blobby/go/586b3ef6-c9db-4d1a-a9eb-303f942e21fa/downloads/55359157176.pdf"; depth:73; endswith; nocase; http.host; content:"img1.wsimg.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_05; reference:url, urlhaus.abuse.ch/url/3465571/; classtype:trojan-activity;sid:84328671; rev:1;)
# NOTE(review): in the next rule "|7c|26|7c|" decodes to the four literal bytes |26|,
# not to "&". This looks like a double-escaped ampersand from the rule generator; if the
# reported URL uses "&id=", this content cannot match the request URI. Confirm against the
# URLhaus entry before relying on this rule.
# depth:68 is the length of the escaped string; the decoded pattern is 59 bytes, so the
# start anchor is looser here than in the rules where depth equals the content length.
# NOTE(review): drive.google.com is normally fetched over HTTPS; an "alert http" rule
# sees the request only in cleartext or decrypted traffic - verify sensor coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3465210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1kjjvh1muhjrkrzbajjlzjfawyi0zvxc1"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_03_04; reference:url, urlhaus.abuse.ch/url/3465210/; classtype:trojan-activity;sid:84328310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3464706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/wupiao.3987.com.rar"; depth:25; endswith; nocase; http.host; content:"forspeed.onlinedown.net"; depth:23; isdataat:!1,relative; metadata:created_at 2025_03_03; reference:url, urlhaus.abuse.ch/url/3464706/; classtype:trojan-activity;sid:84327806; rev:1;)
# The rules below whose http.uri content is "/up/", "/v/" or "/" match a GET for exactly
# that short path on the named host; with content "/" and depth:1 plus endswith, any
# request for the site's front page raises the alert.
# NOTE(review): if these are compromised legitimate sites, expect hits from ordinary
# browsing; correlate with a follow-on download or endpoint telemetry before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/"; depth:4; endswith; nocase; http.host; content:"blessdayservices.org"; depth:20; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463509/; classtype:trojan-activity;sid:84326609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v/"; depth:3; endswith; nocase; http.host; content:"jessespridecharters.com"; depth:23; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463513/; classtype:trojan-activity;sid:84326613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"cambodiatouristservice.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463490/; classtype:trojan-activity;sid:84326590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463480)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"admin.gestroom.it"; depth:17; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463480/; classtype:trojan-activity;sid:84326580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"test.peperoncinochepassione.it"; depth:30; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463481/; classtype:trojan-activity;sid:84326581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"first-security-verden.de"; depth:24; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463482/; classtype:trojan-activity;sid:84326582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"www.first-security-verden.de"; depth:28; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463470/; classtype:trojan-activity;sid:84326570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463472)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"zamilgroups.com"; depth:15; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463472/; classtype:trojan-activity;sid:84326572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"bmdcompany.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463426/; classtype:trojan-activity;sid:84326526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"www.zamilgroups.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463430/; classtype:trojan-activity;sid:84326530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3463422)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"www.test.peperoncinochepassione.it"; depth:34; isdataat:!1,relative; metadata:created_at 2025_03_02; reference:url, urlhaus.abuse.ch/url/3463422/; classtype:trojan-activity;sid:84326522; rev:1;)
# From here the http.host content is a bare IP address, matched as an exact string.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3462411)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl1001"; depth:7; endswith; nocase; http.host; content:"31.170.22.205"; depth:13; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3462411/; classtype:trojan-activity;sid:84325511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin2.plg"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461771/; classtype:trojan-activity;sid:84324871; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin1.plg"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461769/; classtype:trojan-activity;sid:84324869; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin2.dll"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14;
isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461770/; classtype:trojan-activity;sid:84324870; rev:1;)
# The line above completes a rule whose head is on the preceding line; the final line of
# this span is the head of a rule that continues on the following line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin3.plg"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461768/; classtype:trojan-activity;sid:84324868; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461767)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin1.dll"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461767/; classtype:trojan-activity;sid:84324867; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/plugin3.dll"; depth:16; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461763/; classtype:trojan-activity;sid:84324863; rev:1;)
# NOTE(review): the next two rules match the branch archive (refs/heads/master) of a
# public repository on codeload.github.com / github.com. A branch reference is not a
# pinned commit, so what the URL serves changes over time. masscan is a network scanner;
# a hit shows that its source archive was requested, which the trojan-activity classtype
# does not establish on its own - check who fetched it and why.
# These hosts are normally fetched over HTTPS, so the rules see only cleartext or
# decrypted requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robertdavidgraham/masscan/zip/refs/heads/master"; depth:48; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461663/; classtype:trojan-activity;sid:84324763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3461661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robertdavidgraham/masscan/archive/refs/heads/master.zip"; depth:56; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_03_01; reference:url, urlhaus.abuse.ch/url/3461661/; classtype:trojan-activity;sid:84324761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3460167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.28"; depth:12; isdataat:!1,relative; metadata:created_at 2025_02_27; reference:url, urlhaus.abuse.ch/url/3460167/; classtype:trojan-activity;sid:84323267; rev:1;)
# NOTE(review): in the next rule "|7c|26|7c|" decodes to the four literal bytes |26|,
# not to "&" - apparently a double-escaped ampersand. If the reported URL uses "&id=",
# the content cannot match; confirm against the URLhaus entry. depth:68 counts the escaped
# string, while the decoded pattern is 59 bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3460000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1uxmu02r04iaslsrsh9quahzfsvq3tozm"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_02_27; reference:url, urlhaus.abuse.ch/url/3460000/; classtype:trojan-activity;sid:84323100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3452200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.62.202.150"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_25; reference:url, urlhaus.abuse.ch/url/3452200/; classtype:trojan-activity;sid:84315300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3451827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jqueryui.js"; depth:12; endswith; nocase; http.host; content:"webcstore.pw"; depth:12; isdataat:!1,relative; metadata:created_at 2025_02_25; reference:url, urlhaus.abuse.ch/url/3451827/; classtype:trojan-activity;sid:84314927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3450176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/putty.exe"; depth:15; endswith; nocase; http.host; content:"book.rollingvideogames.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_02_23; reference:url, urlhaus.abuse.ch/url/3450176/; classtype:trojan-activity;sid:84313276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3450147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loveryajenja/lwafmwoafmw11/raw/refs/heads/main/install.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_23; reference:url, urlhaus.abuse.ch/url/3450147/; classtype:trojan-activity;sid:84313247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3450048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/continue/45.ps1"; depth:16; endswith; nocase; http.host; content:"www.benshamcentre.co.uk"; depth:23; isdataat:!1,relative; metadata:created_at 2025_02_23; reference:url, urlhaus.abuse.ch/url/3450048/; classtype:trojan-activity;sid:84313148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.87.42.154"; depth:12; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447681/; classtype:trojan-activity;sid:84310781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/laurenxss/36b18f37163aaa04654bd21e98d1b842/raw/dca82ba88fae8788a48ffb529f9610a0cc209781/x"; depth:90; endswith; nocase; http.host; content:"gist.githubusercontent.com"; depth:26; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447466/; classtype:trojan-activity;sid:84310566; rev:1;)
# The next three rules share one *.myqcloud.com host and differ only in the file name.
# NOTE(review): the ".png" suffix in the URL says nothing about the payload type; the
# feed lists these as malware downloads, so do not exclude them as image traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sena1.png"; depth:10; endswith; nocase; http.host; content:"leindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.com"; depth:58; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447458/; classtype:trojan-activity;sid:84310558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manga1.png"; depth:11; endswith; nocase; http.host; content:"leindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.com"; depth:58; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447456/; classtype:trojan-activity;sid:84310556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3447457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/colheita1.png"; depth:14; endswith; nocase; http.host; content:"leindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.com"; depth:58; isdataat:!1,relative; metadata:created_at 2025_02_21; reference:url, urlhaus.abuse.ch/url/3447457/; classtype:trojan-activity;sid:84310557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3446653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info.zip"; depth:9; endswith; nocase;
http.host; content:"116.171.106.3"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3446653/; classtype:trojan-activity;sid:84309753; rev:1;)
# The line above completes a rule whose head is on the preceding line.
#
# Every rule here matches one exact request: http.uri is anchored by depth plus endswith
# and http.host by depth plus isdataat:!1,relative. The match is on the client request
# (flow:established,from_client), so a hit shows the URL was requested, not that a
# payload was returned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3446415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"206.214.35.106"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3446415/; classtype:trojan-activity;sid:84309515; rev:1;)
# NOTE(review): the ".png" suffix in the next rule says nothing about the payload type.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3445854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/coracion1.png"; depth:14; endswith; nocase; http.host; content:"vaamsmgfreocmroe-1342087530.cos.sa-saopaulo.myqcloud.com"; depth:56; isdataat:!1,relative; metadata:created_at 2025_02_20; reference:url, urlhaus.abuse.ch/url/3445431/; classtype:trojan-activity;sid:84308954; rev:1;)
# NOTE(review): the next three hosts (*.blob.core.windows.net, raw.githubusercontent.com,
# github.com) are normally fetched over HTTPS; an "alert http" rule sees the request only
# in cleartext or decrypted traffic - verify sensor coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3445431)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/df4a3196-accc-423a-a43b-6768f1aafd3e.pdf"; depth:46; endswith; nocase; http.host; content:"hotelembuguacu.blob.core.windows.net"; depth:36; isdataat:!1,relative; metadata:created_at 2025_02_19; reference:url, urlhaus.abuse.ch/url/3445431/; classtype:trojan-activity;sid:84308531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3444507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leinchchanceleinch/jik/refs/heads/main/d.msi"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_02_18; reference:url, urlhaus.abuse.ch/url/3444507/; classtype:trojan-activity;sid:84307607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3444267)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leinchchanceleinch/jik/raw/refs/heads/main/d.msi"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_18; reference:url, urlhaus.abuse.ch/url/3444267/; classtype:trojan-activity;sid:84307367; rev:1;)
# NOTE(review): the http.host values in the next four rules look like ISP-assigned names
# that embed an address. Such names and addresses can be reassigned, so weigh created_at
# when judging whether a hit is still meaningful.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"179.248.3.202.ll.sta.mana.pf"; depth:28; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443355/; classtype:trojan-activity;sid:84306455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.248.3.202.ll.sta.mana.pf"; depth:28; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443354/; classtype:trojan-activity;sid:84306454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99-118-215-24.lightspeed.irvnca.sbcglobal.net"; depth:45; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443353/; classtype:trojan-activity;sid:84306453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"host-95-230-215-65.business.telecomitalia.it"; depth:44; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443350/; classtype:trojan-activity;sid:84306450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3443193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"172.250.238.27"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3443193/; classtype:trojan-activity;sid:84306293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/output0/client/cabalmain.exe"; depth:29; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3442712/; classtype:trojan-activity;sid:84305812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442701)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/output0/client/cabal.exe"; depth:25; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3442701/; classtype:trojan-activity;sid:84305801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/output/client/cabalmain.exe"; depth:28; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_17; reference:url, urlhaus.abuse.ch/url/3442616/; classtype:trojan-activity;sid:84305716; rev:1;)
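# URLhaus-generated download-URL rules, restored to one rule per physical line.
# Suricata reads a rule from a single line (a rule may span lines only with a
# trailing backslash), so a rule wrapped mid-option does not load.
#
# Shape shared by every rule below:
#   - outbound, established, client-to-server HTTP request with method GET;
#   - http.uri must equal the listed path: depth is set to the content length and
#     endswith pins the end, so the pair acts as an exact match (nocase applies);
#   - http.host must equal the listed host (depth plus isdataat:!1,relative);
#   - msg and reference carry the URLhaus entry id for triage.
#
# Review notes for operators:
#   - These are `alert http` rules and only see cleartext HTTP. The entries for
#     github.com and raw.githubusercontent.com will normally be fetched over HTTPS
#     and will fire only where TLS is decrypted ahead of the sensor; cover those
#     URLs with proxy logs or TLS/DNS telemetry as well.
#   - The destination port is `any` and the match is Host + URI only, so two feed
#     entries with the same host and path (sids 84301691 and 84301694 below) both
#     alert on a single request. Dedupe downstream by host and URI.
#   - Short paths such as "/i" or "/sshd" are only meaningful because they are
#     pinned to an exact Host value; do not reuse the URI part alone as an indicator.
#   - created_at dates here are February 2025; IP-literal hosts may have changed
#     hands since, so treat a hit as a lead to triage against the reference page.

# --- 2025_02_16 ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.apk"; depth:10; endswith; nocase; http.host; content:"103.146.202.41"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442233/; classtype:trojan-activity;sid:84305333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442198)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxxx"; depth:5; endswith; nocase; http.host; content:"47.89.173.214"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442198/; classtype:trojan-activity;sid:84305298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ffff"; depth:5; endswith; nocase; http.host; content:"47.89.173.214"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442196/; classtype:trojan-activity;sid:84305296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3442197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asdf"; depth:5; endswith; nocase; http.host; content:"47.89.173.214"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3442197/; classtype:trojan-activity;sid:84305297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3441890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.55.122.229"; depth:12; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3441890/; classtype:trojan-activity;sid:84304990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3441868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"123.200.25.54"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3441868/; classtype:trojan-activity;sid:84304968; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3441724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/output/client/cabal.exe"; depth:24; endswith; nocase; http.host; content:"168.138.162.78"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_16; reference:url, urlhaus.abuse.ch/url/3441724/; classtype:trojan-activity;sid:84304824; rev:1;)

# --- 2025_02_15: nine paths on one host, several named after CPU architectures ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l/rls"; depth:11; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440974/; classtype:trojan-activity;sid:84304074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64/rls"; depth:11; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440971/; classtype:trojan-activity;sid:84304071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64/rld"; depth:11; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440972/; classtype:trojan-activity;sid:84304072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l/kthreadrm"; depth:17; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440969/; classtype:trojan-activity;sid:84304069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440970)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64/kthreadrm"; depth:17; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440970/; classtype:trojan-activity;sid:84304070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aarch64"; depth:8; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440930/; classtype:trojan-activity;sid:84304030; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm7"; depth:5; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440931/; classtype:trojan-activity;sid:84304031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86_64"; depth:7; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440932/; classtype:trojan-activity;sid:84304032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3440934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"198.166.72.242"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_15; reference:url, urlhaus.abuse.ch/url/3440934/; classtype:trojan-activity;sid:84304034; rev:1;)

# --- 2025_02_13 ---
# NOTE(review): the next two rules have identical match conditions (same host,
# same path) and differ only in URLhaus id and sid; one request raises both.
# Presumably the feed entries differ in a field the rule does not encode, such
# as the port. Confirm on the reference pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3438591)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.11.36.4"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_13; reference:url, urlhaus.abuse.ch/url/3438591/; classtype:trojan-activity;sid:84301691; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3438594)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.11.36.4"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_13; reference:url, urlhaus.abuse.ch/url/3438594/; classtype:trojan-activity;sid:84301694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3438572)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.9.25.206"; depth:11; isdataat:!1,relative; metadata:created_at 2025_02_13; reference:url, urlhaus.abuse.ch/url/3438572/; classtype:trojan-activity;sid:84301672; rev:1;)

# --- 2025_02_12: six paths under /test/cgi-bin/ on one named host ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/adonis/pure_adonis"; depth:32; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437118/; classtype:trojan-activity;sid:84300218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/jnd/pure_jnd"; depth:26; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437119/; classtype:trojan-activity;sid:84300219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/adonis/all_adonis"; depth:31; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437116/; classtype:trojan-activity;sid:84300216; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437117)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/pure_bean"; depth:31; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437117/; classtype:trojan-activity;sid:84300217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/all_bean"; depth:30; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437115/; classtype:trojan-activity;sid:84300215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3437114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/jnd/jnd_all"; depth:25; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_12; reference:url, urlhaus.abuse.ch/url/3437114/; classtype:trojan-activity;sid:84300214; rev:1;)

# --- 2025_02_10 ---
# NOTE(review): the URI content below is written as percent-encoded text.
# Suricata documents http.uri as the normalized URI (escapes such as %20 are
# decoded), so this literal form may only match on http.uri.raw. Verify against
# a test capture before relying on this sid. The host is normally HTTPS-only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3435167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iluxa94/-3-/refs/heads/main/%d0%a4%d0%be%d1%80%d0%bc%d0%b0%203%d0%9e%d0%a8%d0%91%d0%a0.exe"; depth:91; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_02_10; reference:url, urlhaus.abuse.ch/url/3435167/; classtype:trojan-activity;sid:84298267; rev:1;)
# NOTE(review): this path is the default-branch archive of the public
# Neo23x0/signature-base detection-signature repository, which defenders
# download routinely. Presumably a feed false positive: check the reference
# page, and consider a suppress entry for this sid on hosts that pull
# detection content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3435170)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neo23x0/signature-base/archive/master.zip"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_02_10; reference:url, urlhaus.abuse.ch/url/3435170/; classtype:trojan-activity;sid:84298270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3435075)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.158.88.156"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_10; reference:url, urlhaus.abuse.ch/url/3435075/; classtype:trojan-activity;sid:84298175; rev:1;)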
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3432127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.136.145.238"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3432127/; classtype:trojan-activity;sid:84295227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/all_bean"; depth:30; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3431851/; classtype:trojan-activity;sid:84294951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/cgi-bin/mr_bean/pure_bean"; depth:31; endswith; nocase; http.host; content:"upchemicals.co.in"; depth:17; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3431850/; classtype:trojan-activity;sid:84294950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bljysvhw/info.zip"; depth:18; endswith; nocase; http.host; content:"200.14.250.72"; depth:13; isdataat:!1,relative; metadata:created_at 2025_02_08; reference:url, urlhaus.abuse.ch/url/3431687/; classtype:trojan-activity;sid:84294787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3431378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.136.145.238"; depth:13; 
isdataat:!1,relative; metadata:created_at 2025_02_07; reference:url, urlhaus.abuse.ch/url/3431378/; classtype:trojan-activity;sid:84294478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3429885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/test.jpg"; depth:11; endswith; nocase; http.host; content:"ofice365.github.io"; depth:18; isdataat:!1,relative; metadata:created_at 2025_02_06; reference:url, urlhaus.abuse.ch/url/3429885/; classtype:trojan-activity;sid:84292985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3429793)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"d2314eac.solaraweb-alj.pages.dev"; depth:32; isdataat:!1,relative; metadata:created_at 2025_02_06; reference:url, urlhaus.abuse.ch/url/3429793/; classtype:trojan-activity;sid:84292893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3429311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.159.221.33"; depth:14; isdataat:!1,relative; metadata:created_at 2025_02_05; reference:url, urlhaus.abuse.ch/url/3429311/; classtype:trojan-activity;sid:84292411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsh/xsh.exe"; depth:12; endswith; nocase; http.host; content:"101.126.11.168"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421183/; classtype:trojan-activity;sid:84284283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421027)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sigmaplus/4.exe"; depth:16; endswith; nocase; http.host; content:"ny.lshdw.cc"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421027/; classtype:trojan-activity;sid:84284127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assignment.exe"; depth:15; endswith; nocase; http.host; content:"210.125.101.75"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421014/; classtype:trojan-activity;sid:84284114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3421020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ftp/emmetprod.exe"; depth:18; endswith; nocase; http.host; content:"141.147.43.219"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_31; reference:url, urlhaus.abuse.ch/url/3421020/; classtype:trojan-activity;sid:84284120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3419560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff245185/payload/raw/refs/heads/main/fast%20download.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_30; reference:url, urlhaus.abuse.ch/url/3419560/; classtype:trojan-activity;sid:84282660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3419477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xevioo/xeviohub/raw/refs/heads/main/critscript.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_30; 
reference:url, urlhaus.abuse.ch/url/3419477/; classtype:trojan-activity;sid:84282577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3419368)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/17793058/lg246dre.txt"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_30; reference:url, urlhaus.abuse.ch/url/3419368/; classtype:trojan-activity;sid:84282468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3417858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.32.249.165"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_28; reference:url, urlhaus.abuse.ch/url/3417858/; classtype:trojan-activity;sid:84280958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3417095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1t9mwfr1azhmksosp19tomch5dyi3hb2n"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2025_01_28; reference:url, urlhaus.abuse.ch/url/3417095/; classtype:trojan-activity;sid:84280195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3416671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.62"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_27; reference:url, urlhaus.abuse.ch/url/3416671/; classtype:trojan-activity;sid:84279771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3416673)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.61"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_27; reference:url, urlhaus.abuse.ch/url/3416673/; classtype:trojan-activity;sid:84279773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3416674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.60"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_27; reference:url, urlhaus.abuse.ch/url/3416674/; classtype:trojan-activity;sid:84279774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3415308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.59"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_26; reference:url, urlhaus.abuse.ch/url/3415308/; classtype:trojan-activity;sid:84278408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3415209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loginanticheat.dll"; depth:19; endswith; nocase; http.host; content:"43.226.39.44"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_26; reference:url, urlhaus.abuse.ch/url/3415209/; classtype:trojan-activity;sid:84278309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3415207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loginanticheat4.dll"; depth:20; endswith; nocase; http.host; content:"43.226.39.44"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_26; reference:url, urlhaus.abuse.ch/url/3415207/; classtype:trojan-activity;sid:84278307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (3412918)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"119.206.216.132"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_24; reference:url, urlhaus.abuse.ch/url/3412918/; classtype:trojan-activity;sid:84276018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3412921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"222.165.237.58"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_24; reference:url, urlhaus.abuse.ch/url/3412921/; classtype:trojan-activity;sid:84276021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3410865)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blackhatethicalhacking/fud/raw/refs/heads/master/access.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_23; reference:url, urlhaus.abuse.ch/url/3410865/; classtype:trojan-activity;sid:84273965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3410375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.11.36.4"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_22; reference:url, urlhaus.abuse.ch/url/3410375/; classtype:trojan-activity;sid:84273475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3407374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"121.167.209.164"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_20; reference:url, 
urlhaus.abuse.ch/url/3407374/; classtype:trojan-activity;sid:84270474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3406818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%eb%a7%ac%ec%9b%a8%ec%96%b4.hta"; depth:32; endswith; nocase; http.host; content:"hobobot.net"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_20; reference:url, urlhaus.abuse.ch/url/3406818/; classtype:trojan-activity;sid:84269918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3406822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%eb%b9%8c%ec%96%b4%20%eb%a8%b9%ec%9d%84.hta"; depth:44; endswith; nocase; http.host; content:"hobobot.net"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_20; reference:url, urlhaus.abuse.ch/url/3406822/; classtype:trojan-activity;sid:84269922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"182.109.0.22"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405330/; classtype:trojan-activity;sid:84268430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405320/; classtype:trojan-activity;sid:84268420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; 
endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405323/; classtype:trojan-activity;sid:84268423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405324/; classtype:trojan-activity;sid:84268424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405329)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"14.54.96.182"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405329/; classtype:trojan-activity;sid:84268429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3405134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"84.15.147.5"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_18; reference:url, urlhaus.abuse.ch/url/3405134/; classtype:trojan-activity;sid:84268234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3403380)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lehila05/pdc/refs/heads/main/payload.bin"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_17; reference:url, urlhaus.abuse.ch/url/3403380/; classtype:trojan-activity;sid:84266480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3402741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adobepdf-reader/pdf-reader/raw/refs/heads/main/pdf%20reader.exe"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_16; reference:url, urlhaus.abuse.ch/url/3402741/; classtype:trojan-activity;sid:84265841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3402154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.6.203"; depth:11; isdataat:!1,relative; metadata:created_at 2025_01_16; reference:url, urlhaus.abuse.ch/url/3402154/; classtype:trojan-activity;sid:84265254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3401644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/wpr-addons/forms/code1.png"; depth:46; endswith; nocase; http.host; content:"107.180.89.159"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_15; reference:url, urlhaus.abuse.ch/url/3401644/; classtype:trojan-activity;sid:84264744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3401362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fxserver.exe"; depth:13; endswith; nocase; http.host; content:"198.50.242.157"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_15; reference:url, urlhaus.abuse.ch/url/3401362/; classtype:trojan-activity;sid:84264462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3398629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ox2fa/justnow/refs/heads/main/1.sh"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; 
isdataat:!1,relative; metadata:created_at 2025_01_13; reference:url, urlhaus.abuse.ch/url/3398629/; classtype:trojan-activity;sid:84261729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3398195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.121.239.114"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_12; reference:url, urlhaus.abuse.ch/url/3398195/; classtype:trojan-activity;sid:84261295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3397531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.168.227.130"; depth:15; isdataat:!1,relative; metadata:created_at 2025_01_11; reference:url, urlhaus.abuse.ch/url/3397531/; classtype:trojan-activity;sid:84260631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3395055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arvendrachhonkar/todo/releases/download/macosandwindows/install_setup_v1.2.0.dmg"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_09; reference:url, urlhaus.abuse.ch/url/3395055/; classtype:trojan-activity;sid:84258155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3394121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.56.225.99"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3394121/; classtype:trojan-activity;sid:84257221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3394115)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"62.56.225.99"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3394115/; classtype:trojan-activity;sid:84257215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roukistl/ud/refs/heads/main/ud.bat"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3393662/; classtype:trojan-activity;sid:84256762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393596)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thomson101/xhp/releases/download/release/steanings.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_08; reference:url, urlhaus.abuse.ch/url/3393596/; classtype:trojan-activity;sid:84256696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thomson101/xhp/releases/download/release/steanings.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_07; reference:url, urlhaus.abuse.ch/url/3393047/; classtype:trojan-activity;sid:84256147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.8.112.156"; depth:13; isdataat:!1,relative; metadata:created_at 
2025_01_07; reference:url, urlhaus.abuse.ch/url/3393011/; classtype:trojan-activity;sid:84256111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3393013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.8.112.155"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_07; reference:url, urlhaus.abuse.ch/url/3393013/; classtype:trojan-activity;sid:84256113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3391819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"41.32.249.165"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_06; reference:url, urlhaus.abuse.ch/url/3391819/; classtype:trojan-activity;sid:84254919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3391592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.8.112.154"; depth:13; isdataat:!1,relative; metadata:created_at 2025_01_06; reference:url, urlhaus.abuse.ch/url/3391592/; classtype:trojan-activity;sid:84254692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3390789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kusaka.php|3f|call=av"; depth:22; endswith; nocase; http.host; content:"cpofficial.com"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_05; reference:url, urlhaus.abuse.ch/url/3390789/; classtype:trojan-activity;sid:84253889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3390749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kusaka.php|3f|call=smp"; depth:23; 
endswith; nocase; http.host; content:"mx9x.com"; depth:8; isdataat:!1,relative; metadata:created_at 2025_01_05; reference:url, urlhaus.abuse.ch/url/3390749/; classtype:trojan-activity;sid:84253849; rev:1;)
# Exact-URL signatures. Each rule below needs an established client-to-server
# HTTP request ($HOME_NET -> $EXTERNAL_NET, any port) with "GET" in the method
# buffer, an http.uri equal to the quoted path (depth is the content length,
# endswith pins the end, nocase ignores case) and an http.host equal to the
# quoted name (depth plus isdataat:!1,relative allows no extra bytes).
# The first two rules name github.com and raw.githubusercontent.com, and the
# fourth a pages.dev subdomain; the exact path is what narrows the match to
# one URLhaus entry.
# NOTE(review): "alert http" only sees HTTP the engine can parse. These hosts
# are normally reached over HTTPS, so confirm whether the sensor sits behind
# TLS decryption; without it these rules are unlikely to fire on real fetches.
# NOTE(review): flow:from_client means a hit records that the request was
# sent, not that a file came back (a cleartext request may only be answered
# with a redirect) - check the response before treating it as a download.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3389403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngrokc/ctc/raw/main/ctc64.dll"; depth:30; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3389403/; classtype:trojan-activity;sid:84252503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3389404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngrokc/ctc/main/ctc64.dll"; depth:26; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3389404/; classtype:trojan-activity;sid:84252504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3388907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.83.78"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3388907/; classtype:trojan-activity;sid:84252007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3388858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/solara.dir.zip"; depth:37; endswith; nocase; http.host; content:"c0e5b87c.solaraweb-alj.pages.dev"; depth:32; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3388858/; classtype:trojan-activity;sid:84251958; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3388859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/static/files/bootstrappernew.exe"; depth:42; endswith; nocase; http.host; content:"c0e5b87c.solaraweb-alj.pages.dev"; depth:32; isdataat:!1,relative; metadata:created_at 2025_01_04; reference:url, urlhaus.abuse.ch/url/3388859/; classtype:trojan-activity;sid:84251959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3387720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/raw/refs/heads/main/prueba.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2025_01_03; reference:url, urlhaus.abuse.ch/url/3387720/; classtype:trojan-activity;sid:84250820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file-32bit.elf"; depth:15; endswith; nocase; http.host; content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386507/; classtype:trojan-activity;sid:84249607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.elf"; depth:9; endswith; nocase; http.host; content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386508/; classtype:trojan-activity;sid:84249608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file-arm.elf"; depth:13; endswith; nocase; http.host; 
content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386509/; classtype:trojan-activity;sid:84249609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3386510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file-64bit.elf"; depth:15; endswith; nocase; http.host; content:"34.45.47.180"; depth:12; isdataat:!1,relative; metadata:created_at 2025_01_02; reference:url, urlhaus.abuse.ch/url/3386510/; classtype:trojan-activity;sid:84249610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3385167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft_hair/ultravnc.ini"; depth:23; endswith; nocase; http.host; content:"support.clz.kr"; depth:14; isdataat:!1,relative; metadata:created_at 2025_01_01; reference:url, urlhaus.abuse.ch/url/3385167/; classtype:trojan-activity;sid:84248267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3378974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.142.63.8"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_28; reference:url, urlhaus.abuse.ch/url/3378974/; classtype:trojan-activity;sid:84242074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.45.15.114"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_23; reference:url, urlhaus.abuse.ch/url/3373486/; classtype:trojan-activity;sid:84236586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373487)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"90.45.15.114"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_23; reference:url, urlhaus.abuse.ch/url/3373487/; classtype:trojan-activity;sid:84236587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373080)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.160.109.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373080/; classtype:trojan-activity;sid:84236180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373057)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.236.135.177"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373057/; classtype:trojan-activity;sid:84236157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.136.225.254"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373063/; classtype:trojan-activity;sid:84236163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"94.244.113.217"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373067/; classtype:trojan-activity;sid:84236167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3373048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.179.160"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373048/; classtype:trojan-activity;sid:84236148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3373009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"111.185.23.52"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3373009/; classtype:trojan-activity;sid:84236109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.93.83.124"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372979/; classtype:trojan-activity;sid:84236079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"59.27.224.90"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372992/; classtype:trojan-activity;sid:84236092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372995)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.236.133.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372995/; classtype:trojan-activity;sid:84236095; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372968)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.85.166.12"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372968/; classtype:trojan-activity;sid:84236068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372953)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"47.49.114.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372953/; classtype:trojan-activity;sid:84236053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.125.133.244"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372944/; classtype:trojan-activity;sid:84236044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"111.74.21.155"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372903/; classtype:trojan-activity;sid:84236003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, 
urlhaus.abuse.ch/url/3372902/; classtype:trojan-activity;sid:84236002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372900)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372900/; classtype:trojan-activity;sid:84236000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372891)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372891/; classtype:trojan-activity;sid:84235991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372892/; classtype:trojan-activity;sid:84235992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372893)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372893/; classtype:trojan-activity;sid:84235993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; 
content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372896/; classtype:trojan-activity;sid:84235996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372898/; classtype:trojan-activity;sid:84235998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372883/; classtype:trojan-activity;sid:84235983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372884/; classtype:trojan-activity;sid:84235984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372886/; classtype:trojan-activity;sid:84235986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372887)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.141.62.238"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372887/; classtype:trojan-activity;sid:84235987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372890/; classtype:trojan-activity;sid:84235990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.247.101.63"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372876/; classtype:trojan-activity;sid:84235976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372878/; classtype:trojan-activity;sid:84235978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372879/; classtype:trojan-activity;sid:84235979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3372880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"117.240.155.245"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372880/; classtype:trojan-activity;sid:84235980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372704/; classtype:trojan-activity;sid:84235804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372705/; classtype:trojan-activity;sid:84235805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.190"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372657/; classtype:trojan-activity;sid:84235757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.216"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372658/; classtype:trojan-activity;sid:84235758; rev:1;) 
# Exact-URL signatures for "/sshd" on individual IPv4 hosts. Each rule below
# needs an established client-to-server HTTP request from $HOME_NET to
# $EXTERNAL_NET with "GET" in the method buffer, an http.uri equal to "/sshd"
# (depth:5 plus endswith, compared case-insensitively) and an http.host equal
# to the quoted address (depth plus isdataat:!1,relative allows no extra
# bytes). The destination port is "any", so the server's listening port is not
# part of the match.
# NOTE(review): sids 84235754 and 84235751 carry identical match conditions
# (same URI, same host 195.34.102.234); only msg, reference and sid differ, so
# a single request raises both alerts. Presumably the two URLhaus entries
# differ in a detail the rule does not encode (port or scheme) - confirm on
# the referenced pages and deduplicate or threshold downstream if noisy.
# NOTE(review): the indicators are bare IP addresses created 2024_12_22;
# addresses get reassigned, so treat old entries as lower-confidence -
# TODO confirm the feed's retention policy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372654/; classtype:trojan-activity;sid:84235754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372651)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372651/; classtype:trojan-activity;sid:84235751; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372645)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"79.124.72.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372645/; classtype:trojan-activity;sid:84235745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.189"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372625/; classtype:trojan-activity;sid:84235725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"2.54.88.115"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, 
urlhaus.abuse.ch/url/3372627/; classtype:trojan-activity;sid:84235727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372639/; classtype:trojan-activity;sid:84235739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.210.109.1"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372621/; classtype:trojan-activity;sid:84235721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3372615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"195.34.102.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_22; reference:url, urlhaus.abuse.ch/url/3372615/; classtype:trojan-activity;sid:84235715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3366263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"93.87.31.84"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_19; reference:url, urlhaus.abuse.ch/url/3366263/; classtype:trojan-activity;sid:84229363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef/ef.bin"; depth:10; endswith; nocase; http.host; content:"www.tdejb.com"; 
depth:13; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356912/; classtype:trojan-activity;sid:84220012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ef/ef.vbs"; depth:10; endswith; nocase; http.host; content:"www.astenterprises.com.pk"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356909/; classtype:trojan-activity;sid:84220009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agent.exe"; depth:10; endswith; nocase; http.host; content:"210.125.101.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356783/; classtype:trojan-activity;sid:84219883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/futon"; depth:6; endswith; nocase; http.host; content:"weco2.oss-me-east-1.aliyuncs.com"; depth:32; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356768/; classtype:trojan-activity;sid:84219868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356769)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qq%e5%8d%8e%e5%a4%8f%e6%9b%b4%e6%96%b0%e6%96%87%e4%bb%b6/%e8%87%aa%e5%8a%a8%e6%9b%b4%e6%96%b0%e8%be%85%e5%8a%a9%e7%a8%8b%e5%ba%8f.exe"; depth:134; endswith; nocase; http.host; content:"kuakuawenjian.oss-cn-hangzhou.aliyuncs.com"; depth:42; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356769/; 
classtype:trojan-activity;sid:84219869; rev:1;)
# Exact-URL signatures. Each rule below needs an established client-to-server
# HTTP request ($HOME_NET -> $EXTERNAL_NET, any port) with "GET" in the method
# buffer, an http.uri equal to the quoted path (depth is the content length,
# endswith pins the end, nocase ignores case) and an http.host equal to the
# quoted name (depth plus isdataat:!1,relative allows no extra bytes).
# The hosts are names under aliyuncs.com and myqcloud.com plus
# raw.githubusercontent.com; the match always needs the exact path as well,
# so traffic to other paths on these hosts does not alert.
# NOTE(review): sid 84219245 has a literal "%20" in its http.uri content.
# http.uri is the normalized URI buffer, so confirm on the deployed engine
# that the escape is still present after normalization; http.uri.raw is the
# buffer that inspects the URI as sent.
# NOTE(review): "alert http" only sees HTTP the engine can parse; if these
# hosts are reached over HTTPS the rules need TLS decryption in front of the
# sensor to fire - confirm for the deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/smiple_4yue"; depth:12; endswith; nocase; http.host; content:"weco2.oss-me-east-1.aliyuncs.com"; depth:32; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356761/; classtype:trojan-activity;sid:84219861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/36hg-04ik6-9j4-9h5.html"; depth:24; endswith; nocase; http.host; content:"f3i5-0g49bgn-3h95-1324992141.cos.ap-jakarta.myqcloud.com"; depth:56; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356758/; classtype:trojan-activity;sid:84219858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/35-0350gh9v-39yh5g.html"; depth:24; endswith; nocase; http.host; content:"j-0-09g-9bh-h-ggf-1324992141.cos.ap-bangkok.myqcloud.com"; depth:56; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356750/; classtype:trojan-activity;sid:84219850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff245185/payload/refs/heads/main/fast%20download.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356145/; classtype:trojan-activity;sid:84219245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (3356134)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr0xylife/asyncrat/refs/heads/main/asyncrat_09.02.2022.txt"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356134/; classtype:trojan-activity;sid:84219234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3356133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grozniy1/folder/refs/heads/main/444.exe"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_18; reference:url, urlhaus.abuse.ch/url/3356133/; classtype:trojan-activity;sid:84219233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rookievip/xx/main/loader.exe"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353957/; classtype:trojan-activity;sid:84217057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353403)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/refs/heads/main/prueba.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353403/; classtype:trojan-activity;sid:84216503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353372)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fengjixuchui/cve-2022-26810/refs/heads/main/shellcode.bin"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353372/; classtype:trojan-activity;sid:84216472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353348)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deroxs/powerrat-leak/raw/refs/heads/main/powerrat.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353348/; classtype:trojan-activity;sid:84216448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resources/js/info2r.txt/"; depth:25; endswith; nocase; http.host; content:"188.81.134.196"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353349/; classtype:trojan-activity;sid:84216449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353345)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr0xylife/asyncrat/raw/refs/heads/main/asyncrat_09.02.2022.txt"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353345/; classtype:trojan-activity;sid:84216445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dlc_update.data"; depth:16; endswith; nocase; http.host; content:"8.138.96.41"; depth:11; isdataat:!1,relative; metadata:created_at 
2024_12_17; reference:url, urlhaus.abuse.ch/url/3353333/; classtype:trojan-activity;sid:84216433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353251)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/master.exe"; depth:11; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353251/; classtype:trojan-activity;sid:84216351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe.dom_1.exe"; depth:57; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353242/; classtype:trojan-activity;sid:84216342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimispool.dll"; depth:24; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353243/; classtype:trojan-activity;sid:84216343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe.dom_2.exe"; depth:57; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353244/; classtype:trojan-activity;sid:84216344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(3353246)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//google.exe"; depth:12; endswith; nocase; http.host; content:"85.25.72.70"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353246/; classtype:trojan-activity;sid:84216346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe"; depth:55; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353238/; classtype:trojan-activity;sid:84216338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimikatz.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353234/; classtype:trojan-activity;sid:84216334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilib.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353235/; classtype:trojan-activity;sid:84216335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//chromesetup.exe"; depth:17; endswith; nocase; http.host; content:"85.25.72.70"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_17; 
reference:url, urlhaus.abuse.ch/url/3353216/; classtype:trojan-activity;sid:84216316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353204)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp.ps1"; depth:7; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353204/; classtype:trojan-activity;sid:84216304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilove.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353189/; classtype:trojan-activity;sid:84216289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimidrv.sys"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353190/; classtype:trojan-activity;sid:84216290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3353192)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimispool.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_17; reference:url, urlhaus.abuse.ch/url/3353192/; classtype:trojan-activity;sid:84216292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3352821)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kaijiorder/cert/2a.hta"; depth:23; endswith; nocase; http.host; content:"182.92.99.95"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3352821/; classtype:trojan-activity;sid:84215921; rev:1;)
# Each rule below alerts on an outbound HTTP GET whose URI ends with the listed
# path (case-insensitive) and whose Host equals the listed name exactly
# (depth + isdataat:!1,relative pins the end of the host buffer).
#
# NOTE(review): in the next rule |3f| decodes to "?" and |7c| decodes to "|",
# so the pattern contains the literal text "|26|" between "download" and "id=".
# This looks like an "&" that was hex-escaped to |26| and then had its pipes
# escaped a second time; confirm against the URLhaus entry. depth:68 equals the
# length of the escaped rule text, while the decoded pattern is 59 bytes.
# NOTE(review): drive.google.com is normally reached over HTTPS, so an
# "alert http" rule presumably sees this request only where TLS is decrypted
# ahead of the sensor; verify coverage before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351932)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=12jgde-soib4liipbdhs55vkz7ek8_ua6"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351932/; classtype:trojan-activity;sid:84215032; rev:1;)
# NOTE(review): the github.com rules that follow carry the same HTTPS caveat;
# without TLS inspection the host/URI buffers are presumably never populated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ijeuwaesika/nna/raw/refs/heads/main/ifiinms.txt"; depth:48; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351478/; classtype:trojan-activity;sid:84214578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fsabxh/sfdawsdawdaw/raw/refs/heads/main/serials_checker.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351477/; classtype:trojan-activity;sid:84214577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xevioo/xeviohub/raw/refs/heads/main/critscript.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351430/; classtype:trojan-activity;sid:84214530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/grozniy1/folder/raw/refs/heads/main/444.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351428/; classtype:trojan-activity;sid:84214528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3351320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/raw/refs/heads/main/prueba.exe"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_16; reference:url, urlhaus.abuse.ch/url/3351320/; classtype:trojan-activity;sid:84214420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3347308)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/component/vc2005sp1redist_x86.exe"; depth:34; endswith; nocase; http.host; content:"windriversfiles.imeitools.com"; depth:29; isdataat:!1,relative; metadata:created_at 2024_12_13; reference:url, urlhaus.abuse.ch/url/3347308/; classtype:trojan-activity;sid:84210408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3346530)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whoafg/problemonfmech/refs/heads/main/client.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_12; reference:url, urlhaus.abuse.ch/url/3346530/; classtype:trojan-activity;sid:84209630; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3346026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaijiorder/cert/41a1111.hta"; depth:28; endswith; nocase; http.host; content:"182.92.99.95"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_12; reference:url, urlhaus.abuse.ch/url/3346026/; classtype:trojan-activity;sid:84209126; rev:1;)
# Each rule below alerts on an outbound HTTP GET whose URI ends with the listed
# path (case-insensitive) and whose Host equals the listed name exactly.
#
# NOTE(review): github.com is normally reached over HTTPS, so this "alert http"
# rule presumably fires only where TLS is decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3345089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n00b69/woasetup/releases/download/installers/dxwebsetup.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_11; reference:url, urlhaus.abuse.ch/url/3345076/; classtype:trojan-activity;sid:84208189; rev:1;)
# NOTE(review): the next rule (sid:84208176) has the same method, URI and host
# conditions as sid:84215921 (created_at 2024_12_16) elsewhere in this file;
# they differ only in URLhaus id, created_at and sid, so one matching request
# raises both alerts. Account for that when counting or correlating hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3345076)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaijiorder/cert/2a.hta"; depth:23; endswith; nocase; http.host; content:"182.92.99.95"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_11; reference:url, urlhaus.abuse.ch/url/3345076/; classtype:trojan-activity;sid:84208176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.x86"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344216/; classtype:trojan-activity;sid:84207316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm5"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; 
depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344177/; classtype:trojan-activity;sid:84207277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm7"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344172/; classtype:trojan-activity;sid:84207272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.ppc"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344116/; classtype:trojan-activity;sid:84207216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mpsl"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344054/; classtype:trojan-activity;sid:84207154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3344015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.sh4"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3344015/; classtype:trojan-activity;sid:84207115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343939)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm6"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343939/; classtype:trojan-activity;sid:84207039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.arm"; depth:16; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343827/; classtype:trojan-activity;sid:84206927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.m68k"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343814/; classtype:trojan-activity;sid:84206914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3343669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab4g5/josho.mips"; depth:17; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3343669/; classtype:trojan-activity;sid:84206769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340608)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anydesk.exe"; depth:12; endswith; nocase; http.host; content:"195.230.23.72"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340608/; classtype:trojan-activity;sid:84203708; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340580/; classtype:trojan-activity;sid:84203680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.spc"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340578/; classtype:trojan-activity;sid:84203678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340577)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.m68k"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340577/; classtype:trojan-activity;sid:84203677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm7"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340567/; classtype:trojan-activity;sid:84203667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.x86"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 
2024_12_10; reference:url, urlhaus.abuse.ch/url/3340568/; classtype:trojan-activity;sid:84203668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.mips"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340569/; classtype:trojan-activity;sid:84203669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm5"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340570/; classtype:trojan-activity;sid:84203670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.arm6"; depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340574/; classtype:trojan-activity;sid:84203674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.sh4"; depth:13; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340575/; classtype:trojan-activity;sid:84203675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins/hax.mpsl"; 
depth:14; endswith; nocase; http.host; content:"74.48.34.10"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340576/; classtype:trojan-activity;sid:84203676; rev:1;)
# Each rule below alerts on an outbound HTTP GET whose URI ends with the listed
# path (case-insensitive) and whose Host equals the listed name exactly.
#
# NOTE(review): github.com and raw.githubusercontent.com are normally reached
# over HTTPS, so these "alert http" rules presumably fire only where TLS is
# decrypted ahead of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dis3j/wagnerhook/releases/download/release/loader.exe"; depth:54; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340440/; classtype:trojan-activity;sid:84203540; rev:1;)
# NOTE(review): the next two rules match the literal text "%20" in http.uri.
# http.uri is Suricata's normalized URI buffer, in which percent-encoding is
# decoded, so an encoded space presumably arrives as 0x20 and these patterns
# would not match; http.uri.raw (or |20| in the pattern) is the usual way to
# cover it. Verify against a capture before relying on these two sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/xbest%20v1.exe"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340399/; classtype:trojan-activity;sid:84203499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/complexo%20v4.exe"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340398/; classtype:trojan-activity;sid:84203498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/box3d.dll"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340395/; 
classtype:trojan-activity;sid:84203495; rev:1;)
# Each rule below alerts on an outbound HTTP GET whose URI ends with the listed
# path (case-insensitive) and whose Host is exactly raw.githubusercontent.com.
#
# NOTE(review): raw.githubusercontent.com is normally reached over HTTPS, so
# these "alert http" rules presumably fire only where TLS is decrypted ahead
# of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/lkwan.dll"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340396/; classtype:trojan-activity;sid:84203496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/flunix9.dll"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340397/; classtype:trojan-activity;sid:84203497; rev:1;)
# NOTE(review): the next rule matches the literal text "%20" in http.uri.
# http.uri is Suricata's normalized URI buffer, in which percent-encoding is
# decoded, so an encoded space presumably arrives as 0x20 and this pattern
# would not match; http.uri.raw (or |20| in the pattern) is the usual way to
# cover it. Verify against a capture before relying on this sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340392)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/elzhas%20pannel.dll"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340392/; classtype:trojan-activity;sid:84203492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/morovip.dll"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340393/; classtype:trojan-activity;sid:84203493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340394)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/hazaxd.dll"; depth:29; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340394/; classtype:trojan-activity;sid:84203494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/xbest.dll"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340391/; classtype:trojan-activity;sid:84203491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3340390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xbest11/ddl1/main/blue_and_white.dll"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_10; reference:url, urlhaus.abuse.ch/url/3340390/; classtype:trojan-activity;sid:84203490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"117.20.27.25"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339219/; classtype:trojan-activity;sid:84202319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"182.93.83.124"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339221/; 
classtype:trojan-activity;sid:84202321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.236.133.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339181/; classtype:trojan-activity;sid:84202281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339179)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"47.49.114.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339179/; classtype:trojan-activity;sid:84202279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.110.204.150"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339168/; classtype:trojan-activity;sid:84202268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339161)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"37.220.123.125"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339161/; classtype:trojan-activity;sid:84202261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.233.125.238"; depth:15; isdataat:!1,relative; 
metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339162/; classtype:trojan-activity;sid:84202262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"216.155.92.203"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339119/; classtype:trojan-activity;sid:84202219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.236.135.177"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339126/; classtype:trojan-activity;sid:84202226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339116)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.225.179.160"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339116/; classtype:trojan-activity;sid:84202216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"186.125.133.244"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339100/; classtype:trojan-activity;sid:84202200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3339090)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; 
http.host; content:"186.46.58.174"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3339090/; classtype:trojan-activity;sid:84202190; rev:1;)
# URLhaus per-URL download signatures. Each rule alerts on a client GET from
# $HOME_NET to $EXTERNAL_NET whose http.uri is exactly the listed path (depth
# equal to the content length plus endswith, nocase) and whose http.host is
# exactly the listed host (depth plus isdataat:!1,relative). The number in msg
# and in the reference URL is the URLhaus entry id.
# NOTE(review): the hosts in this group (raw.githubusercontent.com,
# codeload.github.com) are shared platforms, so only the path identifies the
# listed file. They are normally served over HTTPS, and an `alert http` rule
# needs cleartext or decrypted HTTP at the sensor - confirm TLS inspection or
# proxy-log coverage before counting on these signatures.
# NOTE(review): several paths below read like public exploit or research
# repositories (judged from the names only, not verified here); a hit can come
# from a researcher or a test as well as from an intrusion, so triage with the
# requesting host's role in mind.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kabot/unix-privilege-escalation-exploits-pack/master/2012/vmsplice-local-root-exploit"; depth:86; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338656/; classtype:trojan-activity;sid:84201756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aissardp/payload/main/payload.exe"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338507/; classtype:trojan-activity;sid:84201607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cracker1337uwu/rrr/main/bypass.exe"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338505/; classtype:trojan-activity;sid:84201605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g1vi/cve-2023-2640-cve-2023-32629/main/exploit.sh"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338499/; classtype:trojan-activity;sid:84201599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nguyenmanmkt/repo1/main/exploit-2"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338493/; classtype:trojan-activity;sid:84201593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leetcipher/malware.development/main/self-injection/self-injection.exe"; depth:70; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338492/; classtype:trojan-activity;sid:84201592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cocomelonc/2022-01-14-malware-injection-13/master/hack.exe"; depth:59; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338475/; classtype:trojan-activity;sid:84201575; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leetcipher/malware.development/main/process-injection/process-injection.exe"; depth:76; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338471/; classtype:trojan-activity;sid:84201571; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sixaknow/uac_bypass_/main/module_377498327498dcxvc32434.dll"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338451/; classtype:trojan-activity;sid:84201551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3338443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pistacchietto/win-python-backdoor/master/standalone_payload.exe"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3338443/; classtype:trojan-activity;sid:84201543; rev:1;)
# Four codeload.github.com branch archives whose paths differ in one segment
# (f, c, u, i); each exact-match rule covers one archive only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/f/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337794/; classtype:trojan-activity;sid:84200894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/c/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337795/; classtype:trojan-activity;sid:84200895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/u/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337796/; classtype:trojan-activity;sid:84200896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ty9989/i/zip/refs/heads/main"; depth:29; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_09; reference:url, urlhaus.abuse.ch/url/3337797/; classtype:trojan-activity;sid:84200897; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rahmoundll/kak/main/glew64.dll"; depth:31; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337035/; classtype:trojan-activity;sid:84200135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337026)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nkaslq1/ankrnl/refs/heads/main/alphatweaks.exe"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337026/; classtype:trojan-activity;sid:84200126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0lt/virtualdub2/releases/download/2.1.3/virtualdub2_v2.1.3.667_win32.7z"; depth:73;
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337015/; classtype:trojan-activity;sid:84200115; rev:1;)
# Per-URL download signatures: each rule needs an exact http.uri match (depth
# plus endswith, nocase) and an exact http.host match (depth plus
# isdataat:!1,relative) on a client GET.
# created_at on the complete rules below is 2024_12_08, well before the
# "Last updated" date in the file header; check the reference entry for the
# URL's current status when triaging a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337012)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgmb/update.exe"; depth:16; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337012/; classtype:trojan-activity;sid:84200112; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3337004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/skibidixelaina/wuselaina/raw/refs/heads/main/build.exe"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3337004/; classtype:trojan-activity;sid:84200104; rev:1;)
# NOTE(review): three of the rules below name files under
# /keygroup777-ransomware/downloader/ - two via raw.githubusercontent.com and
# one via the github.com /raw/ form. Matching is per file and per host form, so
# other files under that prefix are covered only if they have their own entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336992)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygroup777-ransomware/downloader/refs/heads/main/taskmoder.exe"; depth:64; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336992/; classtype:trojan-activity;sid:84200092; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336993)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z-beam/movaflag/releases/download/1.0.2/mova.exe"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336993/; classtype:trojan-activity;sid:84200093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygroup777-ransomware/downloader/refs/heads/main/cssgo.exe"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336990/; classtype:trojan-activity;sid:84200090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygroup777-ransomware/downloader/raw/refs/heads/main/black.exe"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336983/; classtype:trojan-activity;sid:84200083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336095)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stubgenerator/stub/main/stub.exe"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336095/; classtype:trojan-activity;sid:84199195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nikolaevich23/make-pkg-bat/master/setup.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336077/; classtype:trojan-activity;sid:84199177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eirxne/valorant-axeprime/main/axeprime.dll"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336072/; classtype:trojan-activity;sid:84199172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stephenfewer/reflectivedllinjection/refs/heads/master/bin/reflective_dll.dll"; depth:77; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336068/; classtype:trojan-activity;sid:84199168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336058)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anessdev/talha/main/talha.dll"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336058/; classtype:trojan-activity;sid:84199158; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3336049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqrtzeroknowledge/xworm-trojan/zip/refs/heads/main"; depth:51; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_08; reference:url, urlhaus.abuse.ch/url/3336049/; classtype:trojan-activity;sid:84199149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335208)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/barrigudinha157/barrigudinha/master/rage.dll"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335208/; classtype:trojan-activity;sid:84198308; rev:1;)
# Per-URL download signatures: exact http.uri match (depth plus endswith,
# nocase) and exact http.host match (depth plus isdataat:!1,relative) on a
# client GET from $HOME_NET.
# Host 211.204.100.20 is an IP literal matched in http.host, i.e. against the
# Host header value; the destination address itself is `$EXTERNAL_NET any`.
# NOTE(review): a listed IP may have changed hands since created_at
# 2024_12_07 - confirm with the reference entry before escalating a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infectsocks32_sql_antivirus.vmp.dll"; depth:36; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335175/; classtype:trojan-activity;sid:84198275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shadowforce2008_64_add.vmp.dll"; depth:31; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335174/; classtype:trojan-activity;sid:84198274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infectsocks64_sql_antivirus.vmp.dll"; depth:36; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335173/; classtype:trojan-activity;sid:84198273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ndisinstaller3.2.32.1.exe"; depth:26; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335156/; classtype:trojan-activity;sid:84198256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs/2018-11/20181122103207926164.doc"; depth:38; endswith; nocase; http.host; content:"xww.bucea.edu.cn"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335149/; classtype:trojan-activity;sid:84198249; rev:1;)
# NOTE(review): this site appears under two host forms in this group
# (www.reifenquick.de twice, reifenquick.de once), each with a different path.
# http.host is an exact match, so a listed path requested under the other host
# form is not covered by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/statement/ul397wfyb/"; depth:29; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335154/; classtype:trojan-activity;sid:84198254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335147)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iatinfect2008_64.exe"; depth:21; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335147/; classtype:trojan-activity;sid:84198247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335141)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winsetaccess64.exe"; depth:19; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335141/; classtype:trojan-activity;sid:84198241; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/writedat.exe"; depth:13; endswith; nocase; http.host; content:"211.204.100.20"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335135/; classtype:trojan-activity;sid:84198235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/hl8-8w4cs-6325/"; depth:24; endswith; nocase; http.host; content:"reifenquick.de"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335132/; classtype:trojan-activity;sid:84198232; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335119)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mytime/files/3.3.7.0/mytime.exe"; depth:32; endswith; nocase; http.host; content:"down.ruanmei.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335119/; classtype:trojan-activity;sid:84198219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cg70/update.exe"; depth:16; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335118/; classtype:trojan-activity;sid:84198218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3335096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/closed_957176_mxqsdoj6a4iz/close_warehouse/ql55hnq09iyn6lm_334stxvw03wyv/"; depth:82; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2024_12_07; reference:url, urlhaus.abuse.ch/url/3335096/; classtype:trojan-activity;sid:84198196; rev:1;)
# Host 103.163.119.220: the file names share the stem "aqua." with suffixes
# such as sh4 and x86_64. NOTE(review): the suffixes look like CPU-architecture
# tags, which would fit a multi-architecture Linux payload set - unverified
# here. A $HOME_NET embedded or IoT device making one of these requests
# deserves a closer look at how it was told to fetch the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.dbg"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333897/; classtype:trojan-activity;sid:84196997; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.sh4"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333896/; classtype:trojan-activity;sid:84196996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333895)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.x86_64"; depth:12; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333895/; classtype:trojan-activity;sid:84196995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/namblack666/zxqqw/refs/heads/main/main.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333657/; classtype:trojan-activity;sid:84196757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333658)"; flow:established,from_client; http.method; content:"GET"; http.uri;
content:"/namblack666/zxqqw/refs/heads/main/main1.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333658/; classtype:trojan-activity;sid:84196758; rev:1;)
# Per-URL download signatures, all created_at 2024_12_06: exact http.uri match
# (depth plus endswith, nocase) and exact http.host match (depth plus
# isdataat:!1,relative) on a client GET from $HOME_NET.
# NOTE(review): most hosts below are raw.githubusercontent.com or
# codeload.github.com, which are normally served over HTTPS; `alert http`
# needs cleartext or decrypted HTTP at the sensor to see these requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nam-black/moneyandbitch/refs/heads/main/main1.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333656/; classtype:trojan-activity;sid:84196756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apk/pthlearning.apk"; depth:20; endswith; nocase; http.host; content:"chinaapper.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333527/; classtype:trojan-activity;sid:84196627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azertyuiopexe/fud-crypter/zip/refs/heads/main"; depth:46; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333522/; classtype:trojan-activity;sid:84196622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joh81/exploi01/main/document.zip"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333521/; classtype:trojan-activity;sid:84196621; rev:1;)
# NOTE(review): nine entries below are codeload.github.com archives of
# /daneeltrevize/tabsat/ at different tags (legacy.tar.gz and legacy.zip). Each
# rule matches one tag and one archive format exactly; whether every tag is
# malicious cannot be judged from the rule text - see the reference entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.8"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333518/; classtype:trojan-activity;sid:84196618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.10"; depth:50; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333513/; classtype:trojan-activity;sid:84196613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333514)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.3"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333514/; classtype:trojan-activity;sid:84196614; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hwangyounggul33/windows10/refs/heads/main/privacypolicy.exe"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333511/; classtype:trojan-activity;sid:84196611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/caocaocc/yacd/zip/refs/heads/gh-pages"; depth:38; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333509/; classtype:trojan-activity;sid:84196609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.11"; depth:50; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333508/; classtype:trojan-activity;sid:84196608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333499)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fericarr/newky/refs/heads/main/agentnov.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333499/; classtype:trojan-activity;sid:84196599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.zip/refs/tags/0.8.1"; depth:48; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333503/; classtype:trojan-activity;sid:84196603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333495)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.5"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333495/; classtype:trojan-activity;sid:84196595; rev:1;)
# NOTE(review): the archives named invoke-phant0m and mimikatzwindows below
# carry names of publicly known offensive-security tools (a name-based
# observation only). Expect hits from authorised testers as well; correlate
# with the asset owner and any approved test window before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d-7uble/invoke-phant0m/zip/refs/heads/master"; depth:45; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333493/; classtype:trojan-activity;sid:84196593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333494)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.zip/refs/tags/0.7.1"; depth:48; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333494/; classtype:trojan-activity;sid:84196594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/54n4l/mimikatzwindows/zip/refs/heads/master"; depth:44; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333489/; classtype:trojan-activity;sid:84196589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333485)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.9"; depth:49; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333485/; classtype:trojan-activity;sid:84196585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daneeltrevize/tabsat/legacy.tar.gz/refs/tags/0.9.1"; depth:51; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333482/; classtype:trojan-activity;sid:84196582; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333481)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crowly-ai/hello-world/refs/heads/main/zubovlekciya.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333481/; classtype:trojan-activity;sid:84196581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/heresfilly09-9/fornova/main/svchost.exe"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333479/; classtype:trojan-activity;sid:84196579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/calendar/setup.exe"; depth:33; endswith; nocase; http.host; content:"ojang.pe.kr"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333458/;
classtype:trojan-activity;sid:84196558; rev:1;)
# Per-URL download signatures, all created_at 2024_12_06: exact http.uri match
# (depth plus endswith, nocase) and exact http.host match (depth plus
# isdataat:!1,relative) on a client GET from $HOME_NET.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/calendar.exe"; depth:27; endswith; nocase; http.host; content:"ojang.pe.kr"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333457/; classtype:trojan-activity;sid:84196557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/jeditor/jeditor.exe"; depth:34; endswith; nocase; http.host; content:"ojang.pe.kr"; depth:11; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333456/; classtype:trojan-activity;sid:84196556; rev:1;)
# NOTE(review): the next path reads like a public malware-sample repository
# (judged from the path only). A hit from an analyst workstation or sandbox
# subnet may be expected activity; a hit from any other host is not.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytisf/thezoo/refs/heads/master/malware/binaries/ransomware.wannacry/ransomware.wannacry.zip"; depth:92; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333439/; classtype:trojan-activity;sid:84196539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/master/donut.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333369/; classtype:trojan-activity;sid:84196469; rev:1;)
# Host 103.163.119.220 is an IP literal matched against the Host header value
# (http.host), not against the destination address. The aqua.* names differ
# only in suffix; NOTE(review): the suffixes look like CPU-architecture tags -
# unverified here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333359)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.mpsl"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333359/; classtype:trojan-activity;sid:84196459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.i686"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333355/; classtype:trojan-activity;sid:84196455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.x86"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333357/; classtype:trojan-activity;sid:84196457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getrektboy724/sementara/raw/master/donut.exe"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333350/; classtype:trojan-activity;sid:84196450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm7"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333351/; classtype:trojan-activity;sid:84196451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333352)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.m68k"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333352/; classtype:trojan-activity;sid:84196452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm4"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333353/; classtype:trojan-activity;sid:84196453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333343)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.mips"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333343/; classtype:trojan-activity;sid:84196443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm6"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333322/; classtype:trojan-activity;sid:84196422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/17793058/lg246dre.txt"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333321/; classtype:trojan-activity;sid:84196421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.arm5"; depth:10; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333316/; classtype:trojan-activity;sid:84196416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aqua.ppc"; depth:9; endswith; nocase; http.host; content:"103.163.119.220"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333317/; classtype:trojan-activity;sid:84196417; rev:1;)
# NOTE(review): the path below is lower-case and matched nocase. If the service
# treats the identifier after /raw/ as case-sensitive, this rule also matches
# identifiers that differ only in letter case - a possible false positive;
# compare the alerting request with the reference entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3333279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jtdamhd5"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3333279/; classtype:trojan-activity;sid:84196379; rev:1;)
# NOTE(review): the next four rules put literal percent-escapes (%e2, %20, ...)
# in content under http.uri, with depth sized to the escaped text. Suricata
# documents http.uri as the normalized URI; if escapes are decoded in that
# buffer these rules cannot match. Replay a sample request to verify, and
# consider http.uri.raw in a locally maintained copy if they do not fire.
# The host xn--yh4bx88a.com is listed in its punycode (xn--) form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/files/9/%e2%98%85%ec%a0%9c%ed%92%88%ec%82%ac%ec%9a%a9%ec%a0%84%20%ed%95%84%ec%88%98%ec%85%8b%ed%8c%85%e2%98%85.zip"; depth:123; endswith; nocase; http.host; content:"xn--yh4bx88a.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332955/; classtype:trojan-activity;sid:84196055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/files/9/%e2%ab%b8%ec%a0%9c%ed%92%88%ec%82%ac%ec%9a%a9%ec%a0%84%20%ed%95%84%ec%88%98%ec%85%8b%ed%8c%85%e2%ab%b7.zip"; depth:123; endswith; nocase; http.host; content:"xn--yh4bx88a.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332954/; classtype:trojan-activity;sid:84196054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noccenter/noccenter/refs/heads/main/huong%20dan%20xu%20ly%20tai%20khoan%20mail%20noi%20bo.zip"; depth:94; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332792/; classtype:trojan-activity;sid:84195892; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noccenter/noccenter/raw/refs/heads/main/huong%20dan%20xu%20ly%20tai%20khoan%20mail%20noi%20bo.zip"; depth:98; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332783/; classtype:trojan-activity;sid:84195883; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baksvoronov/testingflrplgpreg/raw/refs/heads/main/connector1.exe"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332780/;
classtype:trojan-activity;sid:84195880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xevioo/xeviohub/main/critscript.exe"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332771/; classtype:trojan-activity;sid:84195871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332764)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mae-luadev/mae-tests/main/system.exe"; depth:37; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332764/; classtype:trojan-activity;sid:84195864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3332757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mae-luadev/mae-tests/raw/main/system.exe"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_06; reference:url, urlhaus.abuse.ch/url/3332757/; classtype:trojan-activity;sid:84195857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/opyhjdase.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331919/; classtype:trojan-activity;sid:84195019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331862)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/popapoers.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331862/; classtype:trojan-activity;sid:84194962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331850)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/presema/kersal/refs/heads/main/pfntjejghjsdkr.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331850/; classtype:trojan-activity;sid:84194950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frenzy-zwaake/discordrat-2.0/main/client-built.exe"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331699/; classtype:trojan-activity;sid:84194799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fofit-rater/1/refs/heads/main/xclient.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331669/; classtype:trojan-activity;sid:84194769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331670)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/efedursun125/xfakeplayers/master/xclient.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331670/; classtype:trojan-activity;sid:84194770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331664)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2/long-glade-33dc08/original//rump_img.jpeg"; depth:45; endswith; nocase; http.host; content:"cdn.pixelbin.io"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331664/; classtype:trojan-activity;sid:84194764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abhidadatg/worm/refs/heads/main/xclient.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331665/; classtype:trojan-activity;sid:84194765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jikoos/rrr/main/xclient.exe"; depth:28; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331648/; classtype:trojan-activity;sid:84194748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/debug2.ps1"; depth:30; endswith; nocase; http.host; content:"www.drgenov.com"; depth:15; isdataat:!1,relative; metadata:created_at 
2024_12_05; reference:url, urlhaus.abuse.ch/url/3331649/; classtype:trojan-activity;sid:84194749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lvlh01am/wrwrwr/main/xclient.exe"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331644/; classtype:trojan-activity;sid:84194744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lvlh01am/adad/main/xclient.exe"; depth:31; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331643/; classtype:trojan-activity;sid:84194743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frenzy-zwaake/discordrat-2.0/deferred-metadata/main/client-built.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331639/; classtype:trojan-activity;sid:84194739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whois-black/qew123/main/xclient.exe"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331640/; classtype:trojan-activity;sid:84194740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3331636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paco321312312/cautious-sniffle/main/xclient.exe"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331636/; classtype:trojan-activity;sid:84194736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joeljosephpajeet/testexe/refs/heads/main/xclient.exe"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331633/; classtype:trojan-activity;sid:84194733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/debug4.ps1"; depth:30; endswith; nocase; http.host; content:"www.drgenov.com"; depth:15; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331626/; classtype:trojan-activity;sid:84194726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cheetz/nishang/master/gather/keylogger.ps1"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331630/; classtype:trojan-activity;sid:84194730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331588)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cookieskush/pip-package-template/master/client-built.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331588/; classtype:trojan-activity;sid:84194688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331574)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/efedursun125/xfakeplayers/refs/heads/master/xclient.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331574/; classtype:trojan-activity;sid:84194674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cidadejunina/js/vendor/debug2.ps1"; depth:34; endswith; nocase; http.host; content:"transparenciacanaa.com.br"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331534/; classtype:trojan-activity;sid:84194634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_-w5me4evtzbdzix_v_ymzdelazhrv5z"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331498/; classtype:trojan-activity;sid:84194598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331500)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1nskagzrswpttoue3wbrhdqpyzlyve4tg"; depth:68; endswith; 
nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331500/; classtype:trojan-activity;sid:84194600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3331490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1o3zw7sodji4uk954kngkdyshyl37gozq"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_12_05; reference:url, urlhaus.abuse.ch/url/3331490/; classtype:trojan-activity;sid:84194590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3318580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.39.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_12_03; reference:url, urlhaus.abuse.ch/url/3318580/; classtype:trojan-activity;sid:84181680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3318309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khangdz1801/raw/refs/heads/main/sound.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_12_03; reference:url, urlhaus.abuse.ch/url/3318309/; classtype:trojan-activity;sid:84181409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2/plugin2.dll"; depth:15; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317713/; classtype:trojan-activity;sid:84180813; rev:1;) 
# Run of URLhaus-generated download-URL signatures (URLhaus ids 3317712 .. 3300387).
# Each rule alerts on an established client-to-server HTTP flow from $HOME_NET to
# $EXTERNAL_NET whose method contains "GET" and whose URI and Host both match one
# URL listed on URLhaus (see the reference:url of each rule).
#
# How the match is pinned:
#   http.uri  content + depth:N + endswith  -> the pattern must sit inside the first N
#             bytes of the URI buffer and end at its last byte; nocase makes the
#             comparison case-insensitive.
#   http.host content + depth:N + isdataat:!1,relative -> no byte may follow the
#             pattern, so a longer host name that merely starts with it does not match.
#
# Operational caveats for whoever deploys this run:
#   - These are per-URL indicators. A changed path, an added query string or a new
#     host is not covered, so treat a quiet sensor as "this exact URL was not
#     fetched", not as "no download happened".
#   - The rules are "alert http": they only see traffic Suricata parses as HTTP.
#     Hosts that are normally reached over HTTPS (drive.google.com,
#     raw.githubusercontent.com) are only visible here if TLS is decrypted before
#     the sensor; otherwise pair these rules with DNS/TLS-SNI or proxy-log detections.
#   - Every rule is written on its own line below, which is the layout the Suricata
#     rule loader expects (one signature per line).

# Three DLL paths under /m2/ on the same IP host (the third, plugin2.dll, precedes this run).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2/plugin1.dll"; depth:15; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317712/; classtype:trojan-activity;sid:84180812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2/plugin3.dll"; depth:15; endswith; nocase; http.host; content:"165.154.184.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317707/; classtype:trojan-activity;sid:84180807; rev:1;)

# Path under /wp-includes/ on a named site; the URI has no file extension.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3317497)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/images/media/thing2"; depth:32; endswith; nocase; http.host; content:"divvanews.com"; depth:13; isdataat:!1,relative; metadata:created_at 2024_12_02; reference:url, urlhaus.abuse.ch/url/3317497/; classtype:trojan-activity;sid:84180597; rev:1;)

# Two executables under /order/ on the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3315253)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/purchaseorder.exe"; depth:24; endswith; nocase; http.host; content:"csg-app.com"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_30; reference:url, urlhaus.abuse.ch/url/3315253/; classtype:trojan-activity;sid:84178353; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3315254)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/putty.exe"; depth:16; endswith; nocase; http.host; content:"csg-app.com"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_30; reference:url, urlhaus.abuse.ch/url/3315254/; classtype:trojan-activity;sid:84178354; rev:1;)

# Same URI (/photo.scr) on five different IP hosts, all added on 2024_11_27.
# The URI half is identical, so only the Host value separates these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308912)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"75.18.210.21"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308912/; classtype:trojan-activity;sid:84172012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308894)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"218.155.74.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308894/; classtype:trojan-activity;sid:84171994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"189.61.50.98"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308883/; classtype:trojan-activity;sid:84171983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"141.155.36.213"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308875/; classtype:trojan-activity;sid:84171975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"5.26.174.234"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308847/; classtype:trojan-activity;sid:84171947; rev:1;)

# NOTE(review): applies to all four drive.google.com rules in this run
# (sids 84171898, 84171897, 84166917, 84166918).
# In a content string |3f| is the byte "?", but |7c|26|7c| decodes to the four
# literal characters "|26|" (0x7c, '2', '6', 0x7c), not to "&" (0x26). This looks
# like a double-escaped "&" from the rule generator; as written the pattern only
# matches a URI that really contains "|26|" between "export=download" and "id=",
# so the rules would presumably not fire on a "...export=download&id=..." request.
# Verify against the URLhaus entries and report upstream rather than patching locally.
# Related: depth:68 equals the length of the escaped text; the decoded pattern is
# shorter, so depth is a looser bound here than in the other rules of this run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1idr9p3dgxkblhu7h4jckclzmtlibwsiw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308798/; classtype:trojan-activity;sid:84171898; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3308797)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1c2pnucvma1shu90mnauhef6shildth-s"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_27; reference:url, urlhaus.abuse.ch/url/3308797/; classtype:trojan-activity;sid:84171897; rev:1;)

# Three-byte URI "/.i" on an IP host. The match is exact on both buffers, but the
# pattern is short enough that the Host condition carries most of the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3305535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"111.185.23.52"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_26; reference:url, urlhaus.abuse.ch/url/3305535/; classtype:trojan-activity;sid:84168635; rev:1;)

# Two more drive.google.com rules; the NOTE(review) on |7c|26|7c| above applies to both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3303817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1jbzzntbk1kuszoofww7hsqfdh066ontf"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_25; reference:url, urlhaus.abuse.ch/url/3303817/; classtype:trojan-activity;sid:84166917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3303818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hkvynldkcbdd50_bsw3s9tk5elbduxtg"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_25; reference:url, urlhaus.abuse.ch/url/3303818/; classtype:trojan-activity;sid:84166918; rev:1;)

# Files served from raw.githubusercontent.com repositories (archive, Excel add-in,
# batch script). The host is a shared content service, so the URI path is what
# identifies the file; the TLS-visibility caveat in the header applies.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/dcm/refs/heads/main/document.zip"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300394/; classtype:trojan-activity;sid:84163494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/test.xll"; depth:46; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300382/; classtype:trojan-activity;sid:84163482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/refs/heads/main/ud.bat"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300387/; classtype:trojan-activity;sid:84163487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/refs/heads/main/t.png"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300377/; classtype:trojan-activity;sid:84163477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300378)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/template.dotm"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300378/; classtype:trojan-activity;sid:84163478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/doadmin.png"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300374/; classtype:trojan-activity;sid:84163474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300375)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/steamerx.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300375/; classtype:trojan-activity;sid:84163475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300376)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/justpoc.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300376/; classtype:trojan-activity;sid:84163476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steamer/malwerjobs/refs/heads/master/scriptlet"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_23; reference:url, urlhaus.abuse.ch/url/3300372/; classtype:trojan-activity;sid:84163472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3300068)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/es.hta"; depth:7; endswith; nocase; http.host; content:"pub-cdd0dd27ae6a4aee9841d397e0496374.r2.dev"; depth:43; isdataat:!1,relative; metadata:created_at 2024_11_22; reference:url, urlhaus.abuse.ch/url/3300068/; classtype:trojan-activity;sid:84163168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298219)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saked018/rivada/raw/refs/heads/main/mis_file_9888123_received_xsls.zip"; depth:71; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298219/; classtype:trojan-activity;sid:84161319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/dcm/raw/refs/heads/main/document.zip"; depth:46; 
endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298207/; classtype:trojan-activity;sid:84161307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/ud/raw/refs/heads/main/ud.bat"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298202/; classtype:trojan-activity;sid:84161302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298205)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/raw/refs/heads/main/u.xls"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298205/; classtype:trojan-activity;sid:84161305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3298201)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rouki555/lnk/raw/refs/heads/main/ud.bat"; depth:40; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_21; reference:url, urlhaus.abuse.ch/url/3298201/; classtype:trojan-activity;sid:84161301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3296209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crm/exe/update.exe"; depth:19; endswith; nocase; http.host; content:"www.zhikey.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_19; reference:url, urlhaus.abuse.ch/url/3296209/; classtype:trojan-activity;sid:84159309; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3294913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledshow1.exe"; depth:13; endswith; nocase; http.host; content:"101.200.220.118"; depth:15; isdataat:!1,relative; metadata:created_at 2024_11_18; reference:url, urlhaus.abuse.ch/url/3294913/; classtype:trojan-activity;sid:84158013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3294619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noureddine-nt9/rgsdr/raw/refs/heads/main/cheet.exe"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_18; reference:url, urlhaus.abuse.ch/url/3294619/; classtype:trojan-activity;sid:84157719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3292014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n/tui/mininews/mininewsplus/3.0.0.26165/mininewsplus-2.exe"; depth:59; endswith; nocase; http.host; content:"mininews.kpzip.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_11_15; reference:url, urlhaus.abuse.ch/url/3292014/; classtype:trojan-activity;sid:84155114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3291869)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/stories/guides/guide2018.exe"; depth:36; endswith; nocase; http.host; content:"dcwblida.dz"; depth:11; isdataat:!1,relative; metadata:created_at 2024_11_15; reference:url, urlhaus.abuse.ch/url/3291869/; classtype:trojan-activity;sid:84154969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3290573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; 
http.host; content:"118.44.144.198"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_14; reference:url, urlhaus.abuse.ch/url/3290573/; classtype:trojan-activity;sid:84153673; rev:1;)
# Generated URLhaus download-URL signatures. Each rule alerts on an outbound,
# established-flow GET whose http.uri ends with the listed path and whose
# http.host is the listed host. Where depth equals the pattern length, depth plus
# endswith pins the whole URI; isdataat:!1,relative after the host content
# rejects hosts that continue past the pattern.
#
# NOTE(review): the pattern below carries a literal "%20" but is matched in
# http.uri, which Suricata documents as the normalized URI buffer; the
# un-normalized form is http.uri.raw. depth:74 is the length with "%20" kept, so
# a decoded space would not match. Replay a capture to confirm the rule can fire.
# NOTE(review): this host is normally reached over HTTPS, so the rule only sees
# a plaintext request or TLS-decrypted traffic. Confirm coverage with proxy or
# endpoint telemetry that records the full URL.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3289875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r00ts3c/ddos-rootsec/refs/heads/master/ddos%20scripts/l4/udp/10gbpsudp.py"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_14; reference:url, urlhaus.abuse.ch/url/3289875/; classtype:trojan-activity;sid:84152975; rev:1;)
# The next three rules differ only in host and date. The two-byte URI "/i" is
# generic on its own, so the http.host condition is what keeps each rule
# specific; keep it intact when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3289466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.255.216.26"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_13; reference:url, urlhaus.abuse.ch/url/3289466/; classtype:trojan-activity;sid:84152566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3288915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"220.118.75.244"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_13; reference:url, urlhaus.abuse.ch/url/3288915/; classtype:trojan-activity;sid:84152015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3287640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.171.188.254"; depth:15; isdataat:!1,relative; metadata:created_at 2024_11_12; reference:url, urlhaus.abuse.ch/url/3287640/; classtype:trojan-activity;sid:84150740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known
malware download URL detected (3286828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.73.64.24"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286828/; classtype:trojan-activity;sid:84149928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.77.228.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286821/; classtype:trojan-activity;sid:84149921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.70.244.17"; depth:13; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286371/; classtype:trojan-activity;sid:84149471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3286067)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/erez-goldberg/rust-reverse-shell/main/shellcode.bin"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_11; reference:url, urlhaus.abuse.ch/url/3286067/; classtype:trojan-activity;sid:84149167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3281714)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3cur3th1ssh1t/creds/master/obfuscatedps/dccuac.ps1"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; 
metadata:created_at 2024_11_08; reference:url, urlhaus.abuse.ch/url/3281714/; classtype:trojan-activity;sid:84144814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3281085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/barrigudinha157/barrigudinha/raw/master/rage.dll"; depth:49; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_07; reference:url, urlhaus.abuse.ch/url/3281085/; classtype:trojan-activity;sid:84144185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3280990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/2d424qwn"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_11_07; reference:url, urlhaus.abuse.ch/url/3280990/; classtype:trojan-activity;sid:84144090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3279353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xavieprowel/crispy-palm-tree/releases/download/1/3e3ev3.exe"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3279353/; classtype:trojan-activity;sid:84142453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/txdown_disk/%e8%bd%af%e4%bb%b6%e4%bd%bf%e7%94%a8/%e7%bc%ba%e5%a4%b1%e4%b8%8b%e8%bd%bd/plugin.dll"; depth:97; endswith; nocase; http.host; content:"disk.accord1key.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278669/; classtype:trojan-activity;sid:84141769; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ciphershld/ms-p-1a/master/setup%20ms%20p-1a.exe"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278573/; classtype:trojan-activity;sid:84141673; rev:1;)
# NOTE(review): the rule ending on the line above (sid 84141673) matches "%20"
# literally in http.uri. Suricata documents http.uri as the normalized URI and
# http.uri.raw as the un-normalized one, so this pattern may never match as
# written. Verify with a capture.
#
# The two rules below pin an exact path on raw.githubusercontent.com (depth
# equals the pattern length, combined with endswith).
# NOTE(review): that host is normally served over HTTPS, so without TLS
# decryption these rules see at most a plaintext request. Confirm coverage
# against proxy logs.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minecradt/regdelete/readme-edits/hell9o.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278576/; classtype:trojan-activity;sid:84141676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openpeach/dotnetfx_cleanup_tool/refs/heads/master/cleanup_tool.exe"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278567/; classtype:trojan-activity;sid:84141667; rev:1;)
# NOTE(review): in the pattern below "|3f|" is "?", but "|7c|26|7c|" decodes to
# the four literal bytes |26| (0x7c is the pipe character), not to "&" (0x26).
# This looks like double escaping by the rule generator. If the listed URL used
# "&id=", the pattern would need "|26|" instead, and as written the rule is
# unlikely to match real traffic. Check the URLhaus entry referenced in the
# rule before relying on it.
# NOTE(review): depth:68 is the length of the pattern text with escapes; the
# decoded pattern is 59 bytes, so depth plus endswith does not pin the URI
# start here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3278362)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1las2cmd3reobg45qhkqhawi90h4_u0kd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278362/; classtype:trojan-activity;sid:84141462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected
(3278361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=17hv9-3t2ilikbmcfql2z66ipd72x4mz7"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_06; reference:url, urlhaus.abuse.ch/url/3278361/; classtype:trojan-activity;sid:84141461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3276956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mig"; depth:4; endswith; nocase; http.host; content:"216.201.80.197"; depth:14; isdataat:!1,relative; metadata:created_at 2024_11_05; reference:url, urlhaus.abuse.ch/url/3276956/; classtype:trojan-activity;sid:84140056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3276896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loistupidpet/sfdawsdawdaw/main/serials_checker.exe"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_05; reference:url, urlhaus.abuse.ch/url/3276896/; classtype:trojan-activity;sid:84139996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1kc4fdseohzqymz2x0ncqswph66uxdb1z"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275669/; classtype:trojan-activity;sid:84138769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275667)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1u_rahqbks7vd7qqc6wx3gxnjxtfqrzbp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275667/; classtype:trojan-activity;sid:84138767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1-8qpzgr4-iis53p1-kr2-o6prrjmnksk"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275658/; classtype:trojan-activity;sid:84138758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275656)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ubqrhziusgl-cn_nie2_udj4qi6qrqsw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275656/; classtype:trojan-activity;sid:84138756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ikoxnnlvglh6jhnfqkrsihss_p2dqkyp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275240/; classtype:trojan-activity;sid:84138340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275241)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1r7oi2jekx0ks1wqpt0ms3_kqvukzy3dv"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275241/; classtype:trojan-activity;sid:84138341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3275242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gmzqsemymffka4lve0jkwa06sklk7xhu"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_11_04; reference:url, urlhaus.abuse.ch/url/3275242/; classtype:trojan-activity;sid:84138342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3274064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/borisizdabezt/exitlag-hwid-spoofer/main/drv64.dll"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274064/; classtype:trojan-activity;sid:84137164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3274049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realstrings/lydian-spoofer/raw/main/spoofy.sys"; depth:47; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274049/; classtype:trojan-activity;sid:84137149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3274047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realstrings/lydian-spoofer/refs/heads/main/spoofy.sys"; depth:54; endswith; nocase; http.host; 
content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274047/; classtype:trojan-activity;sid:84137147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3274048)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/realstrings/lydian-spoofer/raw/refs/heads/main/spoofy.sys"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_03; reference:url, urlhaus.abuse.ch/url/3274048/; classtype:trojan-activity;sid:84137148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3272092)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ordogos2/g575/releases/download/download/setup.7.0.zip"; depth:55; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3272092/; classtype:trojan-activity;sid:84135192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271922)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/injector.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271922/; classtype:trojan-activity;sid:84135022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271925)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/loader.exe"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, 
urlhaus.abuse.ch/url/3271925/; classtype:trojan-activity;sid:84135025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/ogfn%20updater.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271919/; classtype:trojan-activity;sid:84135019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leakerbydragon1/leakerbydragon1/main/pclient.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271920/; classtype:trojan-activity;sid:84135020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sdifru877234/ilu123g5/main/svchost.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271624/; classtype:trojan-activity;sid:84134724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/regolx1/hadb/refs/heads/main/svchost.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271617/; classtype:trojan-activity;sid:84134717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3271614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chokopie333/doom/main/svchost.exe"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271614/; classtype:trojan-activity;sid:84134714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/morgantaraum/automatic-octo-barnacle/refs/heads/main/svchost.exe"; depth:65; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271609/; classtype:trojan-activity;sid:84134709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/media/furystorage/api/main/svchost.exe"; depth:39; endswith; nocase; http.host; content:"media.githubusercontent.com"; depth:27; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271610/; classtype:trojan-activity;sid:84134710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271611)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zodiac1616/test/refs/heads/main/svchost.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271611/; classtype:trojan-activity;sid:84134711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271596)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/heresfilly09-9/fornova/raw/main/svchost.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271596/; classtype:trojan-activity;sid:84134696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chokopie333/doom/raw/main/svchost.exe"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271586/; classtype:trojan-activity;sid:84134686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/morgantaraum/automatic-octo-barnacle/raw/refs/heads/main/svchost.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271587/; classtype:trojan-activity;sid:84134687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271366)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzrevva1/osu-maple/refs/heads/main/extremeinjector.exe"; depth:55; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271366/; classtype:trojan-activity;sid:84134466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3271369)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zzrevva1/osu-maple/raw/refs/heads/main/extremeinjector.exe"; depth:59; endswith; nocase; http.host; content:"github.com"; 
depth:10; isdataat:!1,relative; metadata:created_at 2024_11_02; reference:url, urlhaus.abuse.ch/url/3271369/; classtype:trojan-activity;sid:84134469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/novocrm/static/winring0x64.sys"; depth:31; endswith; nocase; http.host; content:"118.189.172.141"; depth:15; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270196/; classtype:trojan-activity;sid:84133296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270195)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ggassistant/update/2.3.11.29/tool/winring0x64.sys|3f|skq=1701042218"; depth:68; endswith; nocase; http.host; content:"shqdown.ggzuhao.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270195/; classtype:trojan-activity;sid:84133295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270193)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miguel-b-p/..../raw/main/winring0x64.sys"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270193/; classtype:trojan-activity;sid:84133293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/silenthashik/winring/raw/main/winring0x64.sys"; depth:46; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270185/; classtype:trojan-activity;sid:84133285; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270186)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hak333444/xmrig/raw/main/winring0x64.sys"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270186/; classtype:trojan-activity;sid:84133286; rev:1;)
# The rules in this stretch all alert on GET requests to github.com for a file
# named winring0x64.sys, each under a different repository path.
#
# NOTE(review): by its path, the first rule below targets the file inside the
# xmrig/xmrig repository itself. A hit there indicates a download of the driver
# bundled with that miner rather than a campaign-specific payload, so triage on
# the requesting host and process rather than on the alert alone.
# NOTE(review): depth:65 counts "|3f|" as four characters; the decoded pattern
# ("?" as one byte) is 62 bytes, so depth plus endswith tolerates up to three
# leading bytes instead of pinning the URI exactly.
# NOTE(review): github.com is normally reached over HTTPS, so these rules only
# see a plaintext request or TLS-decrypted traffic. Confirm coverage with proxy
# or endpoint telemetry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270188)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/blob/master/bin/winring0/winring0x64.sys|3f|raw=true"; depth:65; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270188/; classtype:trojan-activity;sid:84133288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so251/olaquerida/releases/download/1releasae/winring0x64.sys"; depth:61; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270189/; classtype:trojan-activity;sid:84133289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsjsjsc79/advsd/raw/main/winring0x64.sys"; depth:41; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270191/; classtype:trojan-activity;sid:84133291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270192)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/stickmengamer/idk/raw/main/winring0x64.sys"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270192/; classtype:trojan-activity;sid:84133292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sopranotech/dimeo/main/winring0x64.sys"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270183/; classtype:trojan-activity;sid:84133283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3270184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abrissyy/min/main/winring0x64.sys"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3270184/; classtype:trojan-activity;sid:84133284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3269715)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqrtzeroknowledge/xworm-trojan/archive/refs/heads/main.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_11_01; reference:url, urlhaus.abuse.ch/url/3269715/; classtype:trojan-activity;sid:84132815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3265959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ygqwpvxadhjsxskr3u3tdw2u5dnzv0pp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; 
isdataat:!1,relative; metadata:created_at 2024_10_30; reference:url, urlhaus.abuse.ch/url/3265959/; classtype:trojan-activity;sid:84129059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3265958)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1uzjwtbh4hcs9i060hwf08hrnymnodugn"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_30; reference:url, urlhaus.abuse.ch/url/3265958/; classtype:trojan-activity;sid:84129058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3258033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ijeuwaesika/nna/refs/heads/main/ifiinms.txt"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3258033/; classtype:trojan-activity;sid:84121133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networks.ps1"; depth:13; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257486/; classtype:trojan-activity;sid:84120586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257470)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netstat.ps1"; depth:12; endswith; nocase; http.host; content:"cat.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257470/; classtype:trojan-activity;sid:84120570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3257473)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/net/net.xsl"; depth:19; endswith; nocase; http.host; content:"sec.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257473/; classtype:trojan-activity;sid:84120573; rev:1;)
# Rule shape used throughout: an established client-to-server HTTP flow from $HOME_NET with method GET,
# http.uri matching the listed path (nocase, pinned by depth + endswith) and http.host matching the listed
# value (pinned by depth + isdataat:!1,relative). The number in msg is the URLhaus entry named in reference:url.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/instance.ps1"; depth:20; endswith; nocase; http.host; content:"sec.xiaoshabi.nl"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257477/; classtype:trojan-activity;sid:84120577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257451)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/winring0x64.sys"; depth:23; endswith; nocase; http.host; content:"sec.dashabi.in"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257451/; classtype:trojan-activity;sid:84120551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/javaw"; depth:13; endswith; nocase; http.host; content:"sec.dashabi.in"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257457/; classtype:trojan-activity;sid:84120557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javaw2/instance.ps1"; depth:20; endswith; nocase; http.host; content:"sec.xiaojiji.nl"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257464/; classtype:trojan-activity;sid:84120564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3257465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netstat.ps1"; depth:12; endswith; nocase; http.host; content:"cat.xiaojiji.nl"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_27; reference:url, urlhaus.abuse.ch/url/3257465/; classtype:trojan-activity;sid:84120565; rev:1;)
# NOTE(review): host is github.com, which is normally served over HTTPS. An "alert http" rule inspects
# cleartext (or sensor-decrypted) HTTP only, so this and the other github.com / raw.githubusercontent.com
# rules below probably need TLS inspection to fire - TODO confirm sensor placement; proxy logs can cover the gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3254228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kdot227/somalifuscator/archive/refs/heads/main.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_26; reference:url, urlhaus.abuse.ch/url/3254228/; classtype:trojan-activity;sid:84117328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3254226)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/proxyonly/www/raw/main/security.exe"; depth:36; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_26; reference:url, urlhaus.abuse.ch/url/3254226/; classtype:trojan-activity;sid:84117326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3254222)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/robloxdev1223/requirements/raw/main/requirements.exe"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_26; reference:url, urlhaus.abuse.ch/url/3254222/; classtype:trojan-activity;sid:84117322; rev:1;)
# NOTE(review): IP-literal host with a created_at of 2024_10; addresses get reassigned, so check the
# referenced URLhaus entry before treating a hit on this or the other IP-literal rules as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3249735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; endswith; nocase; http.host; content:"119.193.158.215"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_23; reference:url, urlhaus.abuse.ch/url/3249735/; classtype:trojan-activity;sid:84112835; rev:1;)
# NOTE(review): the path looks like a tagged release archive of the quasar/quasar project itself, so
# analyst or lab downloads would raise the same alert - presumably worth triaging by source host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3249675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quasar/quasar/releases/download/v1.4.1/quasar.v1.4.1.zip"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_23; reference:url, urlhaus.abuse.ch/url/3249675/; classtype:trojan-activity;sid:84112775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3249662)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/refs/heads/master/rat/njrat.exe"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_23; reference:url, urlhaus.abuse.ch/url/3249662/; classtype:trojan-activity;sid:84112762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3246018)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mestalic/site/refs/heads/main/file.exe"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3246018/; classtype:trojan-activity;sid:84109118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"185.152.219.150"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245733/; classtype:trojan-activity;sid:84108833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vz.txt"; depth:7; endswith; nocase; http.host; content:"51.79.124.111"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245732/; classtype:trojan-activity;sid:84108832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chinese.txt"; depth:12; endswith; nocase; http.host; content:"202.129.16.172"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245730/; classtype:trojan-activity;sid:84108830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kg.exe"; depth:7; endswith; nocase; http.host; content:"146.0.42.82"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245459/; classtype:trojan-activity;sid:84108559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3245458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen.exe"; depth:11; endswith; nocase; http.host; content:"146.0.42.82"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_20; reference:url, urlhaus.abuse.ch/url/3245458/; classtype:trojan-activity;sid:84108558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3243086)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/update/data/update.exe"; depth:23; endswith; nocase; http.host; content:"114.55.106.136"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3243086/; classtype:trojan-activity;sid:84106186; rev:1;)
# Each rule below alerts on an established client-to-server GET from $HOME_NET whose http.uri matches the
# listed path (nocase, pinned by depth + endswith) and whose http.host matches the listed value (pinned by
# depth + isdataat:!1,relative); reference:url names the URLhaus entry whose number appears in msg.
# NOTE(review): the IP-literal rules here carry created_at 2024_10; addresses get reassigned, so check the
# referenced URLhaus entry before treating a hit on them as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3243082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysupdate/ckbgd/2.3.0624.zip"; depth:29; endswith; nocase; http.host; content:"8.131.63.6"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3243082/; classtype:trojan-activity;sid:84106182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3243077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sysupdate/ckbgd/2.3.0703.zip"; depth:29; endswith; nocase; http.host; content:"8.131.63.6"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3243077/; classtype:trojan-activity;sid:84106177; rev:1;)
# NOTE(review): github.com and raw.githubusercontent.com are normally served over HTTPS. An "alert http"
# rule inspects cleartext (or sensor-decrypted) HTTP only, so these rules probably need TLS inspection
# to fire - TODO confirm sensor placement; proxy logs can cover the gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3242983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flowseal/zapret-discord-youtube/releases/download/1.1.1/zapret-discord-youtube-1.1.1.rar"; depth:89; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3242983/; classtype:trojan-activity;sid:84106083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3242663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmatrix/data/hack0832.zip"; depth:26; endswith; nocase; http.host; content:"cd.textfiles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3242663/; classtype:trojan-activity;sid:84105763; rev:1;)
# NOTE(review): the file name "wildfire-test-pe-file.exe" reads like a vendor detection test sample rather
# than a live payload - presumably a low-severity hit; TODO confirm against the URLhaus entry before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3242642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rishabhkumardeveloper/malware_analysis_using_ml/main/wildfire-test-pe-file.exe"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_19; reference:url, urlhaus.abuse.ch/url/3242642/; classtype:trojan-activity;sid:84105742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241765)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scode18/all-tweaker/main/tweaks.7z"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241765/; classtype:trojan-activity;sid:84104865; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241752)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kntjspr/licensebytes/refs/heads/main/licensemalwarebytes.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241752/; classtype:trojan-activity;sid:84104852; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241644)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baksvoronov/testingflrplgpreg/refs/heads/main/connector1.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241644/; classtype:trojan-activity;sid:84104744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241637)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s107000665/c1/master/1223.exe"; depth:30; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241637/; classtype:trojan-activity;sid:84104737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iciamyplant/ctf/master/plantrojan.exe"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241638/; classtype:trojan-activity;sid:84104738; rev:1;)
# NOTE(review): the path content holds a literal "%20". http.uri is the normalized URI buffer, so if the
# sensor percent-decodes the path before matching, this content will not match the decoded space;
# http.uri.raw is the buffer that keeps the encoded form - verify with a replayed request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/killbillpribil/world-of-tanks/master/world%20of%20tanks.exe"; depth:60; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241640/; classtype:trojan-activity;sid:84104740; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mach1el/htb-scripts/master/exploit-fuse/shell.exe"; depth:50; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241641/; classtype:trojan-activity;sid:84104741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/khr0x40sh/whitelistevasion/master/installutil/script.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241642/; classtype:trojan-activity;sid:84104742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241635)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msf.exe"; depth:8; endswith; nocase; http.host; content:"qiniuyunxz.yxflzs.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241635/; classtype:trojan-activity;sid:84104735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c5hackr/phantom/main/phantom/resources/donut.exe"; depth:49; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241559/; classtype:trojan-activity;sid:84104659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"117.72.39.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241404/; classtype:trojan-activity;sid:84104504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241127)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/justincoding3/slumfun/main/obfuscated.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com";
depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241127/; classtype:trojan-activity;sid:84104227; rev:1;)
# Each rule below alerts on an established client-to-server GET from $HOME_NET whose http.uri matches the
# listed path (nocase, pinned by depth + endswith) and whose http.host matches the listed value (pinned by
# depth + isdataat:!1,relative); reference:url names the URLhaus entry whose number appears in msg.
# NOTE(review): github.com and raw.githubusercontent.com are normally served over HTTPS. An "alert http"
# rule inspects cleartext (or sensor-decrypted) HTTP only, so these rules probably need TLS inspection
# to fire - TODO confirm sensor placement; proxy logs can cover the gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241126)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r00t-3xp10it/redpill/main/utils/compiled.exe"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241126/; classtype:trojan-activity;sid:84104226; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241125)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secwiki/windows-kernel-exploits/master/ms14-068/ms14-068.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241125/; classtype:trojan-activity;sid:84104225; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prowindows365/hailhydra/refs/heads/main/hailhydra.exe"; depth:54; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241123/; classtype:trojan-activity;sid:84104223; rev:1;)
# NOTE(review): neo23x0/signature-base appears to be a public detection-content repository. This rule, the
# atomic-red-team test10.lnk rule and the cuckoobox/cuckoo archive rule further down would also alert when
# defenders fetch those projects - consider suppressing for known analyst hosts rather than disabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neo23x0/signature-base/archive/master.zip"; depth:42; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241055/; classtype:trojan-activity;sid:84104155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3241005)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ricepudding0xl/discordnitrogenerator/main/discordnitrogenerator.exe"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3241005/; classtype:trojan-activity;sid:84104105; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sad-dust/death/main/stealinfo.exe"; depth:34; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240999/; classtype:trojan-activity;sid:84104099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redcanaryco/atomic-red-team/master/atomics/t1204.002/bin/test10.lnk"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240819/; classtype:trojan-activity;sid:84103919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cuckoobox/cuckoo/archive/master.zip"; depth:36; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240817/; classtype:trojan-activity;sid:84103917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/haxork8880/files/main/windowssync.txt.zip"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240813/; classtype:trojan-activity;sid:84103913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crjtpp/tpplab_public/main/poc-sample-lnk.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240814/; classtype:trojan-activity;sid:84103914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hackerx237/miner/main/my-files.lnk"; depth:35; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240812/; classtype:trojan-activity;sid:84103912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scode18/all-tweaker/releases/download/beta_v0.6/all.tweaker.beta.v0.6.7z"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240811/; classtype:trojan-activity;sid:84103911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scode18/all-tweaker/raw/main/tweaks.7z"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240810/; classtype:trojan-activity;sid:84103910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240720)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dqwr1q23rwdfr/xxx/releases/download/xxx/vital.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240720/; classtype:trojan-activity;sid:84103820; rev:1;)
# NOTE(review): the path content holds a literal "%23". http.uri is the normalized URI buffer, so if the
# sensor percent-decodes the path before matching, this content will not match the decoded form;
# http.uri.raw is the buffer that keeps the encoded form - verify with a replayed request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3240639)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mohdjulaya09/code-sparrow-crypter-2.0-private-crack-leak/releases/download/%23crypter/codesparrow.crypter.2.0.crack.rar"; depth:120; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_18; reference:url, urlhaus.abuse.ch/url/3240639/; classtype:trojan-activity;sid:84103739; rev:1;)
# NOTE(review): IP-literal host with a created_at of 2024_10; addresses get reassigned, so check the
# referenced URLhaus entry before treating a hit as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3239707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demon.x64.bin"; depth:14; endswith; nocase; http.host; content:"8.138.96.41"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_17; reference:url, urlhaus.abuse.ch/url/3239707/; classtype:trojan-activity;sid:84102807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3238658)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eaklauncher/eaklauncher.exe"; depth:28; endswith; nocase; http.host; content:"147.50.240.62"; depth:13; isdataat:!1,relative;
metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3238658/; classtype:trojan-activity;sid:84101758; rev:1;)
# Each rule below alerts on an established client-to-server GET from $HOME_NET whose http.uri matches the
# listed path (nocase, pinned by depth + endswith) and whose http.host matches the listed value (pinned by
# depth + isdataat:!1,relative); reference:url names the URLhaus entry whose number appears in msg.
# NOTE(review): the IP-literal rules here carry created_at 2024_10; addresses get reassigned, so check the
# referenced URLhaus entry before treating a hit on them as current.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3238111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resources/js/info2r.txt"; depth:24; endswith; nocase; http.host; content:"188.81.134.196"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3238111/; classtype:trojan-activity;sid:84101211; rev:1;)
# NOTE(review): the path content holds a literal "%20". http.uri is the normalized URI buffer, so if the
# sensor percent-decodes the path before matching, this content will not match the decoded space;
# http.uri.raw is the buffer that keeps the encoded form - verify with a replayed request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3238073)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ff245185/payload/main/fast%20download.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3238073/; classtype:trojan-activity;sid:84101173; rev:1;)
# NOTE(review): "|3f|" is a single byte ("?"), so this content is 61 bytes while depth is 64 (the length of
# the escaped text). The match still works because endswith pins the tail; the start is just 3 bytes looser.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da2dalus/the-malware-repo/blob/master/rat/njrat.exe|3f|raw=true"; depth:64; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237975/; classtype:trojan-activity;sid:84101075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5556.rar"; depth:9; endswith; nocase; http.host; content:"188.212.158.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237976/; classtype:trojan-activity;sid:84101076; rev:1;)
# NOTE(review): codeload.github.com, github.com, raw.githubusercontent.com and drive.google.com are normally
# served over HTTPS. An "alert http" rule inspects cleartext (or sensor-decrypted) HTTP only, so these rules
# probably need TLS inspection to fire - TODO confirm sensor placement; proxy logs can cover the gap.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blank-c/umbral-stealer/zip/refs/heads/main"; depth:43; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237956/; classtype:trojan-activity;sid:84101056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blank-c/blank-grabber/zip/refs/heads/main"; depth:42; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237955/; classtype:trojan-activity;sid:84101055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237954)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blank-c/blankobf/zip/refs/heads/v2"; depth:35; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237954/; classtype:trojan-activity;sid:84101054; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joh81/exploi01/zip/refs/heads/main"; depth:35; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237861/; classtype:trojan-activity;sid:84100961; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/thebb5th/123/zip/refs/heads/main"; depth:33; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237737/; classtype:trojan-activity;sid:84100837; rev:1;)
# NOTE(review): "|7c|26|7c|" decodes to the four literal characters |26| rather than "&" (0x26), which looks
# like a double-escaped ampersand from the generator; as written the content would not match a request for
# "...export=download&id=...". The same applies to the next rule. TODO confirm against the URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_suia0iczdw2reew1f9hgunezxcwv52d"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237465/; classtype:trojan-activity;sid:84100565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3237464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_3ozdjl5puad8qn3tipydynn5j7l13el"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_10_16; reference:url, urlhaus.abuse.ch/url/3237464/; classtype:trojan-activity;sid:84100564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/center.exe"; depth:11; endswith; nocase; http.host; content:"119.193.158.215"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236597/; classtype:trojan-activity;sid:84099697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/kedadecoder.zip"; depth:25; endswith; nocase; http.host; content:"153.37.77.156"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236587/; classtype:trojan-activity;sid:84099687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/kedadecoder.zip"; depth:25; endswith; nocase; http.host; content:"116.136.142.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236559/; classtype:trojan-activity;sid:84099659; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236453)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3cur3th1ssh1t/creds/master/powershellscripts/invoke-petitpotam.ps1"; depth:68; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236453/; classtype:trojan-activity;sid:84099553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236324)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/xwgl/xw_xxgl.exe"; depth:22; endswith; nocase; http.host; content:"data.yhydl.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236324/; classtype:trojan-activity;sid:84099424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/xw_setup.exe"; depth:18; endswith; nocase; http.host; content:"data.yhydl.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236322/; classtype:trojan-activity;sid:84099422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236323)"; flow:established,from_client; http.method;
content:"GET"; http.uri; content:"/file/yhy_setup.exe"; depth:19; endswith; nocase; http.host; content:"data.yhydl.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236323/; classtype:trojan-activity;sid:84099423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/4001/updates/efatura/efatura.exe"; depth:42; endswith; nocase; http.host; content:"elisans.novayonetim.com"; depth:23; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236318/; classtype:trojan-activity;sid:84099418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/services/identification/server/gtptoolsdownloadhandler.ashx|3f|filename=gtp_6_browserplugin_setup.exe"; depth:102; endswith; nocase; http.host; content:"hnjgdl.geps.glodon.com"; depth:22; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236240/; classtype:trojan-activity;sid:84099340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/natgo.exe"; depth:10; endswith; nocase; http.host; content:"dl.natgo.cn"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236237/; classtype:trojan-activity;sid:84099337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/etermproxy.exe"; depth:24; endswith; nocase; http.host; content:"pid.fly160.com"; depth:14; isdataat:!1,relative; 
metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236236/; classtype:trojan-activity;sid:84099336; rev:1;)
# Rule shape used by every entry below: an exact match on one URL.
#  - http.uri content with depth:<n> plus endswith: when <n> equals the pattern length,
#    the whole normalized URI must equal the pattern (nocase makes that case-insensitive).
#  - http.host content with depth:<n> plus isdataat:!1,relative: nothing may follow the
#    pattern, so the whole host value must equal it.
#  - Only GET requests from $HOME_NET to $EXTERNAL_NET on an established flow are inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236224)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdd_biaoge/soft/down.exe"; depth:25; endswith; nocase; http.host; content:"49.234.48.162"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236224/; classtype:trojan-activity;sid:84099324; rev:1;)
# NOTE(review): several rules in this span name github.com, raw.githubusercontent.com or
# codeload.github.com as the host. They are `alert http` rules, so they only fire on
# requests the sensor sees as cleartext HTTP (or on traffic decrypted upstream of it).
# Confirm sensor placement before counting on them for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3236154)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/17267811/stm.txt"; depth:40; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3236154/; classtype:trojan-activity;sid:84099254; rev:1;)
# NOTE(review): the URI below is the path of a tagged archive in a public repository.
# The rule matches the URL only, so any download of that file alerts, whatever the
# requester's purpose; triage on who fetched it before treating the host as infected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chainguard-dev/bincapz/archive/refs/tags/v0.5.0.zip"; depth:52; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3235523/; classtype:trojan-activity;sid:84098623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/playmcbkuwu/vape/releases/download/stable/vape.v4.10.from.duckysolucky.zip"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3235522/; classtype:trojan-activity;sid:84098622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meckazin/chromekatz/releases/download/0.4.7/chromekatzbofs.zip"; depth:63; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_15; reference:url, urlhaus.abuse.ch/url/3235513/; classtype:trojan-activity;sid:84098613; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3235094)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xsh/update.exe"; depth:15; endswith; nocase; http.host; content:"101.126.11.168"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_14; reference:url, urlhaus.abuse.ch/url/3235094/; classtype:trojan-activity;sid:84098194; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3234859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petikvx/lockbit-black-builder/main/lockbit30/builder.exe"; depth:57; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_14; reference:url, urlhaus.abuse.ch/url/3234859/; classtype:trojan-activity;sid:84097959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3234858)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tennessene/lockbit/refs/heads/main/builder.exe"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_14; reference:url, urlhaus.abuse.ch/url/3234858/; classtype:trojan-activity;sid:84097958; rev:1;)
# NOTE(review): |3f| is the hex escape for "?", so this pattern requires the URI to end
# in a literal "?". The pattern is 42 bytes, yet depth is 45; the depth looks as if it
# counted the four characters of "|3f|" instead of the one byte they encode. endswith
# still pins the match to the end of the buffer, but the match is no longer pinned to
# offset 0 the way the sibling rules are (compare depth:43 on the 43-byte solara.zip
# pattern below). Worth confirming with the feed maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3231796)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16737801/wave.zip|3f|"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_12; reference:url, urlhaus.abuse.ch/url/3231796/; classtype:trojan-activity;sid:84094896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3231794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user-attachments/files/16419615/solara.zip"; depth:43; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_12; reference:url, urlhaus.abuse.ch/url/3231794/; classtype:trojan-activity;sid:84094894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3229631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kamilniftaliev/cryptoview/zip/refs/heads/main"; depth:46; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_10_11; reference:url, urlhaus.abuse.ch/url/3229631/; classtype:trojan-activity;sid:84092731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3228667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/winassist/login/login.7z"; depth:25; endswith; nocase; http.host; content:"win.down.55kantu.com"; depth:20; isdataat:!1,relative; metadata:created_at 2024_10_10; reference:url, urlhaus.abuse.ch/url/3228667/; classtype:trojan-activity;sid:84091767; rev:1;)
# NOTE(review): the URI of the next rule is a release-download path in a public
# repository; as with the tagged archive above, the rule cannot tell an administrator's
# download from an unwanted one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3226239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.22.0/xmrig-6.22.0-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; 
metadata:created_at 2024_10_09; reference:url, urlhaus.abuse.ch/url/3226239/; classtype:trojan-activity;sid:84089339; rev:1;)
# The rules below pair a very short URI ("/sshd", 5 bytes, exact match via depth:5 plus
# endswith) with one IP-literal host each (exact match via depth:<n> plus
# isdataat:!1,relative). The URI alone is not distinctive; the host pairing is what
# makes each rule specific.
#
# NOTE(review): several host values repeat with identical match conditions under
# different sids, e.g. 87.97.161.106 (sids 84080860, 84080845, 84080817, 84080829),
# 178.183.205.197 (84080887, 84080725, 84080721, 84080718), 213.96.13.100 (84081101,
# 84080789, 84080765), 81.45.183.125 (84080781, 84080782) and 118.212.35.175 (84080662,
# 84080526). One matching request therefore raises one alert per sid. Presumably the
# referenced URLhaus entries differ in something these keywords do not capture, such as
# the port; check the entries, and consider a threshold or deduplication on
# (host, uri) when consuming the alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218033)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"109.207.216.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218033/; classtype:trojan-activity;sid:84081133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"86.106.101.159"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218030/; classtype:trojan-activity;sid:84081130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"109.207.217.114"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218009/; classtype:trojan-activity;sid:84081109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"166.147.146.187"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218011/; classtype:trojan-activity;sid:84081111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3218001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"213.96.13.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3218001/; classtype:trojan-activity;sid:84081101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217787/; classtype:trojan-activity;sid:84080887; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"85.130.160.219"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217802/; classtype:trojan-activity;sid:84080902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217780)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.203.169.39"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217780/; classtype:trojan-activity;sid:84080880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217775)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.191.89.122"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217775/; classtype:trojan-activity;sid:84080875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"86.106.155.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217757/; classtype:trojan-activity;sid:84080857; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217760/; classtype:trojan-activity;sid:84080860; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.28.228.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217750/; classtype:trojan-activity;sid:84080850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217745/; classtype:trojan-activity;sid:84080845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.203.169.41"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217740/; classtype:trojan-activity;sid:84080840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217717)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217717/; classtype:trojan-activity;sid:84080817; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.97.161.106"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217729/; classtype:trojan-activity;sid:84080829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"213.96.13.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217689/; classtype:trojan-activity;sid:84080789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217684)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.43.16.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217684/; classtype:trojan-activity;sid:84080784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.45.183.125"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217681/; classtype:trojan-activity;sid:84080781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217682)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.45.183.125"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217682/; classtype:trojan-activity;sid:84080782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217665)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"213.96.13.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217665/; classtype:trojan-activity;sid:84080765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217674)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.191.89.120"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217674/; classtype:trojan-activity;sid:84080774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217638)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"14.161.6.225"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217638/; classtype:trojan-activity;sid:84080738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217625/; classtype:trojan-activity;sid:84080725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217621)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217621/; classtype:trojan-activity;sid:84080721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217618)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.205.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217618/; classtype:trojan-activity;sid:84080718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217562)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.212.35.175"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217562/; classtype:trojan-activity;sid:84080662; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/123.ps1"; depth:8; endswith; nocase; http.host; content:"103.247.164.242"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217557/; classtype:trojan-activity;sid:84080657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.118.215.24"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217454/; classtype:trojan-activity;sid:84080554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.212.35.175"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217426/; classtype:trojan-activity;sid:84080526; rev:1;)
# From here the URI pattern changes to "/mozi.m" (7 bytes, same exact-match shape),
# again paired with one IP-literal host per rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217136)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"188.254.255.246"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217136/; classtype:trojan-activity;sid:84080236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.105.196.30"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217139/; classtype:trojan-activity;sid:84080239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217098)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"77.238.209.82"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217098/; classtype:trojan-activity;sid:84080198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217109)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"81.16.249.96"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217109/; classtype:trojan-activity;sid:84080209; rev:1;)
# Every rule in this span has the same shape: GET, URI exactly "/mozi.m" (depth:7 plus
# endswith, case-insensitive), host exactly one IP literal (depth:<n> plus
# isdataat:!1,relative), $HOME_NET client to $EXTERNAL_NET server. Only the host value,
# the URLhaus id in msg/reference and the sid differ from rule to rule.
#
# NOTE(review): all entries carry created_at 2024_10_06 and identify the server by IP
# literal only. Addresses get reassigned, so an alert from one of these rules is a lead
# to check against the current state of the referenced URLhaus entry, not proof that
# the address still serves the file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.173.173.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217086/; classtype:trojan-activity;sid:84080186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"190.145.205.178"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217088/; classtype:trojan-activity;sid:84080188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"94.251.5.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217091/; classtype:trojan-activity;sid:84080191; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.88.180.115"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217059/; classtype:trojan-activity;sid:84080159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217061)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"118.71.250.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217061/; classtype:trojan-activity;sid:84080161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217063)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"181.49.47.190"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217063/; classtype:trojan-activity;sid:84080163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"124.194.46.204"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217064/; classtype:trojan-activity;sid:84080164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217065)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"151.237.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217065/; classtype:trojan-activity;sid:84080165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"200.69.219.25"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217066/; classtype:trojan-activity;sid:84080166; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"196.41.63.178"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217044/; classtype:trojan-activity;sid:84080144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"58.145.168.170"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217009/; classtype:trojan-activity;sid:84080109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.148.18.220"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217020/; classtype:trojan-activity;sid:84080120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217023)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"62.162.113.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217023/; classtype:trojan-activity;sid:84080123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217001)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"92.241.77.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217001/; classtype:trojan-activity;sid:84080101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3217004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.253.115.156"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3217004/; classtype:trojan-activity;sid:84080104; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.92.68.241"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216971/; classtype:trojan-activity;sid:84080071; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"180.250.160.26"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216974/; classtype:trojan-activity;sid:84080074; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"195.34.91.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216979/; classtype:trojan-activity;sid:84080079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216983)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.57.33.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216983/; classtype:trojan-activity;sid:84080083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216986)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"182.253.115.155"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216986/; classtype:trojan-activity;sid:84080086; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.90.207.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216962/; classtype:trojan-activity;sid:84080062; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216956)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"77.89.245.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216956/; classtype:trojan-activity;sid:84080056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.4.124.58"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216950/; classtype:trojan-activity;sid:84080050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"118.179.121.235"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216934/; classtype:trojan-activity;sid:84080034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.164.200.170"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216945/; classtype:trojan-activity;sid:84080045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216911)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216911/; classtype:trojan-activity;sid:84080011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"185.12.78.161"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216883/; classtype:trojan-activity;sid:84079983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216886)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"14.224.162.164"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216886/; classtype:trojan-activity;sid:84079986; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.131.234.26"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216854/; classtype:trojan-activity;sid:84079954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"85.187.82.120"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216860/; classtype:trojan-activity;sid:84079960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"76.76.195.174"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216843/; classtype:trojan-activity;sid:84079943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216846)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.217.215.238"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216846/; classtype:trojan-activity;sid:84079946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"95.158.175.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216849/; classtype:trojan-activity;sid:84079949; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"27.147.225.2"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216809/; classtype:trojan-activity;sid:84079909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"110.74.207.194"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216812/; classtype:trojan-activity;sid:84079912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.188.30.171"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216813/; classtype:trojan-activity;sid:84079913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"118.179.203.50"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216823/; classtype:trojan-activity;sid:84079923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"109.160.87.2"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216802/; classtype:trojan-activity;sid:84079902; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"98.103.171.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216800/; classtype:trojan-activity;sid:84079900; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"186.154.93.81"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216794/; classtype:trojan-activity;sid:84079894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"89.231.14.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216772/; classtype:trojan-activity;sid:84079872; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"114.7.209.193"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216761/; classtype:trojan-activity;sid:84079861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"81.16.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216763/; classtype:trojan-activity;sid:84079863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216750)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"109.92.143.90"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216750/; classtype:trojan-activity;sid:84079850; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"154.0.129.134"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216735/; classtype:trojan-activity;sid:84079835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.64.210.218"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216739/; classtype:trojan-activity;sid:84079839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"41.77.74.90"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216740/; classtype:trojan-activity;sid:84079840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"190.217.148.227"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216743/; classtype:trojan-activity;sid:84079843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"88.116.62.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216719/; classtype:trojan-activity;sid:84079819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216710)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.211.135.170"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216710/; classtype:trojan-activity;sid:84079810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"46.151.56.42"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216685/; classtype:trojan-activity;sid:84079785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"83.218.189.21"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, 
urlhaus.abuse.ch/url/3216688/; classtype:trojan-activity;sid:84079788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"212.85.176.23"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216690/; classtype:trojan-activity;sid:84079790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216700)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"200.61.163.235"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216700/; classtype:trojan-activity;sid:84079800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.148.18.218"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216649/; classtype:trojan-activity;sid:84079749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.53.164.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216650/; classtype:trojan-activity;sid:84079750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; 
content:"188.72.6.218"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216653/; classtype:trojan-activity;sid:84079753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216606)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"194.208.56.60"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216606/; classtype:trojan-activity;sid:84079706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216607)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"81.16.247.81"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216607/; classtype:trojan-activity;sid:84079707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"150.129.202.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216610/; classtype:trojan-activity;sid:84079710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"213.6.74.138"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216599/; classtype:trojan-activity;sid:84079699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216600)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.233.63.185"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216600/; classtype:trojan-activity;sid:84079700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"31.186.54.111"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216603/; classtype:trojan-activity;sid:84079703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"190.2.237.104"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216581/; classtype:trojan-activity;sid:84079681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"91.244.169.56"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216582/; classtype:trojan-activity;sid:84079682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216583)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.77.228.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216583/; classtype:trojan-activity;sid:84079683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3216584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"213.91.236.237"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216584/; classtype:trojan-activity;sid:84079684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"78.29.14.127"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216555/; classtype:trojan-activity;sid:84079655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"95.170.116.28"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216557/; classtype:trojan-activity;sid:84079657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"77.46.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216559/; classtype:trojan-activity;sid:84079659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"202.148.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216561/; 
classtype:trojan-activity;sid:84079661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216569)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"150.129.202.193"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216569/; classtype:trojan-activity;sid:84079669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"84.242.139.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216537/; classtype:trojan-activity;sid:84079637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216538)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"178.151.163.54"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216538/; classtype:trojan-activity;sid:84079638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"203.160.56.67"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216522/; classtype:trojan-activity;sid:84079622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216529)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"36.66.139.36"; depth:12; 
isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216529/; classtype:trojan-activity;sid:84079629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"37.202.49.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216509/; classtype:trojan-activity;sid:84079609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216510)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"212.225.186.186"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216510/; classtype:trojan-activity;sid:84079610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"2.180.35.231"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216503/; classtype:trojan-activity;sid:84079603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"78.26.81.99"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216491/; classtype:trojan-activity;sid:84079591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216501)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"185.21.223.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216501/; classtype:trojan-activity;sid:84079601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"185.133.214.138"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216478/; classtype:trojan-activity;sid:84079578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216479)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"91.92.82.180"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216479/; classtype:trojan-activity;sid:84079579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216456)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"121.43.104.75"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216456/; classtype:trojan-activity;sid:84079556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"217.92.214.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216421/; classtype:trojan-activity;sid:84079521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3216418)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"80.249.6.118"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216418/; classtype:trojan-activity;sid:84079518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"49.232.126.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216406/; classtype:trojan-activity;sid:84079506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216404)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"150.158.25.244"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216404/; classtype:trojan-activity;sid:84079504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216396)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"121.43.104.75"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216396/; classtype:trojan-activity;sid:84079496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216384)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"43.132.12.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216384/; 
classtype:trojan-activity;sid:84079484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"50.65.169.30"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216382/; classtype:trojan-activity;sid:84079482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"178.61.160.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216372/; classtype:trojan-activity;sid:84079472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"124.123.123.15"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216365/; classtype:trojan-activity;sid:84079465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"123.117.136.97"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216353/; classtype:trojan-activity;sid:84079453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"43.132.13.252"; depth:13; 
isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216334/; classtype:trojan-activity;sid:84079434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216322)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"184.185.30.182"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216322/; classtype:trojan-activity;sid:84079422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"85.163.234.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216309/; classtype:trojan-activity;sid:84079409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"94.76.156.101"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216306/; classtype:trojan-activity;sid:84079406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"103.187.151.107"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216302/; classtype:trojan-activity;sid:84079402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3216301)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"212.200.106.94"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3216301/; classtype:trojan-activity;sid:84079401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"156.155.176.210"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215839/; classtype:trojan-activity;sid:84078939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215832)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"110.74.207.194"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215832/; classtype:trojan-activity;sid:84078932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.217.215.238"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215823/; classtype:trojan-activity;sid:84078923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"203.160.56.67"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215829/; classtype:trojan-activity;sid:84078929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215816)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.57.69.125"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215816/; classtype:trojan-activity;sid:84078916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.85.176.23"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215800/; classtype:trojan-activity;sid:84078900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.233.63.185"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215785/; classtype:trojan-activity;sid:84078885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.186.54.111"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215788/; classtype:trojan-activity;sid:84078888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"176.221.111.222"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215795/; classtype:trojan-activity;sid:84078895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (3215482)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.179.203.50"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215482/; classtype:trojan-activity;sid:84078582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.26.81.99"; depth:11; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215483/; classtype:trojan-activity;sid:84078583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.131.234.26"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215465/; classtype:trojan-activity;sid:84078565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215454)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"49.158.206.47"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215454/; classtype:trojan-activity;sid:84078554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.91.236.237"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215434/; 
classtype:trojan-activity;sid:84078534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"184.185.30.182"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215440/; classtype:trojan-activity;sid:84078540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.225.186.186"; depth:15; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215420/; classtype:trojan-activity;sid:84078520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215409)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.209.193"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215409/; classtype:trojan-activity;sid:84078509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"89.231.14.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215399/; classtype:trojan-activity;sid:84078499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215382)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.46.170.18"; depth:12; isdataat:!1,relative; metadata:created_at 
2024_10_06; reference:url, urlhaus.abuse.ch/url/3215382/; classtype:trojan-activity;sid:84078482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.105.196.30"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215372/; classtype:trojan-activity;sid:84078472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215358)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"83.218.189.21"; depth:13; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215358/; classtype:trojan-activity;sid:84078458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3215357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"14.224.162.164"; depth:14; isdataat:!1,relative; metadata:created_at 2024_10_06; reference:url, urlhaus.abuse.ch/url/3215357/; classtype:trojan-activity;sid:84078457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3213897)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_10_05; reference:url, urlhaus.abuse.ch/url/3213897/; classtype:trojan-activity;sid:84076997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3206293)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ox2fa/justnow/refs/heads/main/2pac.php"; depth:39; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_10_03; reference:url, urlhaus.abuse.ch/url/3206293/; classtype:trojan-activity;sid:84069393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3204531)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/for_down/2013/new/dlls/rse/rsreport.exe"; depth:40; endswith; nocase; http.host; content:"download.suxiazai.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_10_02; reference:url, urlhaus.abuse.ch/url/3204531/; classtype:trojan-activity;sid:84067631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3200548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/slinky/slinkycrack.zip"; depth:23; endswith; nocase; http.host; content:"crystalpvp.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_29; reference:url, urlhaus.abuse.ch/url/3200548/; classtype:trojan-activity;sid:84063648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3198753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pinginfoview.exe"; depth:17; endswith; nocase; http.host; content:"139.198.15.223"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3198753/; classtype:trojan-activity;sid:84061853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3198696)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cen22.php"; depth:10; endswith; nocase; http.host; content:"39.100.33.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3198696/; 
classtype:trojan-activity;sid:84061796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3195736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fx8"; depth:4; endswith; nocase; http.host; content:"123.57.250.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_28; reference:url, urlhaus.abuse.ch/url/3195736/; classtype:trojan-activity;sid:84058836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3193861)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massgravel/microsoft-activation-scripts/b1b5299c4725d97349b18b59061647198f7cc59b/mas/all-in-one-version-kl/mas_aio.cmd"; depth:119; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_27; reference:url, urlhaus.abuse.ch/url/3193861/; classtype:trojan-activity;sid:84056961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3193548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bitrix/js/main/core/core.js"; depth:28; endswith; nocase; http.host; content:"evangroup.ru"; depth:12; isdataat:!1,relative; metadata:created_at 2024_09_27; reference:url, urlhaus.abuse.ch/url/3193548/; classtype:trojan-activity;sid:84056648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190323)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.68.74.69"; depth:12; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190323/; classtype:trojan-activity;sid:84053423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3190317)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_09_25; reference:url, urlhaus.abuse.ch/url/3190317/; classtype:trojan-activity;sid:84053417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3189225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unknwon1352/qawfdasfaw/main/software.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_24; reference:url, urlhaus.abuse.ch/url/3189225/; classtype:trojan-activity;sid:84052325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3188620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/repository/aa_v3.exe"; depth:21; endswith; nocase; http.host; content:"83.149.17.194"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_24; reference:url, urlhaus.abuse.ch/url/3188620/; classtype:trojan-activity;sid:84051720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3188034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blueskyxn/changesource/master/besttrace"; depth:40; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_09_23; reference:url, urlhaus.abuse.ch/url/3188034/; classtype:trojan-activity;sid:84051134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186441)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxl_win_tool_v9.6.iso"; depth:22; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, 
urlhaus.abuse.ch/url/3186441/; classtype:trojan-activity;sid:84049541; rev:1;)
# URLhaus-generated download-URL rules: each one alerts on an outbound GET whose http.uri and
# http.host both equal one listed value (depth + endswith pin the URI pattern to the whole
# buffer, depth + isdataat:!1,relative do the same for the host).
#
# NOTE(review): the next pattern (and the ".zip" variant two rules further down) holds
# percent-encoded bytes, while http.uri is the normalized URI buffer. If the engine has
# already decoded %XX there, the literal "%e4..." text cannot match and http.uri.raw would
# be the buffer to use. Verify with a test pcap before relying on sids 84049540 / 84049530.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186440)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1-%e4%bf%ae%e6%94%b9%e7%ab%af%e5%8f%a3.iso"; depth:43; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186440/; classtype:trojan-activity;sid:84049540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186439)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dxl_win_tool_v9.4.iso"; depth:22; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186439/; classtype:trojan-activity;sid:84049539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1-%e4%bf%ae%e6%94%b9%e7%ab%af%e5%8f%a3.zip"; depth:43; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186430/; classtype:trojan-activity;sid:84049530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3186428)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1_dxl_windowsport.zip"; depth:22; endswith; nocase; http.host; content:"down.fwqlt.com"; depth:14; isdataat:!1,relative; metadata:created_at 2024_09_22; reference:url, urlhaus.abuse.ch/url/3186428/; classtype:trojan-activity;sid:84049528; rev:1;)
# NOTE(review): inside a content string the pipes toggle hex mode, so "|7c|26|7c|" decodes
# to the literal text "|26|" rather than to the '&' byte a query-string separator needs. It
# looks like the feed escaped the pipes of an already hex-escaped '&'; if so, this sid never
# matches a real request. The same sequence appears in sid 84026679 (youtransfer.net).
# depth:68 is the length of the escaped text, not of the 59-byte decoded pattern, so here
# depth no longer pins the match to offset 0 the way it does in the neighbouring rules.
# drive.google.com is normally reached over TLS; an "alert http" rule only sees the request
# when it travels in cleartext or is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3178401)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1v9ujqbyj-mlf9mugkyiwow6t3rpui2bu"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_09_17; reference:url, urlhaus.abuse.ch/url/3178401/; classtype:trojan-activity;sid:84041501; rev:1;)
# NOTE(review): sids 84038015 and 84038019 carry identical match conditions (same URI, same
# host); a single request raises two alerts that differ only in the URLhaus reference id.
# Account for that when counting alerts or tuning thresholds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174915)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174915/; classtype:trojan-activity;sid:84038015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/02.08.2022.exe"; depth:15; endswith; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174919/; classtype:trojan-activity;sid:84038019; rev:1;)
# The bare domain and its "www." form are separate rules because the host match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174364)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foru.apk"; depth:9; endswith; nocase; http.host; content:"tecunonline.com"; depth:15; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174364/; classtype:trojan-activity;sid:84037464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174340)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foru.apk"; depth:9; endswith; nocase; http.host; content:"www.tecunonline.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174340/; 
classtype:trojan-activity;sid:84037440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3174264)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen"; depth:7; endswith; nocase; http.host; content:"146.0.42.82"; depth:11; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3174264/; classtype:trojan-activity;sid:84037364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3173868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file.exe"; depth:9; endswith; nocase; http.host; content:"85.25.72.70"; depth:11; isdataat:!1,relative; metadata:created_at 2024_09_15; reference:url, urlhaus.abuse.ch/url/3173868/; classtype:trojan-activity;sid:84036968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3172240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/techsavvysenior/referralreactjs/archive/refs/heads/main.zip"; depth:60; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_09_14; reference:url, urlhaus.abuse.ch/url/3172240/; classtype:trojan-activity;sid:84035340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3163579)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/handler/download|3f|action=download|7c|26|7c|download_id=jgc6slaf|7c|26|7c|private_id=0|7c|26|7c|url=https%253a%252f%252fyoutransfer.net%252fjgc6slaf"; depth:150; endswith; nocase; http.host; content:"youtransfer.net"; depth:15; isdataat:!1,relative; metadata:created_at 2024_09_09; reference:url, urlhaus.abuse.ch/url/3163579/; classtype:trojan-activity;sid:84026679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (3137563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"14.224.162.164"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_31; reference:url, urlhaus.abuse.ch/url/3137563/; classtype:trojan-activity;sid:84000663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miners/myxmrig.tgz"; depth:19; endswith; nocase; http.host; content:"do-dear.com"; depth:11; isdataat:!1,relative; metadata:created_at 2024_08_30; reference:url, urlhaus.abuse.ch/url/3135730/; classtype:trojan-activity;sid:83998830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sosinchik/asd/main/zoom.py"; depth:27; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_30; reference:url, urlhaus.abuse.ch/url/3135722/; classtype:trojan-activity;sid:83998822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moneroocean/xmrig_setup/master/setup_moneroocean_miner.sh"; depth:58; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_30; reference:url, urlhaus.abuse.ch/url/3135724/; classtype:trojan-activity;sid:83998824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3135613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log/orgn.txt"; depth:13; endswith; nocase; http.host; content:"epanpano.com"; depth:12; isdataat:!1,relative; metadata:created_at 
2024_08_30; reference:url, urlhaus.abuse.ch/url/3135613/; classtype:trojan-activity;sid:83998713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3134371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qqhelper_1540.exe"; depth:18; endswith; nocase; http.host; content:"down.qqfarmer.com.cn"; depth:20; isdataat:!1,relative; metadata:created_at 2024_08_29; reference:url, urlhaus.abuse.ch/url/3134371/; classtype:trojan-activity;sid:83997471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129654)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nova_flow/patcher.exe"; depth:22; endswith; nocase; http.host; content:"144.172.71.105"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129654/; classtype:trojan-activity;sid:83992754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129478)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoldownload/foobar2000_v1.6.7_beta_17@1704_129472.exe"; depth:54; endswith; nocase; http.host; content:"down10d.zol.com.cn"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129478/; classtype:trojan-activity;sid:83992578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asmedises/pxray_cast_sort.exe"; depth:30; endswith; nocase; http.host; content:"www.medises.co.kr"; depth:17; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129417/; classtype:trojan-activity;sid:83992517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3129042)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yuta1111x/selfbot/04ecdf46e8db9fce689d93905d759334b475c825/aquarius.exe"; depth:72; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_26; reference:url, urlhaus.abuse.ch/url/3129042/; classtype:trojan-activity;sid:83992142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"190.104.213.45"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112427/; classtype:trojan-activity;sid:83975527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112426)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"200.29.120.130"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112426/; classtype:trojan-activity;sid:83975526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112419)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"93.182.76.169"; depth:13; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112419/; classtype:trojan-activity;sid:83975519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112420)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"93.182.76.169"; depth:13; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112420/; 
classtype:trojan-activity;sid:83975520; rev:1;)
# URLhaus-generated download-URL rules; each alerts on an outbound GET whose http.uri and
# http.host both equal one listed value (exact match via depth/endswith and
# depth/isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3112417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"89.121.250.206"; depth:14; isdataat:!1,relative; metadata:created_at 2024_08_17; reference:url, urlhaus.abuse.ch/url/3112417/; classtype:trojan-activity;sid:83971604; rev:1;)
# NOTE(review): the four discord-rat patterns below contain "%20", while http.uri is the
# normalized URI buffer; if the engine has already decoded the space, the literal "%20"
# cannot match and http.uri.raw would be the buffer to test against. Confirm with a pcap.
# raw.githubusercontent.com is normally fetched over TLS, so these "alert http" rules only
# see the request when it travels in cleartext or is decrypted upstream of the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/webcam.dll"; depth:66; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108504/; classtype:trojan-activity;sid:83971604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108505)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/token%20grabber.dll"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108505/; classtype:trojan-activity;sid:83971605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108506)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/rootkit.dll"; depth:67; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108506/; classtype:trojan-activity;sid:83971606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108503)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/master/discord%20rat/resources/passwordstealer.dll"; depth:75; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108503/; classtype:trojan-activity;sid:83971603; rev:1;)
# Three rules for the same host, one per listed file path; the URI match is exact, so any
# other path on file.blackint3.com is not covered by these sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openark/version.txt"; depth:20; endswith; nocase; http.host; content:"file.blackint3.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108502/; classtype:trojan-activity;sid:83971602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openark/openark64.exe"; depth:22; endswith; nocase; http.host; content:"file.blackint3.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108492/; classtype:trojan-activity;sid:83971592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3108491)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/openark/openark32.exe"; depth:22; endswith; nocase; http.host; content:"file.blackint3.com"; depth:18; isdataat:!1,relative; metadata:created_at 2024_08_15; reference:url, urlhaus.abuse.ch/url/3108491/; classtype:trojan-activity;sid:83971591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120646if_/http:/154.216.19.139/bins/mirai.armv4l"; 
depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106560/; classtype:trojan-activity;sid:83969660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122936if_/http:/154.216.19.139/bins/mirai.gnueabihf"; depth:64; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106559/; classtype:trojan-activity;sid:83969659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120223if_/http:/154.216.19.139/bins/mirai.bin"; depth:58; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106558/; classtype:trojan-activity;sid:83969658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121041if_/http:/154.216.19.139/bins/mirai.armv6l"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106556/; classtype:trojan-activity;sid:83969656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808123114if_/http:/154.216.19.139/bins/mirai.arc"; depth:58; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; 
metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106557/; classtype:trojan-activity;sid:83969657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122755if_/http:/154.216.19.139/bins/mirai.x86_64"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106551/; classtype:trojan-activity;sid:83969651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106552)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121121if_/http:/154.216.19.139/bins/mirai.armv7l"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106552/; classtype:trojan-activity;sid:83969652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120945if_/http:/154.216.19.139/bins/mirai.armv5l"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106553/; classtype:trojan-activity;sid:83969653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122159if_/http:/154.216.19.139/bins/mirai.powerpc"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106554/; 
classtype:trojan-activity;sid:83969654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3106555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121832if_/http:/154.216.19.139/bins/mirai.mipsel"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_14; reference:url, urlhaus.abuse.ch/url/3106555/; classtype:trojan-activity;sid:83969655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/keylogger.exe"; depth:44; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105149/; classtype:trojan-activity;sid:83968249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/networks_profile.exe"; depth:51; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105150/; classtype:trojan-activity;sid:83968250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105145)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/backdoor.exe"; depth:32; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105145/; classtype:trojan-activity;sid:83968245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download 
URL detected (3105146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/fill_storage_move.bat"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105146/; classtype:trojan-activity;sid:83968246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3105144)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3q/blackdoor/main/extensions/fill_storage_virus.bat"; depth:53; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_13; reference:url, urlhaus.abuse.ch/url/3105144/; classtype:trojan-activity;sid:83968244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3103488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"64.234.95.70"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_12; reference:url, urlhaus.abuse.ch/url/3103488/; classtype:trojan-activity;sid:83966588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3103489)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"170.55.7.234"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_12; reference:url, urlhaus.abuse.ch/url/3103489/; classtype:trojan-activity;sid:83966589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3103476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"187.247.242.34"; depth:14; isdataat:!1,relative; 
metadata:created_at 2024_08_12; reference:url, urlhaus.abuse.ch/url/3103476/; classtype:trojan-activity;sid:83966576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3100042)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/joelgmsec/invoke-stealth/main/resources/betterxencrypt/betterxencrypt.ps1"; depth:74; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3100042/; classtype:trojan-activity;sid:83963142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099961)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122448if_/http:/154.216.19.139/bins/mirai.sh4"; depth:58; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099961/; classtype:trojan-activity;sid:83963061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099962)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121230if_/http:/154.216.19.139/bins/mirai.i586"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099962/; classtype:trojan-activity;sid:83963062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099965)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121347if_/http:/154.216.19.139/bins/mirai.m68k"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099965/; 
classtype:trojan-activity;sid:83963065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121419if_/http:/154.216.19.139/bins/mirai.mips"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099966/; classtype:trojan-activity;sid:83963066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3099960)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121308if_/http:/154.216.19.139/bins/mirai.i686"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_10; reference:url, urlhaus.abuse.ch/url/3099960/; classtype:trojan-activity;sid:83963060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120223if_/http://154.216.19.139/bins/mirai.bin"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097244/; classtype:trojan-activity;sid:83960344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122755if_/http://154.216.19.139/bins/mirai.x86_64"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097239/; classtype:trojan-activity;sid:83960339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (3097240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121041if_/http://154.216.19.139/bins/mirai.armv6l"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097240/; classtype:trojan-activity;sid:83960340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097241)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121230if_/http://154.216.19.139/bins/mirai.i586"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097241/; classtype:trojan-activity;sid:83960341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122636if_/http://154.216.19.139/bins/mirai.sparc"; depth:61; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097242/; classtype:trojan-activity;sid:83960342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097243)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121308if_/http://154.216.19.139/bins/mirai.i686"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097243/; classtype:trojan-activity;sid:83960343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097230)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/web/20240808121347if_/http://154.216.19.139/bins/mirai.m68k"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097230/; classtype:trojan-activity;sid:83960330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121121if_/http://154.216.19.139/bins/mirai.armv7l"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097231/; classtype:trojan-activity;sid:83960331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097232)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808123114if_/http://154.216.19.139/bins/mirai.arc"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097232/; classtype:trojan-activity;sid:83960332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122448if_/http://154.216.19.139/bins/mirai.sh4"; depth:59; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097233/; classtype:trojan-activity;sid:83960333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097234)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121832if_/http://154.216.19.139/bins/mirai.mipsel"; depth:62; endswith; nocase; 
http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097234/; classtype:trojan-activity;sid:83960334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120945if_/http://154.216.19.139/bins/mirai.armv5l"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097235/; classtype:trojan-activity;sid:83960335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808120646if_/http://154.216.19.139/bins/mirai.armv4l"; depth:62; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097236/; classtype:trojan-activity;sid:83960336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808122936if_/http://154.216.19.139/bins/mirai.gnueabihf"; depth:65; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; reference:url, urlhaus.abuse.ch/url/3097237/; classtype:trojan-activity;sid:83960337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3097238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/20240808121419if_/http://154.216.19.139/bins/mirai.mips"; depth:60; endswith; nocase; http.host; content:"web.archive.org"; depth:15; isdataat:!1,relative; metadata:created_at 2024_08_09; 
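reference:url, urlhaus.abuse.ch/url/3097238/; classtype:trojan-activity;sid:83960338; rev:1;)
# pastebin.com paste IDs are case-sensitive, but the three rules below carry a
# lowercased ID together with nocase, so they also fire on any other paste whose
# ID differs only in letter case. Treat a hit as a lead and confirm the exact
# request path in the HTTP log before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3093518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/uypthvq0"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_06; reference:url, urlhaus.abuse.ch/url/3093518/; classtype:trojan-activity;sid:83956618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3092809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rme3ibrb"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_06; reference:url, urlhaus.abuse.ch/url/3092809/; classtype:trojan-activity;sid:83955909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3092807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/a9he0f3w"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_06; reference:url, urlhaus.abuse.ch/url/3092807/; classtype:trojan-activity;sid:83955907; rev:1;)
# http.uri is the normalized (percent-decoded) request URI, so the feed's literal
# "%5b" text does not occur in that buffer. The content below matches the decoded
# byte 0x5b ("[") instead, and depth is reduced from 35 to the decoded length (33)
# so that depth + endswith still means "the whole URI equals this string".
# Local correction only: a feed refresh restores the upstream text, so the
# encoding problem should also be reported to URLhaus.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3086390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/|5b|win"; depth:33; endswith; nocase; http.host; content:"8.218.138.77"; depth:12; isdataat:!1,relative; metadata:created_at 2024_08_03; reference:url, urlhaus.abuse.ch/url/3086390/; classtype:trojan-activity;sid:83949490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072990)"; flow:established,from_client; http.method; content:"GET"; http.uri;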
content:"/komasinfo/idcb/main/cbs_applcation_details_072602024_xlsx.rar"; depth:62; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072990/; classtype:trojan-activity;sid:83936090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adrinnno/ptwis/raw/main/file_cbs_app_details_no-0923871691_xlsx.zip"; depth:68; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072974/; classtype:trojan-activity;sid:83936074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reporgu/fakado/raw/main/transaction_file_9812009_end_ids_yesbr5_pdf.rar"; depth:72; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072975/; classtype:trojan-activity;sid:83936075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/komasinfo/idcb/raw/main/cbs_applcation_details_072602024_xlsx.rar"; depth:66; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072978/; classtype:trojan-activity;sid:83936078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3072969)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/deannwas/policah/main/file_cbs_app_details_no-0923871691_xlsx.zip"; depth:66; 
endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_07_27; reference:url, urlhaus.abuse.ch/url/3072969/; classtype:trojan-activity;sid:83936069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3058862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nc64.exe"; depth:9; endswith; nocase; http.host; content:"51.255.46.245"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_21; reference:url, urlhaus.abuse.ch/url/3058862/; classtype:trojan-activity;sid:83921962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052415)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/mimikatz.exe"; depth:17; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052415/; classtype:trojan-activity;sid:83915515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052412)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimispool.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052412/; classtype:trojan-activity;sid:83915512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052413)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimilib.dll"; depth:20; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052413/; classtype:trojan-activity;sid:83915513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (3052414)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/x64/mimidrv.sys"; depth:20; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052414/; classtype:trojan-activity;sid:83915514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimidrv.sys"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052395/; classtype:trojan-activity;sid:83915495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052400)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimikatz.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052400/; classtype:trojan-activity;sid:83915500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052393)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilove.exe"; depth:23; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 2024_07_19; reference:url, urlhaus.abuse.ch/url/3052393/; classtype:trojan-activity;sid:83915493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (3052394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin/win32/mimilib.dll"; depth:22; endswith; nocase; http.host; content:"167.250.49.155"; depth:14; isdataat:!1,relative; metadata:created_at 
2024_07_19; reference:url, urlhaus.abuse.ch/url/3052394/; classtype:trojan-activity;sid:83915494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2968679)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/12.apk"; depth:35; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_13; reference:url, urlhaus.abuse.ch/url/2968679/; classtype:trojan-activity;sid:83831779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2968678)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/22.apk"; depth:35; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_13; reference:url, urlhaus.abuse.ch/url/2968678/; classtype:trojan-activity;sid:83831778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2949407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tan.jpg"; depth:8; endswith; nocase; http.host; content:"www999999safagqwhg-1327129302.cos.ap-chengdu.myqcloud.com"; depth:57; isdataat:!1,relative; metadata:created_at 2024_07_11; reference:url, urlhaus.abuse.ch/url/2949407/; classtype:trojan-activity;sid:83812507; rev:1;)
# NOTE(review), sid 83812485 below:
#  - "|7c|26|7c|" decodes to the four literal bytes "|26|", not to "&". If the
#    listed URL separates its query parameters with "&", this content can never
#    match; verify against urlhaus.abuse.ch/url/2949385/ before relying on it.
#  - depth:68 equals the length of the escaped rule text, while the decoded
#    pattern is 59 bytes. Every neighbouring rule uses depth == pattern length
#    to pin the match to the whole URI; here the match may start up to 9 bytes
#    into the buffer, so this rule is a suffix match rather than an exact one.
#  - The file ID is lowercased and matched with nocase, so letter case of the
#    ID is not checked; confirm the exact ID in the HTTP log on a hit.
#  - The rule inspects cleartext HTTP only; a fetch of the same URL over TLS is
#    not visible to it unless traffic is decrypted before the sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2949385)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1rsqnkyvcaein5m-gskl8coyuh8w5xrbd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_07_11; reference:url, urlhaus.abuse.ch/url/2949385/; classtype:trojan-activity;sid:83812485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus
Known malware download URL detected (2949176)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tan.jpg"; depth:8; endswith; nocase; http.host; content:"www999999asgasg-1327129302.cos.ap-chengdu.myqcloud.com"; depth:54; isdataat:!1,relative; metadata:created_at 2024_07_11; reference:url, urlhaus.abuse.ch/url/2949176/; classtype:trojan-activity;sid:83812276; rev:1;)
# NOTE(review): sids 83808693 and 83808660 below have identical match conditions
# (same method, same http.uri content and depth, same http.host content); only
# the msg ID, reference and sid differ. One matching request therefore raises
# two alerts. Presumably the two URLhaus entries differ in something these rules
# do not encode (for example the scheme) - verify against both references, and
# consider a threshold or suppress entry for one of the sids to avoid double
# counting in alert statistics.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2945593)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/sab/dithioic.csv"; depth:26; endswith; nocase; http.host; content:"new.quranushaiqer.org.sa"; depth:24; isdataat:!1,relative; metadata:created_at 2024_07_09; reference:url, urlhaus.abuse.ch/url/2945593/; classtype:trojan-activity;sid:83808693; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2945560)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/sab/dithioic.csv"; depth:26; endswith; nocase; http.host; content:"new.quranushaiqer.org.sa"; depth:24; isdataat:!1,relative; metadata:created_at 2024_07_09; reference:url, urlhaus.abuse.ch/url/2945560/; classtype:trojan-activity;sid:83808660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2944285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jijilovedada/jijilovedada/main/tools/cc/adaptorovernight.exe"; depth:61; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_07_08; reference:url, urlhaus.abuse.ch/url/2944285/; classtype:trojan-activity;sid:83807385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2942727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/1.exe";
depth:34; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_07; reference:url, urlhaus.abuse.ch/url/2942727/; classtype:trojan-activity;sid:83805827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2942725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download//1.exe"; depth:35; endswith; nocase; http.host; content:"47.98.177.117"; depth:13; isdataat:!1,relative; metadata:created_at 2024_07_07; reference:url, urlhaus.abuse.ch/url/2942725/; classtype:trojan-activity;sid:83805825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2942567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/compile/download/win"; depth:32; endswith; nocase; http.host; content:"8.218.138.77"; depth:12; isdataat:!1,relative; metadata:created_at 2024_07_07; reference:url, urlhaus.abuse.ch/url/2942567/; classtype:trojan-activity;sid:83805667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/000.exe"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934823/; classtype:trojan-activity;sid:83797923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934818)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/jigsaw.exe"; depth:76; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, 
urlhaus.abuse.ch/url/2934818/; classtype:trojan-activity;sid:83797918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/freeyoutubedownloader.exe"; depth:87; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934819/; classtype:trojan-activity;sid:83797919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934820)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/memz.exe"; depth:70; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934820/; classtype:trojan-activity;sid:83797920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/noescape.exe"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934821/; classtype:trojan-activity;sid:83797921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934822)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/destover.exe"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934822/; 
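classtype:trojan-activity;sid:83797922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/trojan/meredrop.exe"; depth:74; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934816/; classtype:trojan-activity;sid:83797916; rev:1;)
# http.uri is the normalized (percent-decoded) request URI: a "%20" sent by the
# client appears in this buffer as a single space byte, so the feed's literal
# "%20" text cannot match. The content below uses |20| for the decoded space and
# depth is reduced from 87 to the decoded length (85) so that depth + endswith
# still pins the match to the whole URI. Matching the undecoded form would
# need the http.uri.raw buffer instead.
# Local correction only: a feed refresh restores the upstream text, so the
# encoding problem should also be reported to URLhaus.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934811)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/hive|20|ransomware.exe"; depth:85; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934811/; classtype:trojan-activity;sid:83797911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/wannacry.exe"; depth:78; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934812/; classtype:trojan-activity;sid:83797912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/nomoreransom.exe"; depth:82; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934813/; classtype:trojan-activity;sid:83797913; rev:1;)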
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/petya.a.exe"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934808/; classtype:trojan-activity;sid:83797908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/cryptowall.exe"; depth:80; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934809/; classtype:trojan-activity;sid:83797909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934810)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/infinitycrypt.exe"; depth:83; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934810/; classtype:trojan-activity;sid:83797910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2934805)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trasherwithadollarsign/trashers-malware-repo/raw/main/ransomware/coronavirus.exe"; depth:81; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_07_05; reference:url, urlhaus.abuse.ch/url/2934805/; classtype:trojan-activity;sid:83797905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (2914055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tq.jpg"; depth:7; endswith; nocase; http.host; content:"down.ftp21.cc"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_30; reference:url, urlhaus.abuse.ch/url/2914055/; classtype:trojan-activity;sid:83777155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"122.179.136.112"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911215/; classtype:trojan-activity;sid:83774315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911196)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"78-20-115-5.access.telenet.be"; depth:29; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911196/; classtype:trojan-activity;sid:83774296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"195.103.203.106"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911194/; classtype:trojan-activity;sid:83774294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"78.20.115.5"; depth:11; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, 
urlhaus.abuse.ch/url/2911190/; classtype:trojan-activity;sid:83774290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911191)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"88.28.218.163"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911191/; classtype:trojan-activity;sid:83774291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"102.53.15.18"; depth:12; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911187/; classtype:trojan-activity;sid:83774287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911184)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"126.23.203.236"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911184/; classtype:trojan-activity;sid:83774284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911166)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"85.22.139.189"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911166/; classtype:trojan-activity;sid:83774266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911133)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; 
content:"102.53.15.17"; depth:12; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911133/; classtype:trojan-activity;sid:83774233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"softbank126023203236.bbtec.net"; depth:30; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911113/; classtype:trojan-activity;sid:83774213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"host-195-103-203-106.business.telecomitalia.it"; depth:46; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911108/; classtype:trojan-activity;sid:83774208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2911105)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photo.scr"; depth:10; endswith; nocase; http.host; content:"host-95-255-114-11.business.telecomitalia.it"; depth:44; isdataat:!1,relative; metadata:created_at 2024_06_28; reference:url, urlhaus.abuse.ch/url/2911105/; classtype:trojan-activity;sid:83774205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2909310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"45.118.79.103"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2909310/; classtype:trojan-activity;sid:83772410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (2909291)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"89.184.185.198"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2909291/; classtype:trojan-activity;sid:83772391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"182.72.167.124"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908913/; classtype:trojan-activity;sid:83772013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"211.192.113.232"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908899/; classtype:trojan-activity;sid:83771999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"211.192.113.231"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908901/; classtype:trojan-activity;sid:83772001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908902)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"202.57.39.2"; depth:11; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908902/; 
classtype:trojan-activity;sid:83772002; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line. The line above closes a
# rule that opens earlier in the file; the last line of this group opens a rule that
# continues on the following line.
# Each rule fires on an established, client-to-server HTTP GET whose http.uri equals the
# listed path (depth equal to the pattern length, plus endswith, nocase) and whose
# http.host equals the listed host (depth plus isdataat:!1,relative, so nothing may
# follow the host). Source and destination ports are "any".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2908903)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; endswith; nocase; http.host; content:"14.142.209.198"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_27; reference:url, urlhaus.abuse.ch/url/2908903/; classtype:trojan-activity;sid:83772003; rev:1;)
# NOTE(review): the next two rules name raw.githubusercontent.com, a host shared by many
# unrelated repositories. Only the exact path makes them specific, so they should not be
# reduced to a host-only indicator or block. That host is normally reached over HTTPS;
# an "alert http" rule inspects parsed HTTP, so these presumably match only where TLS is
# decrypted ahead of the sensor. Confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2901197)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwzonepieces/posapsi/master/chatlife.exe"; depth:41; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_22; reference:url, urlhaus.abuse.ch/url/2901197/; classtype:trojan-activity;sid:83764297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2894025)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kailash-jakhar/webpack-v5-tutorial/main/quizpokemon.exe"; depth:56; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_17; reference:url, urlhaus.abuse.ch/url/2894025/; classtype:trojan-activity;sid:83757125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2888463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"118.178.133.241"; depth:15; isdataat:!1,relative; metadata:created_at 2024_06_14; reference:url, urlhaus.abuse.ch/url/2888463/; classtype:trojan-activity;sid:83751563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2888444)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"124.67.254.109"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_14; reference:url, urlhaus.abuse.ch/url/2888444/; classtype:trojan-activity;sid:83751544; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line. The line above closes a
# rule that opens on the preceding line; the last line of this group opens a rule that
# is closed on the following line.
# Each rule fires on an established, client-to-server HTTP GET whose http.uri equals the
# listed path (depth equal to the pattern length, plus endswith, nocase) and whose
# http.host equals the listed host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2888430)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; endswith; nocase; http.host; content:"117.157.17.194"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_14; reference:url, urlhaus.abuse.ch/url/2888430/; classtype:trojan-activity;sid:83751530; rev:1;)
# NOTE(review): the next two rules name raw.githubusercontent.com, a host shared by many
# unrelated repositories. Only the exact path makes them specific. That host is normally
# reached over HTTPS, so an "alert http" rule presumably sees the request only where TLS
# is decrypted ahead of the sensor. Confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2885860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brunovale03/adegaads/main/offeredbuilt.exe"; depth:43; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_13; reference:url, urlhaus.abuse.ch/url/2885860/; classtype:trojan-activity;sid:83748960; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2883708)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sirvivor32/sirvivor/main/lukejazz.exe"; depth:38; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_06_11; reference:url, urlhaus.abuse.ch/url/2883708/; classtype:trojan-activity;sid:83746808; rev:1;)
# NOTE(review): the pattern in the next rule contains a literal "%20". http.uri is
# Suricata's normalized URI buffer, in which percent-encoding is decoded (http.uri.raw
# keeps the bytes as sent), so the three characters "%20" may never be present in the
# buffer this rule matches against. Replay a sample request on your Suricata version
# before counting on this rule for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2879955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unp%20setup.exe"; depth:16; endswith; nocase; http.host; content:"36.138.125.70"; depth:13; isdataat:!1,relative; metadata:created_at 2024_06_08; reference:url, urlhaus.abuse.ch/url/2879955/; 
classtype:trojan-activity;sid:83743055; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line. The line above closes a
# rule that opens on the preceding line; the last line of this group opens a rule that
# continues on the following line.
# Each rule fires on an established, client-to-server HTTP GET matched on http.uri
# (depth, endswith, nocase) and on http.host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2879655)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sharphound.exe"; depth:15; endswith; nocase; http.host; content:"92.127.156.174"; depth:14; isdataat:!1,relative; metadata:created_at 2024_06_08; reference:url, urlhaus.abuse.ch/url/2879655/; classtype:trojan-activity;sid:83742755; rev:1;)
# NOTE(review): github.com (next rule) and drive.google.com (the two after it) are shared
# platforms that are normally reached over HTTPS. An "alert http" rule inspects parsed
# HTTP, so these presumably match only where TLS is decrypted ahead of the sensor, and
# only the exact path or query makes them specific. Confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2877890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ustaxes/ustaxes/files/15421286/2022and2023taxdocuments.zip"; depth:59; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_06_07; reference:url, urlhaus.abuse.ch/url/2877890/; classtype:trojan-activity;sid:83740990; rev:1;)
# NOTE(review): in the two drive.google.com patterns below, |3f| is the hex escape for
# "?", but |7c|26|7c| decodes to the four literal characters "|26|" (0x7c is the pipe
# character itself), not to the single byte 0x26 ("&"). This looks like the pipes of a
# |26| escape were escaped a second time when the rule was produced. depth:68 equals the
# length of the pattern text as written, escapes included, which is longer than the
# decoded pattern and fits that reading. If so, these rules cannot match a query of the
# form ?export=download&id=...; verify with a test request and raise it with the feed
# maintainer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2874107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=19nonxskhmwbvfxpr2ccmwd9xrhz1ldco"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_06_04; reference:url, urlhaus.abuse.ch/url/2874107/; classtype:trojan-activity;sid:83737207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2874109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1p_knmkidu8kiejeem_ijrlumbjih3bkv"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_06_04; reference:url, urlhaus.abuse.ch/url/2874109/; classtype:trojan-activity;sid:83737209; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2872168)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/htwvlcdsfcrahhchdd97.bin"; depth:25; endswith; nocase; http.host; content:"ramirex.ro"; depth:10; isdataat:!1,relative; metadata:created_at 2024_06_02; reference:url, urlhaus.abuse.ch/url/2872168/; classtype:trojan-activity;sid:83735268; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line. The line above closes a
# rule that opens on the preceding line; the last line of this group opens a rule that
# is closed on the following line.
# Each rule fires on an established, client-to-server HTTP GET matched on http.uri
# (depth, endswith, nocase) and on http.host (depth plus isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2872167)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rutschebanes.qxd"; depth:17; endswith; nocase; http.host; content:"ramirex.ro"; depth:10; isdataat:!1,relative; metadata:created_at 2024_06_02; reference:url, urlhaus.abuse.ch/url/2872167/; classtype:trojan-activity;sid:83735267; rev:1;)
# NOTE(review): in the two drive.google.com patterns below, |3f| is the hex escape for
# "?", but |7c|26|7c| decodes to the four literal characters "|26|" (0x7c is the pipe
# character itself), not to the single byte 0x26 ("&"). This looks like the pipes of a
# |26| escape were escaped a second time when the rule was produced. depth:68 equals the
# length of the pattern text as written, escapes included, which is longer than the
# decoded pattern and fits that reading. If so, these rules cannot match a query of the
# form ?export=download&id=...; verify with a test request and raise it with the feed
# maintainer.
# drive.google.com is also a shared platform that is normally reached over HTTPS, so an
# "alert http" rule presumably sees the request only where TLS is decrypted ahead of the
# sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2870237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1cqtygpx9gdoywntprwub0xbckivif6iy"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2870237/; classtype:trojan-activity;sid:83733337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2870235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1wsqkirdngjlt8uu2lv9mzciks4my12jh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2870235/; classtype:trojan-activity;sid:83733335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2869844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wxworkmultiopen.exe"; depth:20; endswith; nocase; http.host; content:"119.91.25.19"; 
depth:12; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2869844/; classtype:trojan-activity;sid:83732944; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line. The line above closes a
# rule that opens on the preceding line; the last line of this group opens a rule that
# is closed on the following line.
# Each rule fires on an established, client-to-server HTTP GET whose http.uri equals the
# listed path (depth equal to the pattern length, plus endswith, nocase) and whose
# http.host equals the listed host (depth plus isdataat:!1,relative).
# NOTE(review): three of the rules below name raw.githubusercontent.com, a host shared by
# many unrelated repositories. Only the exact path makes them specific, so they should
# not be reduced to a host-only indicator or block. That host is normally reached over
# HTTPS, so an "alert http" rule presumably sees the request only where TLS is decrypted
# ahead of the sensor. Confirm for your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2869702)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sheksweet/sheksweet1/main/rambledmime.exe"; depth:42; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_31; reference:url, urlhaus.abuse.ch/url/2869702/; classtype:trojan-activity;sid:83732802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2868723)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a.i_1003h.exe"; depth:14; endswith; nocase; http.host; content:"221.143.49.222"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_30; reference:url, urlhaus.abuse.ch/url/2868723/; classtype:trojan-activity;sid:83731823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2867270)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmed45sh/flutter-movie/master/crypted_c360a5b7.exe"; depth:52; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_28; reference:url, urlhaus.abuse.ch/url/2867270/; classtype:trojan-activity;sid:83730370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2867236)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ahmed45sh/apple-replica-starter-files/master/apple-replica/zintask.exe"; depth:71; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_28; reference:url, urlhaus.abuse.ch/url/2867236/; 
classtype:trojan-activity;sid:83730336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.108.58.13"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863341/; classtype:trojan-activity;sid:83726441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863346)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.43.19.103"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863346/; classtype:trojan-activity;sid:83726446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863330)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.108.58.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863330/; classtype:trojan-activity;sid:83726430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.77.57.16"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863333/; classtype:trojan-activity;sid:83726433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2863334)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.49.168.84"; depth:13; isdataat:!1,relative; 
metadata:created_at 2024_05_25; reference:url, urlhaus.abuse.ch/url/2863334/; classtype:trojan-activity;sid:83726434; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line. The line above closes a
# rule that opens on the preceding line; the last line of this group opens a rule that
# continues on the following line.
# Each rule fires on an established, client-to-server HTTP GET whose http.uri equals the
# listed path (depth equal to the pattern length, plus endswith, nocase) and whose
# http.host equals the listed host (depth plus isdataat:!1,relative).
# NOTE(review): pastebin.com and www.sendspace.com are shared hosting services, so only
# the exact path makes these rules specific; they should not be reduced to a host-only
# indicator or block. Both are presumably reached over HTTPS in normal use, in which
# case an "alert http" rule sees the request only where TLS is decrypted ahead of the
# sensor. The path patterns are lower-case and matched with nocase, so an identifier
# that differs from the listed one only in letter case also matches. Treat that as a
# possible false-positive source if the service's identifiers are case-sensitive.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862520)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/varteyjw"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862520/; classtype:trojan-activity;sid:83725620; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862050)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/8gikly"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862050/; classtype:trojan-activity;sid:83725150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862051)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/medjl1"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862051/; classtype:trojan-activity;sid:83725151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862052)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/dy1f16"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862052/; classtype:trojan-activity;sid:83725152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862053)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/pro/dl/kx3wl4"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862053/; classtype:trojan-activity;sid:83725153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/ppxodm"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862054/; classtype:trojan-activity;sid:83725154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862055)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/e7opy8"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862055/; classtype:trojan-activity;sid:83725155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/7dhid7"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862056/; classtype:trojan-activity;sid:83725156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/tbfvpd"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862049/; classtype:trojan-activity;sid:83725149; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862047)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/g2js91"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862047/; classtype:trojan-activity;sid:83725147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/i7tdbr"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862045/; classtype:trojan-activity;sid:83725145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862020)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.216.105.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862020/; classtype:trojan-activity;sid:83725120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862017)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862017/; classtype:trojan-activity;sid:83725117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862007)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, 
urlhaus.abuse.ch/url/2862007/; classtype:trojan-activity;sid:83725107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862009/; classtype:trojan-activity;sid:83725109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"166.144.131.188"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862010/; classtype:trojan-activity;sid:83725110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2862014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2862014/; classtype:trojan-activity;sid:83725114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861987)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"218.108.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861987/; classtype:trojan-activity;sid:83725087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861979)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.208.134"; 
depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861979/; classtype:trojan-activity;sid:83725079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861982)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861982/; classtype:trojan-activity;sid:83725082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"132.255.192.122"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861971/; classtype:trojan-activity;sid:83725071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861974/; classtype:trojan-activity;sid:83725074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"178.183.208.134"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861957/; classtype:trojan-activity;sid:83725057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861958)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861958/; classtype:trojan-activity;sid:83725058; rev:1;)
# URLhaus download-URL signatures, laid out one rule per line. The line above closes a
# rule that opens on the preceding line; the last line of this group opens a rule that
# continues on the following line.
# Each rule fires on an established, client-to-server HTTP GET whose http.uri equals
# "/sshd" (depth:5 plus endswith, nocase) and whose http.host equals the listed address
# (depth plus isdataat:!1,relative). The rules match on host and path only; nothing in
# them inspects the response or the downloaded content.
# NOTE(review): rules 2861959 and 2861919 below have identical match conditions (same
# method, http.uri and http.host "81.42.247.62") and differ only in msg, reference and
# sid. The rule header uses "any" for ports, so if the underlying URLhaus entries differ
# by port or scheme (not visible here) the rules cannot tell them apart, and a single
# request raises one alert per duplicate. Deduplicate or threshold downstream when
# counting detections per host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861959/; classtype:trojan-activity;sid:83725059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861950)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.47.248.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861950/; classtype:trojan-activity;sid:83725050; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861948/; classtype:trojan-activity;sid:83725048; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861919)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861919/; classtype:trojan-activity;sid:83725019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861923)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861923/; classtype:trojan-activity;sid:83725023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861927)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.82.83.143"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861927/; classtype:trojan-activity;sid:83725027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861929)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"95.230.215.65"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861929/; classtype:trojan-activity;sid:83725029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861930)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"141.134.214.217"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861930/; classtype:trojan-activity;sid:83725030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861931/; classtype:trojan-activity;sid:83725031; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861935/; classtype:trojan-activity;sid:83725035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861939)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861939/; classtype:trojan-activity;sid:83725039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861940)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861940/; classtype:trojan-activity;sid:83725040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861941/; classtype:trojan-activity;sid:83725041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861943)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861943/; 
classtype:trojan-activity;sid:83725043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861945)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"218.108.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861945/; classtype:trojan-activity;sid:83725045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/dvbcvt"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861888/; classtype:trojan-activity;sid:83724988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861887)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pro/dl/exw2o1"; depth:14; endswith; nocase; http.host; content:"www.sendspace.com"; depth:17; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861887/; classtype:trojan-activity;sid:83724987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861843/; classtype:trojan-activity;sid:83724943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; 
depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861844/; classtype:trojan-activity;sid:83724944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861838/; classtype:trojan-activity;sid:83724938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861839/; classtype:trojan-activity;sid:83724939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861828)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"141.134.214.217"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861828/; classtype:trojan-activity;sid:83724928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861827)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"68.107.218.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861827/; classtype:trojan-activity;sid:83724927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861822)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861822/; classtype:trojan-activity;sid:83724922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861819)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861819/; classtype:trojan-activity;sid:83724919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861814/; classtype:trojan-activity;sid:83724914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861808)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"218.108.181.2"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861808/; classtype:trojan-activity;sid:83724908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861802/; classtype:trojan-activity;sid:83724902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2861799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861799/; classtype:trojan-activity;sid:83724899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861800/; classtype:trojan-activity;sid:83724900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"132.255.192.122"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861798/; classtype:trojan-activity;sid:83724898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861794/; classtype:trojan-activity;sid:83724894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"178.183.208.134"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861791/; classtype:trojan-activity;sid:83724891; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861790)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861790/; classtype:trojan-activity;sid:83724890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861789)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.231.190.163"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861789/; classtype:trojan-activity;sid:83724889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861785/; classtype:trojan-activity;sid:83724885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861781/; classtype:trojan-activity;sid:83724881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, 
urlhaus.abuse.ch/url/2861777/; classtype:trojan-activity;sid:83724877; rev:1;)
# Reading these signatures: each one is an exact match on a single URL.
#   - http.uri: a 6-byte content with depth:6 and endswith must both start and
#     end the buffer, so the whole URI has to be "//sshd" (case-insensitive via
#     nocase). A query string or any other path does not match.
#   - http.host: depth:N plus isdataat:!1,relative means nothing may follow the
#     content, so the whole host buffer has to equal the listed address.
# NOTE(review): the URI content begins with two slashes and is matched in
#   http.uri, the normalized URI buffer. Confirm that the deployed HTTP parser
#   settings leave a leading "//" intact; if they do not, these rules would need
#   http.uri.raw to fire.
# NOTE(review): sids 83724870 and 83724873 below carry identical http.uri and
#   http.host contents and differ only in msg, reference and sid, so one
#   matching request raises one alert per rule. The sids presumably come from
#   the feed, so de-duplicate on (host, uri) at triage or via thresholding
#   rather than by editing the rules - TODO confirm against the feed's update
#   behaviour.
# NOTE(review): created_at is 2024_05_24 and every host here is a bare IPv4
#   address. The address may have changed hands since the entry was created, so
#   corroborate a hit (payload, follow-on traffic) before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861770/; classtype:trojan-activity;sid:83724870; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861773/; classtype:trojan-activity;sid:83724873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861763/; classtype:trojan-activity;sid:83724863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861755/; classtype:trojan-activity;sid:83724855; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; 
depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861749/; classtype:trojan-activity;sid:83724849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861745)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861745/; classtype:trojan-activity;sid:83724845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861743)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"123.143.141.75"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861743/; classtype:trojan-activity;sid:83724843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861735/; classtype:trojan-activity;sid:83724835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"81.42.247.62"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861740/; classtype:trojan-activity;sid:83724840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861733)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"//sshd"; depth:6; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861733/; classtype:trojan-activity;sid:83724833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861734)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861734/; classtype:trojan-activity;sid:83724834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861721/; classtype:trojan-activity;sid:83724821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861725/; classtype:trojan-activity;sid:83724825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861716)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"188.170.32.148"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861716/; classtype:trojan-activity;sid:83724816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2861707)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"209.162.229.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861707/; classtype:trojan-activity;sid:83724807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861695)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"102.216.105.81"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861695/; classtype:trojan-activity;sid:83724795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861685)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861685/; classtype:trojan-activity;sid:83724785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"202.3.248.178"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861693/; classtype:trojan-activity;sid:83724793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861680)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861680/; classtype:trojan-activity;sid:83724780; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861675)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"80.24.87.77"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861675/; classtype:trojan-activity;sid:83724775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861667)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861667/; classtype:trojan-activity;sid:83724767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861657)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"31.173.70.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861657/; classtype:trojan-activity;sid:83724757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861643)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861643/; classtype:trojan-activity;sid:83724743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861640)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, 
urlhaus.abuse.ch/url/2861640/; classtype:trojan-activity;sid:83724740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861641)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861641/; classtype:trojan-activity;sid:83724741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"77.237.29.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861633/; classtype:trojan-activity;sid:83724733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861636)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"95.47.248.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861636/; classtype:trojan-activity;sid:83724736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861629/; classtype:trojan-activity;sid:83724729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861615)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; 
depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861615/; classtype:trojan-activity;sid:83724715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861616/; classtype:trojan-activity;sid:83724716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"82.148.194.54"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861595/; classtype:trojan-activity;sid:83724695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"69.75.168.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861597/; classtype:trojan-activity;sid:83724697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861600)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"223.82.83.143"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861600/; classtype:trojan-activity;sid:83724700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861601)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861601/; classtype:trojan-activity;sid:83724701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861609/; classtype:trojan-activity;sid:83724709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861592/; classtype:trojan-activity;sid:83724692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861582)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861582/; classtype:trojan-activity;sid:83724682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861573/; classtype:trojan-activity;sid:83724673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2861559)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"68.226.36.150"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861559/; classtype:trojan-activity;sid:83724659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"95.230.215.65"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861553/; classtype:trojan-activity;sid:83724653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861555)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"88.123.92.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861555/; classtype:trojan-activity;sid:83724655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861549/; classtype:trojan-activity;sid:83724649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//sshd"; depth:6; endswith; nocase; http.host; content:"76.53.38.126"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861547/; classtype:trojan-activity;sid:83724647; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2861543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.231.190.163"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_24; reference:url, urlhaus.abuse.ch/url/2861543/; classtype:trojan-activity;sid:83724643; rev:1;)
# From here on the URI content is "/sshd" with depth:5 (single leading slash).
# As elsewhere in this ruleset, depth equal to the content length combined with
# endswith makes the URI match exact, and depth plus isdataat:!1,relative does
# the same for the host buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859756)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a0tnubtz.so"; depth:12; endswith; nocase; http.host; content:"94.16.119.223"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859756/; classtype:trojan-activity;sid:83722856; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"92.66.30.68"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859511/; classtype:trojan-activity;sid:83722611; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"82.148.194.54"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_22; reference:url, urlhaus.abuse.ch/url/2859508/; classtype:trojan-activity;sid:83722608; rev:1;)
# The next rule names a shared hosting domain ("github.com") rather than a
# single-purpose address. The 58-byte URI must match exactly (depth:58 plus
# endswith), so the signature is tied to this one file path and not to the
# site as a whole.
# NOTE(review): the rule is `alert http`, so it only fires where the sensor
#   sees the request as cleartext HTTP (a plain-HTTP fetch, or traffic decrypted
#   upstream of the sensor). A TLS session to this host is not visible to the
#   http.* buffers, so do not read a quiet rule as absence of the download.
#   Cover the TLS case from proxy or endpoint telemetry instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2859027)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ustaxes/ustaxes/files/15378217/all.2023.tax.documents.zip"; depth:58; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_05_21; reference:url, urlhaus.abuse.ch/url/2859027/; classtype:trojan-activity;sid:83722127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2858898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.225.186.186"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_21; reference:url, urlhaus.abuse.ch/url/2858898/; classtype:trojan-activity;sid:83721998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857892)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"202.3.248.178"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857892/; classtype:trojan-activity;sid:83720992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857875)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857875/; classtype:trojan-activity;sid:83720975; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857859)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857859/; classtype:trojan-activity;sid:83720959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857851)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; 
nocase; http.host; content:"144.6.87.144"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857851/; classtype:trojan-activity;sid:83720951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857849)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857849/; classtype:trojan-activity;sid:83720949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"185.2.229.122"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857844/; classtype:trojan-activity;sid:83720944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857837)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857837/; classtype:trojan-activity;sid:83720937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857838)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"149.62.200.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857838/; classtype:trojan-activity;sid:83720938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857834)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857834/; classtype:trojan-activity;sid:83720934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857813)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857813/; classtype:trojan-activity;sid:83720913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857809/; classtype:trojan-activity;sid:83720909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"202.3.248.179"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857807/; classtype:trojan-activity;sid:83720907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857795)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857795/; classtype:trojan-activity;sid:83720895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (2857794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"68.107.218.106"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857794/; classtype:trojan-activity;sid:83720894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"68.226.36.150"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857788/; classtype:trojan-activity;sid:83720888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857785/; classtype:trojan-activity;sid:83720885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857778/; classtype:trojan-activity;sid:83720878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857772)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"69.75.168.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857772/; classtype:trojan-activity;sid:83720872; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857773)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857773/; classtype:trojan-activity;sid:83720873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857762)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857762/; classtype:trojan-activity;sid:83720862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"88.123.92.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857754/; classtype:trojan-activity;sid:83720854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857747/; classtype:trojan-activity;sid:83720847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857749)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, 
urlhaus.abuse.ch/url/2857749/; classtype:trojan-activity;sid:83720849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857730/; classtype:trojan-activity;sid:83720830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857719/; classtype:trojan-activity;sid:83720819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857692)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"31.173.70.100"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857692/; classtype:trojan-activity;sid:83720792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857687)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"113.160.251.236"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857687/; classtype:trojan-activity;sid:83720787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; 
depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857672/; classtype:trojan-activity;sid:83720772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857669)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857669/; classtype:trojan-activity;sid:83720769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857666)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857666/; classtype:trojan-activity;sid:83720766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"87.251.249.41"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857660/; classtype:trojan-activity;sid:83720760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"144.6.87.144"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857653/; classtype:trojan-activity;sid:83720753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857651)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857651/; classtype:trojan-activity;sid:83720751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857652)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"188.170.32.148"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857652/; classtype:trojan-activity;sid:83720752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857642/; classtype:trojan-activity;sid:83720742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"31.0.241.65"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857634/; classtype:trojan-activity;sid:83720734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857630)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857630/; classtype:trojan-activity;sid:83720730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2857624)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"118.69.157.212"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857624/; classtype:trojan-activity;sid:83720724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857620/; classtype:trojan-activity;sid:83720720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857601)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"212.93.103.10"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857601/; classtype:trojan-activity;sid:83720701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857602/; classtype:trojan-activity;sid:83720702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857587)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"24.234.159.5"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857587/; classtype:trojan-activity;sid:83720687; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"223.108.58.13"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857584/; classtype:trojan-activity;sid:83720684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857580)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857580/; classtype:trojan-activity;sid:83720680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"80.14.38.66"; depth:11; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857573/; classtype:trojan-activity;sid:83720673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"77.237.29.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857570/; classtype:trojan-activity;sid:83720670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857553)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"46.250.54.75"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857553/; 
classtype:trojan-activity;sid:83720653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857551/; classtype:trojan-activity;sid:83720651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857545/; classtype:trojan-activity;sid:83720645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"202.139.20.12"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857535/; classtype:trojan-activity;sid:83720635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857526/; classtype:trojan-activity;sid:83720626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857527)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; 
metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857527/; classtype:trojan-activity;sid:83720627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"164.126.129.225"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857521/; classtype:trojan-activity;sid:83720621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857524)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857524/; classtype:trojan-activity;sid:83720624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857525)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"209.162.229.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857525/; classtype:trojan-activity;sid:83720625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.42"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857512/; classtype:trojan-activity;sid:83720612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; 
nocase; http.host; content:"223.108.58.15"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857502/; classtype:trojan-activity;sid:83720602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857496)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"112.4.110.42"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857496/; classtype:trojan-activity;sid:83720596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857498)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857498/; classtype:trojan-activity;sid:83720598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857483)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857483/; classtype:trojan-activity;sid:83720583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857484)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857484/; classtype:trojan-activity;sid:83720584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857486)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"91.164.39.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857486/; classtype:trojan-activity;sid:83720586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857475)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857475/; classtype:trojan-activity;sid:83720575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857468)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"31.222.113.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857468/; classtype:trojan-activity;sid:83720568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"99.71.130.109"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857464/; classtype:trojan-activity;sid:83720564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"102.68.74.45"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857465/; classtype:trojan-activity;sid:83720565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (2857463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"165.73.108.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857463/; classtype:trojan-activity;sid:83720563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"174.71.237.86"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857447/; classtype:trojan-activity;sid:83720547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2857448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sshd"; depth:5; endswith; nocase; http.host; content:"68.226.36.150"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_20; reference:url, urlhaus.abuse.ch/url/2857448/; classtype:trojan-activity;sid:83720548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2846768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/setup.msi"; depth:21; endswith; nocase; http.host; content:"zenglobalenerji.com"; depth:19; isdataat:!1,relative; metadata:created_at 2024_05_11; reference:url, urlhaus.abuse.ch/url/2846768/; classtype:trojan-activity;sid:83709868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2845681)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/filesrc/android/apk/2023/zonghengxsandroid_7.5.6.63_zh-zhh5.apk"; depth:68; endswith; nocase; http.host; content:"static.zongheng.com"; depth:19; isdataat:!1,relative; metadata:created_at 
2024_05_10; reference:url, urlhaus.abuse.ch/url/2845681/; classtype:trojan-activity;sid:83708781; rev:1;)
# NOTE(review): pastebin.com is a shared hosting service, so only the path identifies the
# sample in the next rule; the host on its own is not an indicator. As an "alert http" rule
# it can only fire on cleartext HTTP or on traffic the sensor inspects after TLS decryption -
# presumably most requests to this host are HTTPS, so confirm visibility before relying on it.
# The URI content is lower-case with nocase, so any case variant of "/raw/is2kceh3" matches;
# if paste identifiers are case-sensitive (verify), a hit may refer to a different paste than
# the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2843557)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/is2kceh3"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2843557/; classtype:trojan-activity;sid:83706657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2843082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tell.sh"; depth:8; endswith; nocase; http.host; content:"185.172.128.16"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2843082/; classtype:trojan-activity;sid:83706182; rev:1;)
# The rules from here on pin the URI to the three characters "/.i" (depth:3 plus endswith)
# together with one exact host each.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842725)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"89.231.14.137"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2842725/; classtype:trojan-activity;sid:83705825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"88.116.62.226"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2842722/; classtype:trojan-activity;sid:83705822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; 
content:"45.120.38.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_08; reference:url, urlhaus.abuse.ch/url/2842671/; classtype:trojan-activity;sid:83705771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842036)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"109.245.220.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842036/; classtype:trojan-activity;sid:83705136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842030)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"172.85.143.74"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842030/; classtype:trojan-activity;sid:83705130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.145.205.178"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842010/; classtype:trojan-activity;sid:83705110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2842006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"116.58.51.90"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2842006/; classtype:trojan-activity;sid:83705106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841995)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"182.253.115.156"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841995/; classtype:trojan-activity;sid:83705095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841988)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.148.5.34"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841988/; classtype:trojan-activity;sid:83705088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"81.16.249.96"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841976/; classtype:trojan-activity;sid:83705076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841947)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.151.163.54"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841947/; classtype:trojan-activity;sid:83705047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841941)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"182.253.115.155"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841941/; classtype:trojan-activity;sid:83705041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2841807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptography_module_windows.exe"; depth:32; endswith; nocase; http.host; content:"122.170.110.131"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841807/; classtype:trojan-activity;sid:83704907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.253.115.156"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841712/; classtype:trojan-activity;sid:83704812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841705)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.87.223.241"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841705/; classtype:trojan-activity;sid:83704805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841631)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"182.253.115.155"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841631/; classtype:trojan-activity;sid:83704731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841613)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.245.220.229"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841613/; classtype:trojan-activity;sid:83704713; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"116.58.51.90"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841602/; classtype:trojan-activity;sid:83704702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"172.85.143.74"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841586/; classtype:trojan-activity;sid:83704686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.151.163.54"; depth:14; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841575/; classtype:trojan-activity;sid:83704675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841576)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.249.96"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841576/; classtype:trojan-activity;sid:83704676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.107.232.167"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, 
urlhaus.abuse.ch/url/2841573/; classtype:trojan-activity;sid:83704673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2841570)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.145.205.178"; depth:15; isdataat:!1,relative; metadata:created_at 2024_05_07; reference:url, urlhaus.abuse.ch/url/2841570/; classtype:trojan-activity;sid:83704670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.249.146"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834467/; classtype:trojan-activity;sid:83697567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834459)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cron"; depth:5; endswith; nocase; http.host; content:"45.76.122.186"; depth:13; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834459/; classtype:trojan-activity;sid:83697559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834442)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.67"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834442/; classtype:trojan-activity;sid:83697542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.70"; depth:12; 
isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834387/; classtype:trojan-activity;sid:83697487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2834372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl"; depth:5; endswith; nocase; http.host; content:"66.71.242.69"; depth:12; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2834372/; classtype:trojan-activity;sid:83697472; rev:1;)
# NOTE(review): the rules below name raw.githubusercontent.com and github.com. These are
# shared platforms, so each rule identifies one file by its full path and the host on its
# own is not an indicator. As "alert http" rules they only see cleartext HTTP or traffic
# inspected after TLS decryption - presumably these hosts are reached over HTTPS, so confirm
# the sensor has visibility; without it these rules will not fire.
# sid 83697016 and sid 83697004 appear to address the same repository file through two URL
# forms (a raw.githubusercontent.com path and a github.com ".../raw/..." path).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2833916)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frexoff/efefwefwwf/main/cock.exe"; depth:33; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2833916/; classtype:trojan-activity;sid:83697016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2833904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frexoff/efefwefwwf/raw/main/cock.exe"; depth:37; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_05_01; reference:url, urlhaus.abuse.ch/url/2833904/; classtype:trojan-activity;sid:83697004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2830963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kampfkarren/roblox/files/15001743/roexec.zip"; depth:45; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_29; reference:url, urlhaus.abuse.ch/url/2830963/; classtype:trojan-activity;sid:83694063; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (2830955)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/delta-io/delta/files/15016110/delta.zip"; depth:40; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_29; reference:url, urlhaus.abuse.ch/url/2830955/; classtype:trojan-activity;sid:83694055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2827181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; endswith; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; metadata:created_at 2024_04_25; reference:url, urlhaus.abuse.ch/url/2827181/; classtype:trojan-activity;sid:83690281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2824078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mazacoin/maza/releases/download/v0.16.3/maza-0.16.3-win64-setup-unsigned.exe"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_23; reference:url, urlhaus.abuse.ch/url/2824078/; classtype:trojan-activity;sid:83687178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2824079)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mazacoin/maza/releases/download/v0.16.3/maza-0.16.3-osx-unsigned.dmg"; depth:69; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_23; reference:url, urlhaus.abuse.ch/url/2824079/; classtype:trojan-activity;sid:83687179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2824077)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mazacoin/maza/releases/download/v0.16.3/maza-0.16.3-win32-setup-unsigned.exe"; depth:77; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_23; reference:url, urlhaus.abuse.ch/url/2824077/; classtype:trojan-activity;sid:83687177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"200.69.219.25"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822888/; classtype:trojan-activity;sid:83685988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"185.13.221.50"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822877/; classtype:trojan-activity;sid:83685977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822862)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.128.195.138"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822862/; classtype:trojan-activity;sid:83685962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822863)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"41.77.74.90"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822863/; classtype:trojan-activity;sid:83685963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (2822847)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"84.242.139.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822847/; classtype:trojan-activity;sid:83685947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822821)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"31.210.217.24"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822821/; classtype:trojan-activity;sid:83685921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.88.180.115"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822823/; classtype:trojan-activity;sid:83685923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822809)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"95.170.116.28"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822809/; classtype:trojan-activity;sid:83685909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822794)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"188.72.6.218"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822794/; 
classtype:trojan-activity;sid:83685894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"95.158.175.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822781/; classtype:trojan-activity;sid:83685881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822735)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"185.21.223.166"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822735/; classtype:trojan-activity;sid:83685835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"179.51.168.26"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822732/; classtype:trojan-activity;sid:83685832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822724)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"118.179.121.235"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822724/; classtype:trojan-activity;sid:83685824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822726)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"196.41.63.178"; depth:13; isdataat:!1,relative; 
metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822726/; classtype:trojan-activity;sid:83685826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822698)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"98.103.171.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822698/; classtype:trojan-activity;sid:83685798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"186.154.93.81"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822619/; classtype:trojan-activity;sid:83685719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822620)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"150.129.202.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822620/; classtype:trojan-activity;sid:83685720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.92.82.180"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822548/; classtype:trojan-activity;sid:83685648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; 
http.host; content:"202.53.164.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822544/; classtype:trojan-activity;sid:83685644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"95.170.119.100"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822543/; classtype:trojan-activity;sid:83685643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822522)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.140.32.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822522/; classtype:trojan-activity;sid:83685622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"186.211.153.18"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822490/; classtype:trojan-activity;sid:83685590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822488)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"85.187.82.120"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822488/; classtype:trojan-activity;sid:83685588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822478)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.200.106.94"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822478/; classtype:trojan-activity;sid:83685578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822471)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.2.237.104"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822471/; classtype:trojan-activity;sid:83685571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822477)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.5.50.108"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822477/; classtype:trojan-activity;sid:83685577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822462)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"200.61.163.235"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822462/; classtype:trojan-activity;sid:83685562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822438)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.7.203.130"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822438/; classtype:trojan-activity;sid:83685538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (2822443)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"151.237.4.20"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822443/; classtype:trojan-activity;sid:83685543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"213.6.74.138"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822416/; classtype:trojan-activity;sid:83685516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"149.255.10.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822410/; classtype:trojan-activity;sid:83685510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.148.18.220"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822386/; classtype:trojan-activity;sid:83685486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822371)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"109.108.84.121"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822371/; classtype:trojan-activity;sid:83685471; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822372)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"154.84.212.18"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822372/; classtype:trojan-activity;sid:83685472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.29.14.127"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822353/; classtype:trojan-activity;sid:83685453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822321)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"79.175.42.206"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822321/; classtype:trojan-activity;sid:83685421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.64.210.218"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822280/; classtype:trojan-activity;sid:83685380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.90.207.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822259/; 
classtype:trojan-activity;sid:83685359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.7.160.114"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822244/; classtype:trojan-activity;sid:83685344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822214)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.217.148.227"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822214/; classtype:trojan-activity;sid:83685314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822215)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"212.237.112.109"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822215/; classtype:trojan-activity;sid:83685315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822207)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.244.169.56"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822207/; classtype:trojan-activity;sid:83685307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822200)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"186.211.154.33"; depth:14; isdataat:!1,relative; 
metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822200/; classtype:trojan-activity;sid:83685300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822189)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"58.145.168.170"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822189/; classtype:trojan-activity;sid:83685289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822190)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"62.162.113.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822190/; classtype:trojan-activity;sid:83685290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822173)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"81.16.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822173/; classtype:trojan-activity;sid:83685273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822169)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"195.34.91.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822169/; classtype:trojan-activity;sid:83685269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; 
http.host; content:"150.129.202.193"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822132/; classtype:trojan-activity;sid:83685232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822121)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"81.16.247.81"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822121/; classtype:trojan-activity;sid:83685221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822102)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"138.122.43.76"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822102/; classtype:trojan-activity;sid:83685202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"92.241.77.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822107/; classtype:trojan-activity;sid:83685207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822078)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"114.7.203.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822078/; classtype:trojan-activity;sid:83685178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822070)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"78.26.180.129"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822070/; classtype:trojan-activity;sid:83685170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822064)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.187.151.107"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822064/; classtype:trojan-activity;sid:83685164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822044)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822044/; classtype:trojan-activity;sid:83685144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"181.48.119.70"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822039/; classtype:trojan-activity;sid:83685139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2822004)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.251.5.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822004/; classtype:trojan-activity;sid:83685104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL 
detected (2822006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"77.89.245.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2822006/; classtype:trojan-activity;sid:83685106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.188.30.171"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821976/; classtype:trojan-activity;sid:83685076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.92.68.241"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821977/; classtype:trojan-activity;sid:83685077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"91.204.154.197"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821963/; classtype:trojan-activity;sid:83685063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821959)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"46.151.56.42"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821959/; classtype:trojan-activity;sid:83685059; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"76.76.195.174"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821942/; classtype:trojan-activity;sid:83685042; rev:1;)
# These rules alert on an outbound HTTP GET whose URI is exactly "/.i" and whose Host is exactly
# the listed IP literal. The content length equals `depth` and `endswith` is set, so the URI match
# covers the whole buffer (case-insensitively, via `nocase`); `depth` plus `isdataat:!1,relative`
# does the same for the Host buffer.
# NOTE(review): the URI is only 3 bytes, so the Host value carries nearly all of the specificity.
# These entries carry `created_at 2024_04_22` and IP addresses can be reassigned; confirm the
# referenced URLhaus entry is still current before treating a hit as confirmed malware delivery.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.34.177.42"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821944/; classtype:trojan-activity;sid:83685044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821949)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"154.0.129.114"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821949/; classtype:trojan-activity;sid:83685049; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.53.164.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821934/; classtype:trojan-activity;sid:83685034; rev:1;)
# From here the URI changes to "/i" (2 bytes, `depth:2; endswith`), matched the same way: the
# whole URI must equal "/i", so a longer path that merely starts with "/i" does not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821860)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.148.18.218"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821860/; 
classtype:trojan-activity;sid:83684960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821839)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.211.153.18"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821839/; classtype:trojan-activity;sid:83684939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821841)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.69.219.25"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821841/; classtype:trojan-activity;sid:83684941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821836)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.242.236"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821836/; classtype:trojan-activity;sid:83684936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821807)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.148.18.220"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821807/; classtype:trojan-activity;sid:83684907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821802)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"197.159.1.58"; depth:12; isdataat:!1,relative; metadata:created_at 
2024_04_22; reference:url, urlhaus.abuse.ch/url/2821802/; classtype:trojan-activity;sid:83684902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821760)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.72.6.218"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821760/; classtype:trojan-activity;sid:83684860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.129.202.197"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821754/; classtype:trojan-activity;sid:83684854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"178.188.30.171"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821737/; classtype:trojan-activity;sid:83684837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821729)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.53.164.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821729/; classtype:trojan-activity;sid:83684829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821718)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"149.255.10.46"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821718/; classtype:trojan-activity;sid:83684818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821711)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.173.173.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821711/; classtype:trojan-activity;sid:83684811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821693)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.5.50.108"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821693/; classtype:trojan-activity;sid:83684793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821676)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.0.129.114"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821676/; classtype:trojan-activity;sid:83684776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.200.106.94"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821660/; classtype:trojan-activity;sid:83684760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821619)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"200.61.163.235"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821619/; classtype:trojan-activity;sid:83684719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"167.250.193.253"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821627/; classtype:trojan-activity;sid:83684727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821616)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.2.237.104"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821616/; classtype:trojan-activity;sid:83684716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821617)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"194.208.56.60"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821617/; classtype:trojan-activity;sid:83684717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2821609)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.211.154.33"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821609/; classtype:trojan-activity;sid:83684709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(2821597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"150.129.202.193"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_22; reference:url, urlhaus.abuse.ch/url/2821597/; classtype:trojan-activity;sid:83684697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818974)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.71.250.6"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818974/; classtype:trojan-activity;sid:83682074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.140.32.219"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818975/; classtype:trojan-activity;sid:83682075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818963)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.164.200.170"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818963/; classtype:trojan-activity;sid:83682063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818966)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.114.191.82"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818966/; classtype:trojan-activity;sid:83682066; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.252.69.92"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818946/; classtype:trojan-activity;sid:83682046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818931)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"92.241.77.214"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818931/; classtype:trojan-activity;sid:83682031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.203.130"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818921/; classtype:trojan-activity;sid:83682021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818904)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.203.142"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818904/; classtype:trojan-activity;sid:83682004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.202.49.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818899/; 
classtype:trojan-activity;sid:83681999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"124.194.46.204"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818833/; classtype:trojan-activity;sid:83681933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818843)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"76.76.195.174"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818843/; classtype:trojan-activity;sid:83681943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"58.145.168.170"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818798/; classtype:trojan-activity;sid:83681898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.26.180.129"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818781/; classtype:trojan-activity;sid:83681881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"82.114.200.50"; depth:13; isdataat:!1,relative; metadata:created_at 
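2024_04_20; reference:url, urlhaus.abuse.ch/url/2818778/; classtype:trojan-activity;sid:83681878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2818758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"2.180.35.231"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_20; reference:url, urlhaus.abuse.ch/url/2818758/; classtype:trojan-activity;sid:83681858; rev:1;)
# Fixed: the generated content carried "|7c|26|7c|", which Suricata decodes to the
# four literal bytes |26| instead of "&" (0x26), so the rule could not match a
# "/uc?export=download&id=..." request, presumably the URL the entry refers to.
# "&" is now written as |26| and depth is the 56-byte pattern length (it was 68,
# the length of the escaped rule text), giving the same exact-URI match
# (depth == pattern length, plus endswith) as the neighbouring rules.
# NOTE(review): this is a local correction to a generated feed. Confirm it against
# the referenced URLhaus entry and report the escaping upstream, otherwise the next
# feed update reverts it. The same double escape appears in the other
# drive.google.com rules of this ruleset.
# drive.google.com is normally reached over HTTPS, so an `alert http` rule only
# sees this request where the sensor inspects decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2817357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1w6j0xeptoliyrblijhnxbm_qnnoptzfw"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_04_18; reference:url, urlhaus.abuse.ch/url/2817357/; classtype:trojan-activity;sid:83680457; rev:1;)
# NOTE(review): github.com is normally reached over HTTPS, so this `alert http`
# rule only fires where the sensor sees decrypted traffic (TLS inspection).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2817239)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pbhhdf/12/raw/main/keepvid-pro_full2578.exe"; depth:44; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_18; reference:url, urlhaus.abuse.ch/url/2817239/; classtype:trojan-activity;sid:83680339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2816728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nel"; depth:4; endswith; nocase; http.host; content:"205.209.114.243"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_18; reference:url, urlhaus.abuse.ch/url/2816728/; classtype:trojan-activity;sid:83679828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2816723)"; 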
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/so"; depth:3; endswith; nocase; http.host; content:"205.209.114.243"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_18; reference:url, urlhaus.abuse.ch/url/2816723/; classtype:trojan-activity;sid:83679823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.12.78.161"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814108/; classtype:trojan-activity;sid:83677208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814109)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.133.214.138"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814109/; classtype:trojan-activity;sid:83677209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2814082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"195.34.91.22"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_16; reference:url, urlhaus.abuse.ch/url/2814082/; classtype:trojan-activity;sid:83677182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813151)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"81.16.247.81"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813151/; classtype:trojan-activity;sid:83676251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (2813146)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"31.210.217.24"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813146/; classtype:trojan-activity;sid:83676246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813137)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"77.89.245.118"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813137/; classtype:trojan-activity;sid:83676237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813111)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"78.29.14.127"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813111/; classtype:trojan-activity;sid:83676211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"46.151.56.42"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813107/; classtype:trojan-activity;sid:83676207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813100)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"118.179.121.235"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813100/; 
classtype:trojan-activity;sid:83676200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.204.154.197"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813069/; classtype:trojan-activity;sid:83676169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813072)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.187.151.107"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813072/; classtype:trojan-activity;sid:83676172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813060)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.77.74.90"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813060/; classtype:trojan-activity;sid:83676160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813049)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.108.84.121"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_15; reference:url, urlhaus.abuse.ch/url/2813049/; classtype:trojan-activity;sid:83676149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2813039)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.92.68.241"; depth:12; isdataat:!1,relative; metadata:created_at 
2024_04_15; reference:url, urlhaus.abuse.ch/url/2813039/; classtype:trojan-activity;sid:83676139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809140)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"202.53.164.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809140/; classtype:trojan-activity;sid:83672240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.49.47.190"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809130/; classtype:trojan-activity;sid:83672230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809132)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.88.180.115"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809132/; classtype:trojan-activity;sid:83672232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809123)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.254.255.246"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809123/; classtype:trojan-activity;sid:83672223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; 
content:"94.251.5.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809089/; classtype:trojan-activity;sid:83672189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2809071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.158.175.214"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2809071/; classtype:trojan-activity;sid:83672171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.57.33.51"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808967/; classtype:trojan-activity;sid:83672067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808957)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"37.157.212.138"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808957/; classtype:trojan-activity;sid:83672057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808948)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.64.210.218"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808948/; classtype:trojan-activity;sid:83672048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808947)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"36.66.139.36"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808947/; classtype:trojan-activity;sid:83672047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808944)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"114.7.160.114"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808944/; classtype:trojan-activity;sid:83672044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808924)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"62.162.113.34"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808924/; classtype:trojan-activity;sid:83672024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.170.116.28"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808928/; classtype:trojan-activity;sid:83672028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"154.84.212.18"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808907/; classtype:trojan-activity;sid:83672007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808886)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"213.6.101.83"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808886/; classtype:trojan-activity;sid:83671986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808880)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"181.48.119.70"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808880/; classtype:trojan-activity;sid:83671980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.16.75.50"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808873/; classtype:trojan-activity;sid:83671973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808854)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"188.44.110.215"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808854/; classtype:trojan-activity;sid:83671954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808855)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"190.12.99.194"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808855/; classtype:trojan-activity;sid:83671955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (2808823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.245.10.51"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808823/; classtype:trojan-activity;sid:83671923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"174.78.254.83"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808829/; classtype:trojan-activity;sid:83671929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"186.154.93.81"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808814/; classtype:trojan-activity;sid:83671914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808792)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808792/; classtype:trojan-activity;sid:83671892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808746)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"79.175.42.206"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808746/; classtype:trojan-activity;sid:83671846; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"179.51.168.26"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808741/; classtype:trojan-activity;sid:83671841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"185.13.221.50"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808731/; classtype:trojan-activity;sid:83671831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"212.237.112.109"; depth:15; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808595/; classtype:trojan-activity;sid:83671695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808599)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"91.92.82.180"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808599/; classtype:trojan-activity;sid:83671699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808575)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"41.190.69.6"; depth:11; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, 
urlhaus.abuse.ch/url/2808575/; classtype:trojan-activity;sid:83671675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"85.187.82.120"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808504/; classtype:trojan-activity;sid:83671604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.90.207.234"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808492/; classtype:trojan-activity;sid:83671592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808467)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"84.242.139.154"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808467/; classtype:trojan-activity;sid:83671567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808448)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"109.92.143.90"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808448/; classtype:trojan-activity;sid:83671548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808416)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"95.170.119.100"; depth:14; 
isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808416/; classtype:trojan-activity;sid:83671516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808421)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"43.249.54.246"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808421/; classtype:trojan-activity;sid:83671521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808373/; classtype:trojan-activity;sid:83671473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808374)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i"; depth:2; endswith; nocase; http.host; content:"98.103.171.36"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808374/; classtype:trojan-activity;sid:83671474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bin.sh"; depth:7; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808242/; classtype:trojan-activity;sid:83671342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808248)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o"; depth:2; 
endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808248/; classtype:trojan-activity;sid:83671348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808187)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.a"; depth:7; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808187/; classtype:trojan-activity;sid:83671287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2808183)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"43.224.0.5"; depth:10; isdataat:!1,relative; metadata:created_at 2024_04_11; reference:url, urlhaus.abuse.ch/url/2808183/; classtype:trojan-activity;sid:83671283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2807492)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ping"; depth:5; endswith; nocase; http.host; content:"2.57.122.121"; depth:12; isdataat:!1,relative; metadata:created_at 2024_04_10; reference:url, urlhaus.abuse.ch/url/2807492/; classtype:trojan-activity;sid:83670592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2799350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1dkj56fnkcbsf3inlqszzm7vpvq3dmdl5"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_04_02; reference:url, urlhaus.abuse.ch/url/2799350/; classtype:trojan-activity;sid:83662450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (2798325)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armv7l"; depth:7; endswith; nocase; http.host; content:"75.119.134.80"; depth:13; isdataat:!1,relative; metadata:created_at 2024_04_01; reference:url, urlhaus.abuse.ch/url/2798325/; classtype:trojan-activity;sid:83661425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2795045)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; endswith; nocase; http.host; content:"metrics.gocloudmaps.com"; depth:23; isdataat:!1,relative; metadata:created_at 2024_03_28; reference:url, urlhaus.abuse.ch/url/2795045/; classtype:trojan-activity;sid:83658145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2793603)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1qxwff0k49bjdhwzotirkvqlqhebzgphg"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_27; reference:url, urlhaus.abuse.ch/url/2793603/; classtype:trojan-activity;sid:83656703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2790578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.index/scan.tar"; depth:16; endswith; nocase; http.host; content:"58.216.207.82"; depth:13; isdataat:!1,relative; metadata:created_at 2024_03_23; reference:url, urlhaus.abuse.ch/url/2790578/; classtype:trojan-activity;sid:83653678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2789249)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1aygcpsnow8esde5bkkuaj0bygkowvttd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; 
depth:16; isdataat:!1,relative; metadata:created_at 2024_03_21; reference:url, urlhaus.abuse.ch/url/2789249/; classtype:trojan-activity;sid:83652349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ykwsyyt/help/hddrive1095_xinanplug3030_20230619_inno.exe"; depth:57; endswith; nocase; http.host; content:"60.22.23.50"; depth:11; isdataat:!1,relative; metadata:created_at 2024_03_20; reference:url, urlhaus.abuse.ch/url/2787791/; classtype:trojan-activity;sid:83650891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787399)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1stvkjdfiwxw79oezmc62wzmjjaeftyze"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_20; reference:url, urlhaus.abuse.ch/url/2787399/; classtype:trojan-activity;sid:83650499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787397)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hditwve1kadzeycbldxttxi4mmhddgyp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_20; reference:url, urlhaus.abuse.ch/url/2787397/; classtype:trojan-activity;sid:83650497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2787024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bash"; depth:5; endswith; nocase; http.host; content:"65.49.44.84"; depth:11; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2787024/; classtype:trojan-activity;sid:83650124; rev:1;) 
# Reading these rules: each one alerts on an established, client-to-server
# HTTP GET from $HOME_NET to $EXTERNAL_NET whose http.uri and http.host both
# match one URLhaus entry. `depth:N; endswith;` anchors the URI pattern to the
# start and the end of the buffer when N equals the pattern length;
# `depth:N; isdataat:!1,relative;` does the same for the host. Only the URI
# match carries `nocase`. One rule per line, as Suricata expects.
#
# URLhaus 2786829 / sid 83649929: Google Drive download link.
# NOTE(review): `|7c|26|7c|` decodes to the four literal bytes "|26|", not to
# "&" (0x26), so the pattern as written is "/uc?export=download|26|id=...".
# This looks like a double-escaped "&" from the feed generator; if so, the rule
# cannot match a URI that carries "&id=". Confirm against the referenced
# URLhaus entry before relying on it.
# NOTE(review): depth:68 is the length of the escaped text; the decoded
# pattern is 59 bytes, so up to 9 bytes may precede it in http.uri.
# NOTE(review): the file id is lower-cased and matched with `nocase`, so other
# upper/lower-case spellings of the id match as well.
# NOTE(review): drive.google.com is normally reached over HTTPS; an
# `alert http` rule only sees the request where TLS is decrypted ahead of
# the sensor, so do not count this rule as coverage without that.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2786829)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1re9cqjrafya6wcb5e0zcolwdorvsf9pi"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2786829/; classtype:trojan-activity;sid:83649929; rev:1;)
# URLhaus 2786663 and 2786661 / sids 83649763, 83649761: two archives served
# from the same repository path on raw.githubusercontent.com.
# NOTE(review): this host is normally HTTPS-only, so the same TLS-visibility
# caveat applies; the host is shared, and only the exact path makes the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2786663)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/washywashy14/7zip-bin/master/win/er5thygfd.zip"; depth:47; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_19; reference:url, urlhaus.abuse.ch/url/2786663/; classtype:trojan-activity;sid:83649763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2786661)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/washywashy14/7zip-bin/master/win/uemlxaw.zip"; depth:45; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_18; reference:url, urlhaus.abuse.ch/url/2786661/; classtype:trojan-activity;sid:83649761; rev:1;)
# URLhaus 2785768 / sid 83648868: shell script on raw.githubusercontent.com.
# NOTE(review): the pattern contains the literal text "%5b" and "%5d".
# http.uri is Suricata's normalized URI buffer (http.uri.raw is the unmodified
# one); if normalization decodes percent-escapes on this sensor, those
# literals will not be present and the rule stays silent. Test with a
# replayed request and check which buffer is intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2785768)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zev3n/ubuntu-gnome-privilege-escalation/main/cve-2020-1612%5b6_7%5d_exploit.sh"; depth:79; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_18; reference:url, urlhaus.abuse.ch/url/2785768/; classtype:trojan-activity;sid:83648868; rev:1;)
# The rule that starts here continues on the next line (URLhaus 2785466,
# sid 83648566). NOTE(review): its http.uri pattern contains literal "%20",
# so the normalized-buffer caveat above applies to it too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (2785466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/licensing/deployment/yellow%20pages%20scraper.exe"; depth:50; endswith; nocase; http.host; content:"www.blackhattoolz.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_03_18; reference:url, urlhaus.abuse.ch/url/2785466/; classtype:trojan-activity;sid:83648566; rev:1;)
# URLhaus 2785447 / sid 83648547: executable on www.blackhattoolz.com, the
# same host as sid 83648566 (the rule ending on the line above).
# NOTE(review): both patterns contain the literal text "%20". http.uri is
# Suricata's normalized URI buffer (http.uri.raw is the unmodified one); if
# normalization decodes percent-escapes on this sensor, "%20" will not be
# present and neither rule fires. Verify with a replayed request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2785447)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/licensing/updates/tinder%20bot.exe"; depth:35; endswith; nocase; http.host; content:"www.blackhattoolz.com"; depth:21; isdataat:!1,relative; metadata:created_at 2024_03_18; reference:url, urlhaus.abuse.ch/url/2785447/; classtype:trojan-activity;sid:83648547; rev:1;)
# URLhaus 2782882 / sid 83645982: exact host + exact path for one executable.
# The match is tied to the Host header value, so a request made to the same
# server by IP address or under another name is not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2782882)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/driveapplet.exe"; depth:16; endswith; nocase; http.host; content:"noithaticon.vn"; depth:14; isdataat:!1,relative; metadata:created_at 2024_03_14; reference:url, urlhaus.abuse.ch/url/2782882/; classtype:trojan-activity;sid:83645982; rev:1;)
# URLhaus 2782434 / sid 83645534: exact host + exact path; the path is two
# opaque identifiers with no file extension, so the rule gives no hint of the
# payload type. Use the URLhaus reference for triage context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2782434)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/17c4755d1d45ed1bb454/8703634058188758823"; depth:41; endswith; nocase; http.host; content:"f24-zfcloud.zdn.vn"; depth:18; isdataat:!1,relative; metadata:created_at 2024_03_13; reference:url, urlhaus.abuse.ch/url/2782434/; classtype:trojan-activity;sid:83645534; rev:1;)
# The rule that starts here continues on the next line (URLhaus 2780273).
# NOTE(review): `|7c|26|7c|` decodes to the literal bytes "|26|", not to "&"
# (0x26). This looks like a double-escaped "&"; if so, the pattern cannot match
# a URI carrying "&id=". Confirm against the referenced URLhaus entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2780273)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ge6chcvywbep4kgx_odpxtvfi3vj-zwy"; depth:68; 
endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_03_11; reference:url, urlhaus.abuse.ch/url/2780273/; classtype:trojan-activity;sid:83643373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2776130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//pcs/click|3f|adurl=//bamautzky.de/red.php"; depth:43; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_03_05; reference:url, urlhaus.abuse.ch/url/2776130/; classtype:trojan-activity;sid:83639230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2772689)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs/met111.sh"; depth:15; endswith; nocase; http.host; content:"106.254.250.98"; depth:14; isdataat:!1,relative; metadata:created_at 2024_02_29; reference:url, urlhaus.abuse.ch/url/2772689/; classtype:trojan-activity;sid:83635789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2769015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calendar/down/jeditor/jeditor.exe"; depth:34; endswith; nocase; http.host; content:"www.ojang.pe.kr"; depth:15; isdataat:!1,relative; metadata:created_at 2024_02_24; reference:url, urlhaus.abuse.ch/url/2769015/; classtype:trojan-activity;sid:83632115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765933)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2024/e_r1.bmp"; depth:33; endswith; nocase; http.host; content:"catbaparadisehotel.com.vn"; depth:25; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765933/; classtype:trojan-activity;sid:83629033; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765626)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hitmanpro.zip"; depth:14; endswith; nocase; http.host; content:"hitman-pro.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765626/; classtype:trojan-activity;sid:83628726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765602)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f||7c|26|7c|adurl=https://patricstoremegans2.com/"; depth:61; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765602/; classtype:trojan-activity;sid:83628702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2765586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2024/e_default.bmp"; depth:38; endswith; nocase; http.host; content:"catbaparadisehotel.com.vn"; depth:25; isdataat:!1,relative; metadata:created_at 2024_02_20; reference:url, urlhaus.abuse.ch/url/2765586/; classtype:trojan-activity;sid:83628686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764512)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86_64"; depth:17; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764512/; classtype:trojan-activity;sid:83627612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764507)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cn/sysnew.i686"; depth:15; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764507/; classtype:trojan-activity;sid:83627607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.mips"; depth:15; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764508/; classtype:trojan-activity;sid:83627608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764509)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764509/; classtype:trojan-activity;sid:83627609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2764511)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.spc"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_19; reference:url, urlhaus.abuse.ch/url/2764511/; classtype:trojan-activity;sid:83627611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2761815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dt9.txt"; depth:8; endswith; nocase; http.host; content:"delp-heizungsbau.de"; depth:19; isdataat:!1,relative; metadata:created_at 2024_02_15; reference:url, urlhaus.abuse.ch/url/2761815/; classtype:trojan-activity;sid:83624915; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754787)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.spc"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754787/; classtype:trojan-activity;sid:83617887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.mips"; depth:15; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754786/; classtype:trojan-activity;sid:83617886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754784/; classtype:trojan-activity;sid:83617884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754785)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.arm"; depth:14; endswith; nocase; http.host; content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754785/; classtype:trojan-activity;sid:83617885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/sysnew.x86_64"; depth:17; endswith; nocase; http.host; 
content:"best.obs.cn-sz1.ctyun.cn"; depth:24; isdataat:!1,relative; metadata:created_at 2024_02_01; reference:url, urlhaus.abuse.ch/url/2754783/; classtype:trojan-activity;sid:83617883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2754299)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1wuy2y3vbxibdfqcs6-kx96nocarzixfd"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_31; reference:url, urlhaus.abuse.ch/url/2754299/; classtype:trojan-activity;sid:83617399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2753677)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//projetodegente.com"; depth:40; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_30; reference:url, urlhaus.abuse.ch/url/2753677/; classtype:trojan-activity;sid:83616777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//higreens.co.in"; depth:36; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_25; reference:url, urlhaus.abuse.ch/url/2751573/; classtype:trojan-activity;sid:83614673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751543)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//kavyasourcing.com/"; depth:40; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_25; reference:url, 
urlhaus.abuse.ch/url/2751543/; classtype:trojan-activity;sid:83614643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751237)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://cliffg.me"; depth:37; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_24; reference:url, urlhaus.abuse.ch/url/2751237/; classtype:trojan-activity;sid:83614337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2751171)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://streammobs.com/"; depth:43; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_24; reference:url, urlhaus.abuse.ch/url/2751171/; classtype:trojan-activity;sid:83614271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749355)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://redeamazoniaazul.org/"; depth:49; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_18; reference:url, urlhaus.abuse.ch/url/2749355/; classtype:trojan-activity;sid:83612455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//www.jd-forever.com/"; depth:41; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_18; reference:url, urlhaus.abuse.ch/url/2749356/; classtype:trojan-activity;sid:83612456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus 
Known malware download URL detected (2749357)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//old.umcl.us/"; depth:34; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_18; reference:url, urlhaus.abuse.ch/url/2749357/; classtype:trojan-activity;sid:83612457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749182)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://wegrowcoaching.com/"; depth:47; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_17; reference:url, urlhaus.abuse.ch/url/2749182/; classtype:trojan-activity;sid:83612282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://dongyu.us/"; depth:38; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_17; reference:url, urlhaus.abuse.ch/url/2749177/; classtype:trojan-activity;sid:83612277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2749054)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1lrviuk1wka4di3qh7ach-b7m1ics2hbp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_16; reference:url, urlhaus.abuse.ch/url/2749054/; classtype:trojan-activity;sid:83612154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748605)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ssslllap1/asdasd/raw/main/crypted.exe"; depth:38; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2024_01_13; reference:url, urlhaus.abuse.ch/url/2748605/; classtype:trojan-activity;sid:83611705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ifvzub1blhmwsirshbe2wu5b1tus3ls-"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748365/; classtype:trojan-activity;sid:83611465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1yydiodtw09banou13ro8ielf9rcmljxy"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748363/; classtype:trojan-activity;sid:83611463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748360)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=11cbyky_wegqjut6afr8jannw7vub-xxf"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748360/; classtype:trojan-activity;sid:83611460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2748349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gv5qahzp_toxgct3ezfvvy4q3a5vvh6s"; depth:68; endswith; nocase; 
http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_12; reference:url, urlhaus.abuse.ch/url/2748349/; classtype:trojan-activity;sid:83611449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//vaibhavtripathi.in"; depth:40; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_10; reference:url, urlhaus.abuse.ch/url/2747896/; classtype:trojan-activity;sid:83610996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//procuratio.nu/"; depth:36; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2024_01_10; reference:url, urlhaus.abuse.ch/url/2747890/; classtype:trojan-activity;sid:83610990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747826)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1u-vaalebjnomuhbyimsdjqctjqfyiwna"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2024_01_10; reference:url, urlhaus.abuse.ch/url/2747826/; classtype:trojan-activity;sid:83610926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2747433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/zpmmtvzq"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_01_08; reference:url, urlhaus.abuse.ch/url/2747433/; 
classtype:trojan-activity;sid:83610533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2746783)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"2.180.35.231"; depth:12; isdataat:!1,relative; metadata:created_at 2024_01_06; reference:url, urlhaus.abuse.ch/url/2746783/; classtype:trojan-activity;sid:83609883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2746751)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/avmezmcr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_01_05; reference:url, urlhaus.abuse.ch/url/2746751/; classtype:trojan-activity;sid:83609851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2746285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/v7jxrycp"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2024_01_04; reference:url, urlhaus.abuse.ch/url/2746285/; classtype:trojan-activity;sid:83609385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2743461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=12rmvuwgpj0dzbb3haoaww2lviavhvb4r"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_22; reference:url, urlhaus.abuse.ch/url/2743461/; classtype:trojan-activity;sid:83606561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2743460)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1rfsmrzeanvap2tnmtwrptlepwarwlkge"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_22; reference:url, urlhaus.abuse.ch/url/2743460/; classtype:trojan-activity;sid:83606560; rev:1;)
# Every rule in this run follows one template: alert on an established, client-to-server
# HTTP GET from $HOME_NET to $EXTERNAL_NET whose URI ends with the listed path (nocase) and
# whose Host buffer is exactly the listed name (depth:N plus isdataat:!1,relative leaves no
# bytes before or after it). The number in msg and the reference URL name the URLhaus entry
# the rule was generated from; the first and last lines of this run are parts of rules that
# continue outside it.
#
# Triage: many hosts below are shared services (drive.google.com, github.com, pastebin.com,
# raw.githubusercontent.com, www.dropbox.com, adclick.g.doubleclick.net). A hit identifies one
# object on that service, not the service itself. These services are normally reached over
# TLS, so an "alert http" rule only sees such a request where the traffic is cleartext or is
# decrypted before it reaches the sensor.
#
# depth on http.uri equals the length of the content as typed, escapes included (48 in the
# next rule for a 45-byte pattern), so it does not pin the match to offset 0; endswith is
# what anchors these URI matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2742817)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://synergyconsulting.us"; depth:48; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_12_20; reference:url, urlhaus.abuse.ch/url/2742817/; classtype:trojan-activity;sid:83605917; rev:1;)
# NOTE(review): in the drive.google.com rules the query separators are written |7c|26|7c|.
# |7c| is the pipe character, so the pattern decodes to the literal bytes "|26|" rather than
# "&" (0x26). This looks like an ampersand that was hex-escaped and then had its pipes
# escaped a second time; if so, a real request ("...export=download&id=...") does not match
# and these rules stay silent. Confirm against the URLhaus entries and report upstream; a
# local edit to a generated feed is lost on the next update.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2742518)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1k0bqhrtnu4v1yexoni5p1utyjuohmfzm"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_19; reference:url, urlhaus.abuse.ch/url/2742518/; classtype:trojan-activity;sid:83605618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2742516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1fhqpevblkipshqumjmsbzeetdzhzxv-j"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_12_19; reference:url, urlhaus.abuse.ch/url/2742516/; classtype:trojan-activity;sid:83605616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2740202)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//balkarsoftware.cubistech.com"; depth:50; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_12_13; reference:url, urlhaus.abuse.ch/url/2740202/; classtype:trojan-activity;sid:83603302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2733212)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=//churchinmanila.org/"; depth:41; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_20; reference:url, urlhaus.abuse.ch/url/2733212/; classtype:trojan-activity;sid:83596312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2730213)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1sjm5t0ktlepibtv3kgaousspnw3zonom"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_13; reference:url, urlhaus.abuse.ch/url/2730213/; classtype:trojan-activity;sid:83593313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2730069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cronusxd/update/releases/download/programa/universal.cheat.all.games.rar"; depth:73; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2023_11_12; reference:url, urlhaus.abuse.ch/url/2730069/; classtype:trojan-activity;sid:83593169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2729736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://posicionamientonatural.es/"; depth:54; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_10; reference:url, urlhaus.abuse.ch/url/2729736/; classtype:trojan-activity;sid:83592836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2729405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pcs/click|3f|adurl=https://namaacont.com/"; depth:42; endswith; nocase; http.host; content:"adclick.g.doubleclick.net"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_09; reference:url, urlhaus.abuse.ch/url/2729405/; classtype:trojan-activity;sid:83592505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2728799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/wfwtp8qn"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_11_07; reference:url, urlhaus.abuse.ch/url/2728799/; classtype:trojan-activity;sid:83591899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2727395)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/frankcastle2/0/main/0j"; depth:23; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2023_11_03; reference:url, urlhaus.abuse.ch/url/2727395/; classtype:trojan-activity;sid:83590495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726994)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1lhnnwoydntgqibsykxwgd32s5xftxvfh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726994/; classtype:trojan-activity;sid:83590094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726921)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1oxpqeutyreby186exx4zeofyz0rjocsp"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726921/; classtype:trojan-activity;sid:83590021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726920)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1e2y5yppu_zjj4o3wmuo-2j8n9lbthkzc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726920/; classtype:trojan-activity;sid:83590020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726917)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1heka7sgmbcessdhxtvmfwxownz7sipbb"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726917/; classtype:trojan-activity;sid:83590017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726906)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1_ldguopt2cg7fblntw3ltxgtxqtmlflc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726906/; classtype:trojan-activity;sid:83590006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=10lygpyju_dlg3x6r9oslzgblshakstl-"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_11_01; reference:url, urlhaus.abuse.ch/url/2726907/; classtype:trojan-activity;sid:83590007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726777)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1sqvm1xsoranfnvqst_kkdmn8yhgulm4k"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_31; reference:url, urlhaus.abuse.ch/url/2726777/; classtype:trojan-activity;sid:83589877; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726774)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1cz1lqyxis4wvr7nlc71ukekxyhj5xu-l"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_31; reference:url, urlhaus.abuse.ch/url/2726774/; classtype:trojan-activity;sid:83589874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726592)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1zqzivoxid6wgvjstzd0lg2vxnpnc-puf"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_30; reference:url, urlhaus.abuse.ch/url/2726592/; classtype:trojan-activity;sid:83589692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726432)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drakeo03/rbxfpsunlocker-x64-hotfix1/zip/refs/heads/main"; depth:56; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2023_10_28; reference:url, urlhaus.abuse.ch/url/2726432/; classtype:trojan-activity;sid:83589532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2726089)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gfn3lqd1rvybut4ha-ldl92wt8ysrzfc"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_26; reference:url, urlhaus.abuse.ch/url/2726089/; classtype:trojan-activity;sid:83589189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2722703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image.png"; depth:10; endswith; nocase; http.host; content:"ircftp.net"; depth:10; isdataat:!1,relative; metadata:created_at 2023_10_20; reference:url, urlhaus.abuse.ch/url/2722703/; classtype:trojan-activity;sid:83585803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2720967)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"95.229.5.214"; depth:12; isdataat:!1,relative; metadata:created_at 2023_10_16; reference:url, urlhaus.abuse.ch/url/2720967/; classtype:trojan-activity;sid:83584067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2720935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"221.152.81.125"; depth:14; isdataat:!1,relative; metadata:created_at 2023_10_16; reference:url, urlhaus.abuse.ch/url/2720935/; classtype:trojan-activity;sid:83584035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2719389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1satmexzn3qpvqzfxnc-5dtnnn8lihdxh"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_12; reference:url, urlhaus.abuse.ch/url/2719389/; classtype:trojan-activity;sid:83582489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2715548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|confirm=no_antivirus|7c|26|7c|id=1-5tfbyc52tepabxjdszg1dcqgaizf0m6"; depth:98; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_10_01; reference:url, urlhaus.abuse.ch/url/2715548/; classtype:trojan-activity;sid:83578648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2713056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rter/"; depth:6; endswith; nocase; http.host; content:"tanscarattorneys.co.tz"; depth:22; isdataat:!1,relative; metadata:created_at 2023_09_21; reference:url, urlhaus.abuse.ch/url/2713056/; classtype:trojan-activity;sid:83576156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2708874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/readme.txt"; depth:11; endswith; nocase; http.host; content:"svirtual.sanviatorperu.edu.pe"; depth:29; isdataat:!1,relative; metadata:created_at 2023_09_01; reference:url, urlhaus.abuse.ch/url/2708874/; classtype:trojan-activity;sid:83571974; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2702776)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/scler.ttf"; depth:19; endswith; nocase; http.host; content:"scainseto.com.br"; depth:16; isdataat:!1,relative; metadata:created_at 2023_08_08; reference:url, urlhaus.abuse.ch/url/2702776/; classtype:trojan-activity;sid:83565876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2694556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2/plain-sunset-8e5d78/original/js.jpeg"; depth:40; endswith; nocase; http.host; content:"cdn.pixelbin.io"; depth:15; isdataat:!1,relative; metadata:created_at 2023_08_01; reference:url, urlhaus.abuse.ch/url/2694556/; classtype:trojan-activity;sid:83557656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2693150)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/housenetshare.exe"; depth:18; endswith; nocase; http.host; content:"stdown.dinju.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_07_31; reference:url, urlhaus.abuse.ch/url/2693150/; classtype:trojan-activity;sid:83556250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2692699)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2/long-glade-33dc08/original/rump_img.jpeg"; depth:44; endswith; nocase; http.host; content:"cdn.pixelbin.io"; depth:15; isdataat:!1,relative; metadata:created_at 2023_07_30; reference:url, urlhaus.abuse.ch/url/2692699/; classtype:trojan-activity;sid:83555799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2686558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jc80ycae"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_07_20; reference:url, urlhaus.abuse.ch/url/2686558/; classtype:trojan-activity;sid:83549658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2682035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"59.7.131.145"; depth:12; isdataat:!1,relative; metadata:created_at 2023_07_13; reference:url, urlhaus.abuse.ch/url/2682035/; classtype:trojan-activity;sid:83545135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2677884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/a.exe"; depth:15; endswith; nocase; http.host; content:"api.baimless.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_07_07; reference:url, urlhaus.abuse.ch/url/2677884/; classtype:trojan-activity;sid:83540984; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2629977)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|confirm=t|7c|26|7c|id=145b1fbjtyee3w1rjsazo7hzcoiiaxzum|7c|26|7c|uuid=eb581596-9566-4a21-b3b6-e6909eb42ff6|7c|26|7c|at=akkf8vzrltviqrn7wljfjcwisgcc:1683793107077"; depth:193; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2023_05_11; reference:url, urlhaus.abuse.ch/url/2629977/; classtype:trojan-activity;sid:83493077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2615314)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"194.208.56.60"; depth:13; isdataat:!1,relative; metadata:created_at 2023_04_21; reference:url, urlhaus.abuse.ch/url/2615314/; classtype:trojan-activity;sid:83478414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2602547)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/mdpqv8gx"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_04_08; reference:url, urlhaus.abuse.ch/url/2602547/; classtype:trojan-activity;sid:83465647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2587598)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jtx57kpr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_27; reference:url, urlhaus.abuse.ch/url/2587598/; classtype:trojan-activity;sid:83450698; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2581006)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/salatikochen/salatapps/archive/refs/heads/main.zip"; depth:51; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2023_03_22; reference:url, urlhaus.abuse.ch/url/2581006/; classtype:trojan-activity;sid:83444106; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2579753)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/fu3d5tvi"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_21; reference:url, urlhaus.abuse.ch/url/2579753/; classtype:trojan-activity;sid:83442853; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2573934)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/4jusqzvd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_16; reference:url, urlhaus.abuse.ch/url/2573934/; classtype:trojan-activity;sid:83437034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2573741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rid/rid.js"; depth:11; endswith; nocase; http.host; content:"jawaratekno.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_16; reference:url, urlhaus.abuse.ch/url/2573741/; classtype:trojan-activity;sid:83436841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2573712)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cor/cor.js"; depth:11; endswith; nocase; http.host; content:"swiftfusion.tech"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_16; reference:url, urlhaus.abuse.ch/url/2573712/; classtype:trojan-activity;sid:83436812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2572493)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nti/nti.js"; depth:11; endswith; nocase; http.host; content:"shaderm.com"; depth:11; isdataat:!1,relative; metadata:created_at 2023_03_15; reference:url, urlhaus.abuse.ch/url/2572493/; classtype:trojan-activity;sid:83435593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571476)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"riderspin.com"; depth:13; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571476/; classtype:trojan-activity;sid:83434576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571457)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"estudio.ythan.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571457/; classtype:trojan-activity;sid:83434557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571417)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"admin.byte.in.ua"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571417/; classtype:trojan-activity;sid:83434517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571410)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"riderspin.com"; depth:13; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571410/; classtype:trojan-activity;sid:83434510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571398)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"records.dennisign.se"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571398/; classtype:trojan-activity;sid:83434498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"donkeytourscroatia.com"; depth:22; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571387/; classtype:trojan-activity;sid:83434487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571356)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"estudio.ythan.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571356/; classtype:trojan-activity;sid:83434456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571162)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"admin.byte.in.ua"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571162/; classtype:trojan-activity;sid:83434262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"records.dennisign.se"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571158/; classtype:trojan-activity;sid:83434258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571152)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"cfu.twr.mybluehost.me"; depth:21; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571152/; classtype:trojan-activity;sid:83434252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571135)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"donkeytourscroatia.com"; depth:22; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571135/; classtype:trojan-activity;sid:83434235; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571043)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"donkeytourscroatia.com"; depth:22; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571043/; classtype:trojan-activity;sid:83434143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2571034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"estudio.ythan.com.br"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2571034/; classtype:trojan-activity;sid:83434134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"riderspin.com"; depth:13; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570990/; classtype:trojan-activity;sid:83434090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570844)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"derekludlow.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570844/; classtype:trojan-activity;sid:83433944; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570732)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"cfu.twr.mybluehost.me"; depth:21; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570732/; classtype:trojan-activity;sid:83433832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"admin.byte.in.ua"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570642/; classtype:trojan-activity;sid:83433742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"embedone.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570563/; classtype:trojan-activity;sid:83433663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/connect/"; depth:9; endswith; nocase; http.host; content:"derekludlow.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570545/; classtype:trojan-activity;sid:83433645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570501)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"records.dennisign.se"; depth:20; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570501/; classtype:trojan-activity;sid:83433601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scarica/"; depth:9; endswith; nocase; http.host; content:"cfu.twr.mybluehost.me"; depth:21; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570474/; classtype:trojan-activity;sid:83433574; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570386)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agenzia/"; depth:9; endswith; nocase; http.host; content:"derekludlow.com"; depth:15; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570386/; classtype:trojan-activity;sid:83433486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2570124)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oia/oia.js"; depth:11; endswith; nocase; http.host; content:"shreesaiseva.org"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_14; reference:url, urlhaus.abuse.ch/url/2570124/; classtype:trojan-activity;sid:83433224; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2568876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teev/teev.js"; depth:13; endswith; nocase; http.host; content:"nusatoyota.co.id"; depth:16; isdataat:!1,relative; metadata:created_at 2023_03_13; reference:url, urlhaus.abuse.ch/url/2568876/; classtype:trojan-activity;sid:83431976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2568823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gcn/gcn.js"; depth:11; endswith; nocase; http.host; content:"spoar.org.in"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_13; reference:url, urlhaus.abuse.ch/url/2568823/; classtype:trojan-activity;sid:83431923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2555339)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rn8tlx2e"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_03_02; reference:url, urlhaus.abuse.ch/url/2555339/; classtype:trojan-activity;sid:83418439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2545788)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tedburke/commandcam/archive/refs/heads/master.zip"; depth:50; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2023_02_20; reference:url, urlhaus.abuse.ch/url/2545788/; classtype:trojan-activity;sid:83408888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2540034)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unlockteame/unlimited/zip/refs/heads/main"; depth:42; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2023_02_14; reference:url, urlhaus.abuse.ch/url/2540034/; classtype:trojan-activity;sid:83403134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2533240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/bztvxkzb"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_02_07; reference:url, urlhaus.abuse.ch/url/2533240/; classtype:trojan-activity;sid:83396340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2502405)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/tgp9td9z"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2023_01_09; reference:url, urlhaus.abuse.ch/url/2502405/; classtype:trojan-activity;sid:83365505; rev:1;)
# NOTE(review): the next two rules match a literal "%20" in http.uri. http.uri is the
# normalized URI buffer, which per the Suricata documentation has %20 converted to a space,
# so the encoded form would only be visible in http.uri.raw. Confirm on the sensor whether
# these two rules can fire as written.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2440082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/raw/master/discord%20rat/resources/token%20grabber.dll"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_11_30; reference:url, urlhaus.abuse.ch/url/2440082/; classtype:trojan-activity;sid:83303182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2440081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moom825/discord-rat-2.0/raw/master/discord%20rat/resources/passwordstealer.dll"; depth:79; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_11_30; reference:url, urlhaus.abuse.ch/url/2440081/; classtype:trojan-activity;sid:83303181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2425972)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|confirm=no_antivirus|7c|26|7c|id=1cpaqimeblbmxrxoli6d3cczgkrbzpy8_"; depth:98; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2022_11_18; reference:url, urlhaus.abuse.ch/url/2425972/; classtype:trojan-activity;sid:83289072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2408069)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/zy5ntk/"; depth:18; endswith; nocase; http.host; content:"fromthetrenchesworldreport.com"; depth:30; isdataat:!1,relative; metadata:created_at 2022_11_11; reference:url, urlhaus.abuse.ch/url/2408069/; classtype:trojan-activity;sid:83271169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2406761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/wpoxoxqe2in4fju/doc7november00065.js"; depth:42; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2022_11_10; reference:url, urlhaus.abuse.ch/url/2406761/; classtype:trojan-activity;sid:83269861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2403614)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/uuja3km9"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_11_07; reference:url, urlhaus.abuse.ch/url/2403614/; classtype:trojan-activity;sid:83266714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2399181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/nrhtc20u"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_11_03; reference:url, urlhaus.abuse.ch/url/2399181/; classtype:trojan-activity;sid:83262281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2388056)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/j5nyvlbz"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_10_27; reference:url, urlhaus.abuse.ch/url/2388056/; classtype:trojan-activity;sid:83251156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2376908)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/hf1kfswr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_10_18; reference:url, urlhaus.abuse.ch/url/2376908/; classtype:trojan-activity;sid:83240008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2314671)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/8v775ivv"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_09_26; reference:url, urlhaus.abuse.ch/url/2314671/; classtype:trojan-activity;sid:83177771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2302899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/janchuk/voidrat/raw/master/voidrat.exe"; depth:39; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_09_14; reference:url, urlhaus.abuse.ch/url/2302899/; classtype:trojan-activity;sid:83165999; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2300014)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/gxkzk3ds"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_09_12; reference:url, urlhaus.abuse.ch/url/2300014/; classtype:trojan-activity;sid:83163114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2276646)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ujztrvsh"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_08_24; reference:url, urlhaus.abuse.ch/url/2276646/; classtype:trojan-activity;sid:83139746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2276221)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jstt4bu3"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_08_23; reference:url, urlhaus.abuse.ch/url/2276221/; classtype:trojan-activity;sid:83139321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2253550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ib64cptx"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_07_03; reference:url, urlhaus.abuse.ch/url/2253550/; classtype:trojan-activity;sid:83116650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2253210)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/rwrja2sz"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_07_02; reference:url, urlhaus.abuse.ch/url/2253210/; classtype:trojan-activity;sid:83116310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2246139)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"178.219.38.228"; depth:14; isdataat:!1,relative; metadata:created_at 2022_06_20; reference:url, urlhaus.abuse.ch/url/2246139/; classtype:trojan-activity;sid:83109239; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2241008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ty045yct"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_06_16; 
reference:url, urlhaus.abuse.ch/url/2241008/; classtype:trojan-activity;sid:83104108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2237175)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cg100/cg100.exe"; depth:16; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_06_14; reference:url, urlhaus.abuse.ch/url/2237175/; classtype:trojan-activity;sid:83100275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2237174)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgmb/benzmonster.exe"; depth:21; endswith; nocase; http.host; content:"update.cg100iii.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_06_14; reference:url, urlhaus.abuse.ch/url/2237174/; classtype:trojan-activity;sid:83100274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2230406)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/down/newsales/adm_atu.exe"; depth:26; endswith; nocase; http.host; content:"palharesinformatica.com.br"; depth:26; isdataat:!1,relative; metadata:created_at 2022_06_08; reference:url, urlhaus.abuse.ch/url/2230406/; classtype:trojan-activity;sid:83093506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2171312)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/ozrw36a2y1ch2cluzy/"; depth:44; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; metadata:created_at 2022_04_29; reference:url, urlhaus.abuse.ch/url/2171312/; classtype:trojan-activity;sid:83034412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2164668)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/uadjw/"; depth:31; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; metadata:created_at 2022_04_26; reference:url, urlhaus.abuse.ch/url/2164668/; classtype:trojan-activity;sid:83027768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2160868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atm/u7/gf/sqmjjkgf.zip"; depth:23; endswith; nocase; http.host; content:"cloudnewsfeed.com"; depth:17; isdataat:!1,relative; metadata:created_at 2022_04_23; reference:url, urlhaus.abuse.ch/url/2160868/; classtype:trojan-activity;sid:83023968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2135884)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/herrldgm"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_04_07; reference:url, urlhaus.abuse.ch/url/2135884/; classtype:trojan-activity;sid:82998984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2124302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmrig/xmrig/releases/download/v6.10.0/xmrig-6.10.0-linux-static-x64.tar.gz"; depth:75; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2022_03_31; reference:url, urlhaus.abuse.ch/url/2124302/; classtype:trojan-activity;sid:82987402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2119354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/3cxmq4uaxy/"; depth:36; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; 
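metadata:created_at 2022_03_29; reference:url, urlhaus.abuse.ch/url/2119354/; classtype:trojan-activity;sid:82982454; rev:1;)
# Each rule below alerts on one GET request whose URI and Host both equal a single URLhaus-listed
# download URL: content + depth + endswith pins the URI, content + depth + isdataat:!1,relative pins the Host.
# Fixed (sid:82982453): depth was 43, the length of the escaped text; the decoded content is 40 bytes
# ("|3f|" is one byte), so depth:40 keeps the match anchored at the first byte of the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2119353)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verkaufsberater_service/3cxmq4uaxy/|3f|i=1"; depth:40; endswith; nocase; http.host; content:"farschid.de"; depth:11; isdataat:!1,relative; metadata:created_at 2022_03_29; reference:url, urlhaus.abuse.ch/url/2119353/; classtype:trojan-activity;sid:82982453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2114263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/yjmqxmidki/a/hyehwggs.ps1"; depth:45; endswith; nocase; http.host; content:"trtmyanmar.com"; depth:14; isdataat:!1,relative; metadata:created_at 2022_03_24; reference:url, urlhaus.abuse.ch/url/2114263/; classtype:trojan-activity;sid:82977363; rev:1;)
# NOTE(review): nocase against a lowercased paste id also matches ids that differ only in letter case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2098517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/znbskzzj"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2022_03_15; reference:url, urlhaus.abuse.ch/url/2098517/; classtype:trojan-activity;sid:82961617; rev:1;)
# Fixed (sid:82949335): the generated content carried "|7c|26|7c|", which Suricata reads as the four
# literal bytes "|26|" rather than "&" (0x26), so the query string of the listed URL could not match.
# It is now "|26|", and depth is the decoded length (56) so the match stays anchored at the start of
# the URI. sid and rev are left as published; the feed generator presumably double-escapes "&", so
# report it upstream - a feed refresh will likely overwrite this local correction.
# This is an "alert http" rule: it sees the request only in plaintext or decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2086235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|26|id=1gvnzexvvs3vpv0-ihflwnmzmhij3qqly"; depth:56; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2022_03_09; reference:url, urlhaus.abuse.ch/url/2086235/; classtype:trojan-activity;sid:82949335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus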
Known malware download URL detected (2053942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zp-user/protected%20client.js"; depth:30; endswith; nocase; http.host; content:"dreamwatchevent.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_02_22; reference:url, urlhaus.abuse.ch/url/2053942/; classtype:trojan-activity;sid:82917042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2021799)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/src/js/scripts/gallery/photo-swipe/retraction.php"; depth:50; endswith; nocase; http.host; content:"acms.saleseos.com"; depth:17; isdataat:!1,relative; metadata:created_at 2022_02_01; reference:url, urlhaus.abuse.ch/url/2021799/; classtype:trojan-activity;sid:82884899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2021757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/src/js/scripts/gallery/photo-swipe/highlight.php"; depth:49; endswith; nocase; http.host; content:"acms.saleseos.com"; depth:17; isdataat:!1,relative; metadata:created_at 2022_02_01; reference:url, urlhaus.abuse.ch/url/2021757/; classtype:trojan-activity;sid:82884857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2021704)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/src/js/scripts/gallery/photo-swipe/zany.php"; depth:44; endswith; nocase; http.host; content:"acms.saleseos.com"; depth:17; isdataat:!1,relative; metadata:created_at 2022_02_01; reference:url, urlhaus.abuse.ch/url/2021704/; classtype:trojan-activity;sid:82884804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2019378)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/public/userbackend/plugins/dropzone/min/tautly.php"; depth:51; endswith; nocase; http.host; content:"theholidayroads.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_01_31; reference:url, urlhaus.abuse.ch/url/2019378/; classtype:trojan-activity;sid:82882478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2019365)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/public/userbackend/plugins/dropzone/min/knave.php"; depth:50; endswith; nocase; http.host; content:"theholidayroads.com"; depth:19; isdataat:!1,relative; metadata:created_at 2022_01_31; reference:url, urlhaus.abuse.ch/url/2019365/; classtype:trojan-activity;sid:82882465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2008130)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/development/public/uploads/images/categories/beirut.php"; depth:56; endswith; nocase; http.host; content:"www.crazywickedaddiction.com"; depth:28; isdataat:!1,relative; metadata:created_at 2022_01_27; reference:url, urlhaus.abuse.ch/url/2008130/; classtype:trojan-activity;sid:82871230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (2008131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/belt.php"; depth:9; endswith; nocase; http.host; content:"forms.saurashtrauniversity.edu"; depth:30; isdataat:!1,relative; metadata:created_at 2022_01_27; reference:url, urlhaus.abuse.ch/url/2008131/; classtype:trojan-activity;sid:82871231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891112)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/honduras.php"; depth:13; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 
2021_12_16; reference:url, urlhaus.abuse.ch/url/1891112/; classtype:trojan-activity;sid:82754212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891066)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/searching.php"; depth:14; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1891066/; classtype:trojan-activity;sid:82754166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets2/theme/css/linearization.php"; depth:36; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1891070/; classtype:trojan-activity;sid:82754170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1891071)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wrongdoer.php"; depth:14; endswith; nocase; http.host; content:"xenon.studio"; depth:12; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1891071/; classtype:trojan-activity;sid:82754171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1890257)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/crypta.js"; depth:14; endswith; nocase; http.host; content:"reauthenticator.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_12_16; reference:url, urlhaus.abuse.ch/url/1890257/; classtype:trojan-activity;sid:82753357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888166)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/actionably.php"; depth:15; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888166/; classtype:trojan-activity;sid:82751266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888158)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/revslider/templates/360panorama/philip.php"; depth:62; endswith; nocase; http.host; content:"aakrutitexture.in"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888158/; classtype:trojan-activity;sid:82751258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888149)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/roughness.php"; depth:14; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888149/; classtype:trojan-activity;sid:82751249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888138)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/revslider/templates/360panorama/qualm.php"; depth:61; endswith; nocase; http.host; content:"aakrutitexture.in"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888138/; classtype:trojan-activity;sid:82751238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/redesign.php"; depth:13; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; 
reference:url, urlhaus.abuse.ch/url/1888114/; classtype:trojan-activity;sid:82751214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888115)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antienuretic.php"; depth:17; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888115/; classtype:trojan-activity;sid:82751215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888106)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fizz.php"; depth:9; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888106/; classtype:trojan-activity;sid:82751206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888108)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/revslider/templates/360panorama/welder.php"; depth:62; endswith; nocase; http.host; content:"aakrutitexture.in"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888108/; classtype:trojan-activity;sid:82751208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888086)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/designer.php"; depth:13; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888086/; classtype:trojan-activity;sid:82751186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888072)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/revslider/templates/360panorama/buried.php"; depth:62; endswith; nocase; http.host; content:"aakrutitexture.in"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888072/; classtype:trojan-activity;sid:82751172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888081)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/conditioner.php"; depth:16; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888081/; classtype:trojan-activity;sid:82751181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888082)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unthinkably.php"; depth:16; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888082/; classtype:trojan-activity;sid:82751182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888084)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unexplainable.php"; depth:18; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1888084/; classtype:trojan-activity;sid:82751184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1888085)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whiz.php"; depth:9; endswith; nocase; http.host; content:"kramersmarionnettes.com"; depth:23; isdataat:!1,relative; metadata:created_at 
2021_12_15; reference:url, urlhaus.abuse.ch/url/1888085/; classtype:trojan-activity;sid:82751185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1887928)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/revslider/templates/360panorama/carbolic.php"; depth:64; endswith; nocase; http.host; content:"aakrutitexture.in"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1887928/; classtype:trojan-activity;sid:82751028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1887909)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/revslider/templates/360panorama/luckily.php"; depth:63; endswith; nocase; http.host; content:"aakrutitexture.in"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_15; reference:url, urlhaus.abuse.ch/url/1887909/; classtype:trojan-activity;sid:82751009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1840623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/t7scuzy/"; depth:21; endswith; nocase; http.host; content:"apple-service93.ru"; depth:18; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1840623/; classtype:trojan-activity;sid:82703723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1839258)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shopped.php"; depth:12; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839258/; classtype:trojan-activity;sid:82702358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (1839238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accumulation.php"; depth:17; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839238/; classtype:trojan-activity;sid:82702338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1839240)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scuffler.php"; depth:13; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839240/; classtype:trojan-activity;sid:82702340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1839228)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sublimely.php"; depth:14; endswith; nocase; http.host; content:"muledo.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_12_01; reference:url, urlhaus.abuse.ch/url/1839228/; classtype:trojan-activity;sid:82702328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838316)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ticketing.php"; depth:14; endswith; nocase; http.host; content:"beoauto.alexion.rs"; depth:18; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838316/; classtype:trojan-activity;sid:82701416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complicate.php"; depth:15; endswith; nocase; http.host; content:"beoauto.alexion.rs"; depth:18; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, 
urlhaus.abuse.ch/url/1838317/; classtype:trojan-activity;sid:82701417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blend.php"; depth:10; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838306/; classtype:trojan-activity;sid:82701406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gastric.php"; depth:12; endswith; nocase; http.host; content:"beoauto.alexion.rs"; depth:18; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838289/; classtype:trojan-activity;sid:82701389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flyer.php"; depth:10; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838275/; classtype:trojan-activity;sid:82701375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838242)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/warmhearted.php"; depth:16; endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838242/; classtype:trojan-activity;sid:82701342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1838244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/daydream.php"; depth:13; 
endswith; nocase; http.host; content:"greenf.alexion.rs"; depth:17; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1838244/; classtype:trojan-activity;sid:82701344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1837873)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/investigative.php"; depth:18; endswith; nocase; http.host; content:"muledo.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_11_30; reference:url, urlhaus.abuse.ch/url/1837873/; classtype:trojan-activity;sid:82700973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1809781)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/libraries/vendor/joomla/registry/src/format/pinafore.php"; depth:57; endswith; nocase; http.host; content:"ukguk71.ru"; depth:10; isdataat:!1,relative; metadata:created_at 2021_11_23; reference:url, urlhaus.abuse.ch/url/1809781/; classtype:trojan-activity;sid:82672881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1778573)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/c91fwnb0"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_11_12; reference:url, urlhaus.abuse.ch/url/1778573/; classtype:trojan-activity;sid:82641673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1773622)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/semitrailer.php"; depth:16; endswith; nocase; http.host; content:"muledo.com"; depth:10; isdataat:!1,relative; metadata:created_at 2021_11_10; reference:url, urlhaus.abuse.ch/url/1773622/; classtype:trojan-activity;sid:82636722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
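(msg:"URLhaus Known malware download URL detected (1761107)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/svr_netchecker/server.asp|3f|v_command=3002|26|v_progname=sjptmanagerlauncher.exe"; depth:76; endswith; nocase; http.host; content:"server.toeicswt.co.kr"; depth:21; isdataat:!1,relative; metadata:created_at 2021_11_07; reference:url, urlhaus.abuse.ch/url/1761107/; classtype:trojan-activity;sid:82624207; rev:1;)
# Fixed in the rule that ends on the line above (sid:82624207): the generated content carried
# "|7c|26|7c|", which Suricata reads as the four literal bytes "|26|" rather than "&" (0x26), so the
# query string of the listed URL could not match. It is now "|26|", and depth is the decoded length
# (76) so the match stays anchored at the start of the URI. sid and rev are left as published; the
# feed generator presumably double-escapes "&", so report it upstream - a feed refresh will likely
# overwrite this local correction.
# Each rule below alerts on one GET request whose URI and Host both equal a single URLhaus-listed
# download URL: content + depth + endswith pins the URI, content + depth + isdataat:!1,relative pins the Host.
# NOTE(review): nocase against a lowercased paste id also matches ids that differ only in letter case.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1751625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/ywjkrwem"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_11_04; reference:url, urlhaus.abuse.ch/url/1751625/; classtype:trojan-activity;sid:82614725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1744285)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chimney.php"; depth:12; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1744285/; classtype:trojan-activity;sid:82607385; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1743733)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zoologies.php"; depth:14; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1743733/; classtype:trojan-activity;sid:82606833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1743650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toggle.php"; depth:11; endswith; nocase; http.host;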
content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1743650/; classtype:trojan-activity;sid:82606750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1743660)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unplug.php"; depth:11; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_11_03; reference:url, urlhaus.abuse.ch/url/1743660/; classtype:trojan-activity;sid:82606760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1728024)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/egenyqrk"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_29; reference:url, urlhaus.abuse.ch/url/1728024/; classtype:trojan-activity;sid:82591124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1727038)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/nwj3nqw2"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_29; reference:url, urlhaus.abuse.ch/url/1727038/; classtype:trojan-activity;sid:82590138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1720508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/medialibrary/012/chaperon.php"; depth:37; endswith; nocase; http.host; content:"shop.mediasova.ru"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_27; reference:url, urlhaus.abuse.ch/url/1720508/; classtype:trojan-activity;sid:82583608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known 
malware download URL detected (1704978)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=04a3894062e7d373|7c|26|7c|resid=4a3894062e7d373%21192|7c|26|7c|authkey=ab7i1w77n6tsb3m"; depth:103; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_21; reference:url, urlhaus.abuse.ch/url/1704978/; classtype:trojan-activity;sid:82568078; rev:1;)
# NOTE(review): "|7c|26|7c|" decodes to the four literal bytes |26| (0x7c is "|"), not to
# 0x26 ("&"). It looks as if an "&" separator was hex-escaped twice when the rule was
# generated (TODO confirm against the URLhaus entry); if the real URL uses "&", this
# content cannot match it.
# depth:103 is the character count of the escaped string; the decoded pattern is 88 bytes,
# so depth plus endswith does not pin the match to offset 0 of http.uri here.
# "%21" is matched as three literal characters; whether http.uri still carries it
# percent-encoded depends on the sensor's URI normalization (verify with a test capture).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1695302)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=07e7986a5bf9243c|7c|26|7c|resid=7e7986a5bf9243c%21490|7c|26|7c|authkey=abhawhbvtpoyc2a"; depth:103; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_19; reference:url, urlhaus.abuse.ch/url/1695302/; classtype:trojan-activity;sid:82558402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1681096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/htylx0l1"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_15; reference:url, urlhaus.abuse.ch/url/1681096/; classtype:trojan-activity;sid:82544196; rev:1;)
# Here depth equals the content length on both buffers, so together with endswith and
# isdataat:!1,relative the rule matches only when URI and host equal the listed strings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1678523)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/vltktanthutn.exe"; depth:24; endswith; nocase; http.host; content:"kimyen.net"; depth:10; isdataat:!1,relative; metadata:created_at 2021_10_14; reference:url, urlhaus.abuse.ch/url/1678523/; classtype:trojan-activity;sid:82541623; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1668138)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/raw/2a3tx7hd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_10_11; reference:url, urlhaus.abuse.ch/url/1668138/; classtype:trojan-activity;sid:82531238; rev:1;)
# NOTE(review): each "|7c|26|7c|" below is the literal text |26|, not the byte 0x26 ("&");
# presumably a double-escaped "&" (TODO confirm). As written the rule only matches a URI
# that contains the characters |26| between its parameters. depth:118 counts the escaped
# characters; the decoded pattern is 97 bytes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1658131)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=539bd593e9568c65|7c|26|7c|resid=539bd593e9568c65%21136|7c|26|7c|authkey=aepr2tr-q36tt8u|7c|26|7c|em=2"; depth:118; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_06; reference:url, urlhaus.abuse.ch/url/1658131/; classtype:trojan-activity;sid:82521231; rev:1;)
# NOTE(review): the path reads like a software update endpoint; a hit may come from an
# installed updater rather than a user download (inferred from the path only; check the
# reference entry and the requesting process or user agent).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1657096)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/ana/update.exe"; depth:22; endswith; nocase; http.host; content:"www.teknoarge.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_10_06; reference:url, urlhaus.abuse.ch/url/1657096/; classtype:trojan-activity;sid:82520196; rev:1;)
# Same |26| caveat as above: depth:68 against a 59-byte decoded pattern. The file id is
# also lower-cased and matched with nocase, so it is not a case-exact identifier.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1647561)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=12ma_yvbmprts6e_vkfnmwikrnwsarqbw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_29; reference:url, urlhaus.abuse.ch/url/1647561/; classtype:trojan-activity;sid:82510661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1641460)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/uploads/2021/01/stored.php"; depth:38; endswith; nocase; http.host; content:"easybrand.vn"; depth:12; 
isdataat:!1,relative; metadata:created_at 2021_09_23; reference:url, urlhaus.abuse.ch/url/1641460/; classtype:trojan-activity;sid:82504560; rev:1;)
# NOTE(review): the parameter separators are encoded as "|7c|26|7c|", i.e. the literal
# characters |26| rather than "&" (0x26). Unless the listed URL really contains |26|
# (TODO confirm), this signature cannot fire. The host is also normally HTTPS-only
# (assumption), so http rules need decrypted traffic to see the request at all.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1640507)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download|3f|cid=2cc133e5e8e9b372|7c|26|7c|resid=2cc133e5e8e9b372%21113|7c|26|7c|authkey=agftuffxlpqkaz8|7c|26|7c|em=2"; depth:118; endswith; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_09_23; reference:url, urlhaus.abuse.ch/url/1640507/; classtype:trojan-activity;sid:82503607; rev:1;)
# Paste keys are lower-cased and matched with nocase: treat a hit as "some case variant of
# this key was requested" and confirm the exact paste from the logged URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1638740)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/xpmlg1s0"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_21; reference:url, urlhaus.abuse.ch/url/1638740/; classtype:trojan-activity;sid:82501840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1638721)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/3pqfze3c"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_21; reference:url, urlhaus.abuse.ch/url/1638721/; classtype:trojan-activity;sid:82501821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1624890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1o9jg3oqyewncoptigwscdbtfmvtfqygj"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_16; reference:url, urlhaus.abuse.ch/url/1624890/; classtype:trojan-activity;sid:82487990; 
rev:1;)
# Each rule pairs an exact http.uri with an exact http.host: depth equals the content
# length, endswith anchors the URI at the buffer end, isdataat:!1,relative does the same
# for the host. A request with an added query string or path suffix will not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1609238)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/mjzm2uub"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_10; reference:url, urlhaus.abuse.ch/url/1609238/; classtype:trojan-activity;sid:82472338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1609225)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/fhxehwzr"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_09_10; reference:url, urlhaus.abuse.ch/url/1609225/; classtype:trojan-activity;sid:82472325; rev:1;)
# NOTE(review): the same host appears below with several different one-word .php paths.
# When one of these fires, reviewing all HTTP requests to that host from the client may
# surface paths this list does not carry (suggestion for triage, not shown by the rules).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1604292)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/promethium.php"; depth:15; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_09; reference:url, urlhaus.abuse.ch/url/1604292/; classtype:trojan-activity;sid:82467392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1602881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/photon.php"; depth:11; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_08; reference:url, urlhaus.abuse.ch/url/1602881/; classtype:trojan-activity;sid:82465981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1602867)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/philanthropic.php"; depth:18; endswith; nocase; http.host; 
content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_08; reference:url, urlhaus.abuse.ch/url/1602867/; classtype:trojan-activity;sid:82465967; rev:1;)
# These rules match the outbound GET only (flow:established,from_client); they do not
# inspect the response. Confirm from the HTTP status and any extracted file whether
# content was actually served before treating the client as compromised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1602778)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wash.php"; depth:9; endswith; nocase; http.host; content:"lawfirm.paperbirdtech.com"; depth:25; isdataat:!1,relative; metadata:created_at 2021_09_08; reference:url, urlhaus.abuse.ch/url/1602778/; classtype:trojan-activity;sid:82465878; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1582118)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manly.php"; depth:10; endswith; nocase; http.host; content:"allendostmen.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_01; reference:url, urlhaus.abuse.ch/url/1582118/; classtype:trojan-activity;sid:82445218; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1582015)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/strobing.php"; depth:13; endswith; nocase; http.host; content:"allendostmen.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_09_01; reference:url, urlhaus.abuse.ch/url/1582015/; classtype:trojan-activity;sid:82445115; rev:1;)
# NOTE(review): the path reads like a vendor installer download; hits may come from users
# fetching that software on purpose (inferred from the path; check the reference entry
# for what was actually served from this URL).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1560761)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/safmanager/safman_setup.exe"; depth:38; endswith; nocase; http.host; content:"www.saf-oil.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2021_08_24; reference:url, urlhaus.abuse.ch/url/1560761/; classtype:trojan-activity;sid:82423861; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (1503377)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/belt.php"; depth:9; endswith; nocase; http.host; content:"bridgeroad.maverickpreviews.com"; depth:31; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503377/; classtype:trojan-activity;sid:82366477; rev:1;)
# All entries here carry created_at 2021_08_03 and differ only in path and host. The host
# match is exact (depth = length, then isdataat:!1,relative), so a sibling subdomain of
# the same parent domain is not covered unless it has its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503361)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newborn.php"; depth:12; endswith; nocase; http.host; content:"chat-server.maverickpreviews.com"; depth:32; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503361/; classtype:trojan-activity;sid:82366461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruckus.php"; depth:11; endswith; nocase; http.host; content:"www.cutting-edge.in"; depth:19; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503351/; classtype:trojan-activity;sid:82366451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unanswerable.php"; depth:17; endswith; nocase; http.host; content:"chat-server.maverickpreviews.com"; depth:32; isdataat:!1,relative; metadata:created_at 2021_08_03; reference:url, urlhaus.abuse.ch/url/1503338/; classtype:trojan-activity;sid:82366438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1503341)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harass.php"; depth:11; endswith; nocase; http.host; content:"www.cutting-edge.in"; depth:19; isdataat:!1,relative; metadata:created_at 
2021_08_03; reference:url, urlhaus.abuse.ch/url/1503341/; classtype:trojan-activity;sid:82366441; rev:1;)
# NOTE(review): the host here is a bare IPv4 address with created_at in 2021. Address
# ownership may have changed since the entry was added (assumption); corroborate a hit
# with the response content before concluding the client fetched malware.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1497688)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.164.200.170"; depth:15; isdataat:!1,relative; metadata:created_at 2021_08_01; reference:url, urlhaus.abuse.ch/url/1497688/; classtype:trojan-activity;sid:82360788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1473823)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sweat.php"; depth:10; endswith; nocase; http.host; content:"www.cutting-edge.in"; depth:19; isdataat:!1,relative; metadata:created_at 2021_07_22; reference:url, urlhaus.abuse.ch/url/1473823/; classtype:trojan-activity;sid:82336923; rev:1;)
# Short, generic paths such as /power.txt stay specific only because http.host must equal
# the listed address exactly; the URI part alone would not be a usable indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1470181)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/power.txt"; depth:10; endswith; nocase; http.host; content:"103.106.250.161"; depth:15; isdataat:!1,relative; metadata:created_at 2021_07_21; reference:url, urlhaus.abuse.ch/url/1470181/; classtype:trojan-activity;sid:82333281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1469946)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hajime"; depth:7; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2021_07_21; reference:url, urlhaus.abuse.ch/url/1469946/; classtype:trojan-activity;sid:82333046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1431282)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/zn9ibvfw"; depth:13; 
endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_07_06; reference:url, urlhaus.abuse.ch/url/1431282/; classtype:trojan-activity;sid:82294382; rev:1;)
# NOTE(review): in the three rules below "|7c|26|7c|" is the literal text |26| (0x7c is
# "|"), not the "&" byte 0x26. This looks like a double-escaped "&" (TODO confirm with the
# URLhaus entry); a request using "export=download&id=..." would not match.
# depth:68 / depth:135 count the escaped characters; the decoded patterns are 59 and 120
# bytes, so the URI match is not anchored to offset 0 as it is in rules without escapes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1422022)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1n8_s6gijerearczwh74blkygodig64eo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_07_03; reference:url, urlhaus.abuse.ch/url/1422022/; classtype:trojan-activity;sid:82285122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1422010)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1yfqtugahqhqrulwugdekeavffktsl8ci"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_07_03; reference:url, urlhaus.abuse.ch/url/1422010/; classtype:trojan-activity;sid:82285110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1391235)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1sbd1rnw8luztjmsh6gdlzupvyupbopa0|7c|26|7c|revid=0b3yyjts_woklr2vnyxvqohlidxbxn1l2wwjntxfnwvi5v0h3pq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_23; reference:url, urlhaus.abuse.ch/url/1391235/; classtype:trojan-activity;sid:82254335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1378480)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/uc|3f|export=download|7c|26|7c|id=1ctmywlj5wouiug1wgizy3ke7yj1u0yor|7c|26|7c|revid=0b_t0-zked1mgagxwmxcwywq5q0q1uk1uoxcwaup6l2ovmtdjpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_19; reference:url, urlhaus.abuse.ch/url/1378480/; classtype:trojan-activity;sid:82241580; rev:1;)
# NOTE(review): the separator before "id=" is written "|7c|26|7c|", which is the literal
# characters |26|; an "&" would be "|26|". Presumably a generator escaping error (TODO
# confirm); as written the rule does not match a URI that uses "&".
# The file id is lower-cased and matched with nocase, so it is not case-exact either.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1372338)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1alq8r5tnr6wwiftqa3l6d9fymv7y0g9m"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_17; reference:url, urlhaus.abuse.ch/url/1372338/; classtype:trojan-activity;sid:82235438; rev:1;)
# Exact-URI rules: depth equals the path length and endswith closes the buffer, so the
# same script requested with a query string (for example "?x=1", constructed) is not
# covered by these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1371786)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watercress.php"; depth:15; endswith; nocase; http.host; content:"www.playtown.co.za"; depth:18; isdataat:!1,relative; metadata:created_at 2021_06_16; reference:url, urlhaus.abuse.ch/url/1371786/; classtype:trojan-activity;sid:82234886; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1371739)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lining.php"; depth:11; endswith; nocase; http.host; content:"www.playtown.co.za"; depth:18; isdataat:!1,relative; metadata:created_at 2021_06_16; reference:url, urlhaus.abuse.ch/url/1371739/; classtype:trojan-activity;sid:82234839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1371719)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scroungy.php"; depth:13; endswith; nocase; http.host; content:"www.playtown.co.za"; depth:18; 
isdataat:!1,relative; metadata:created_at 2021_06_16; reference:url, urlhaus.abuse.ch/url/1371719/; classtype:trojan-activity;sid:82234819; rev:1;)
# sid = URLhaus id + 80863100 (1369536 -> 82232636); use it to pivot from an alert to the
# urlhaus.abuse.ch/url/<id>/ entry and its current status.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1369536)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/steeplechases.php"; depth:18; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_15; reference:url, urlhaus.abuse.ch/url/1369536/; classtype:trojan-activity;sid:82232636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1369533)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/familial.php"; depth:13; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_15; reference:url, urlhaus.abuse.ch/url/1369533/; classtype:trojan-activity;sid:82232633; rev:1;)
# NOTE(review): both paths below sit under /update_vbase/ and read like an application's
# update channel; an alert may be an installed program polling for updates rather than a
# user action (inferred from the path; verify with the reference entry and host telemetry).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1364815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update_vbase/voklight.exe"; depth:26; endswith; nocase; http.host; content:"visam.info"; depth:10; isdataat:!1,relative; metadata:created_at 2021_06_14; reference:url, urlhaus.abuse.ch/url/1364815/; classtype:trojan-activity;sid:82227915; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1364597)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update_vbase/voklightd.exe"; depth:27; endswith; nocase; http.host; content:"visam.info"; depth:10; isdataat:!1,relative; metadata:created_at 2021_06_14; reference:url, urlhaus.abuse.ch/url/1364597/; classtype:trojan-activity;sid:82227697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1352974)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"103.125.163.10"; depth:14; isdataat:!1,relative; metadata:created_at 2021_06_11; reference:url, urlhaus.abuse.ch/url/1352974/; classtype:trojan-activity;sid:82216074; rev:1;)
# Request-side signatures (flow:established,from_client, method GET): they show that the
# URL was asked for, not that the server answered with a payload.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1350653)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/habitual.php"; depth:13; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1350653/; classtype:trojan-activity;sid:82213753; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1350619)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ruleless.php"; depth:13; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1350619/; classtype:trojan-activity;sid:82213719; rev:1;)
# NOTE(review): "|7c|26|7c|" is the literal text |26| (pipe, 2, 6, pipe), not "&" (0x26);
# presumably a double-escaped separator (TODO confirm). depth:135 counts the escaped
# characters, while the decoded pattern is 120 bytes long.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1350517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1tilqozot07vylvdmmsfs7ia452jwhktj|7c|26|7c|revid=0b7gsmqzks4xkcdjcwhuvatj2qvlvchnmnnovu2ldzstek2jzpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1350517/; classtype:trojan-activity;sid:82213617; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1348672)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1etpmpb2shvuny5dxj5awfpxklxqpbzgx"; depth:68; endswith; nocase; http.host; 
content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_10; reference:url, urlhaus.abuse.ch/url/1348672/; classtype:trojan-activity;sid:82211772; rev:1;)
# Four entries for one host, all created_at 2021_06_09, each an exact path match (depth
# equals the path length, endswith closes the URI). A new path on the same host needs a
# new rule; a hit on any of them is a reason to review the client's other requests to
# this host (triage suggestion).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346907)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toothy.php"; depth:11; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1346907/; classtype:trojan-activity;sid:82210007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346883)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unpunished.php"; depth:15; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1346883/; classtype:trojan-activity;sid:82209983; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346885)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jordan.php"; depth:11; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1346885/; classtype:trojan-activity;sid:82209985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1346871)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/defended.php"; depth:13; endswith; nocase; http.host; content:"jyothishmathi.in"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1346871/; classtype:trojan-activity;sid:82209971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1343323)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hoopoe.php"; depth:11; endswith; nocase; http.host; content:"thementordirectory.com"; depth:22; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1343323/; classtype:trojan-activity;sid:82206423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1343313)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hare.php"; depth:9; endswith; nocase; http.host; content:"thementordirectory.com"; depth:22; isdataat:!1,relative; metadata:created_at 2021_06_09; reference:url, urlhaus.abuse.ch/url/1343313/; classtype:trojan-activity;sid:82206413; rev:1;)
# NOTE(review): "|7c|26|7c|" encodes the literal characters |26|, not "&" (0x26); it looks
# like "&" was escaped twice (TODO confirm). depth:68 is the escaped length; the decoded
# pattern is 59 bytes. The host is normally HTTPS (assumption), so this http rule only
# helps where the sensor sees decrypted traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1331376)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1b6t1mjnjcvndcy-mdqq0neqrbocqyju4"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_06; reference:url, urlhaus.abuse.ch/url/1331376/; classtype:trojan-activity;sid:82194476; rev:1;)
# NOTE(review): versioned installer name on what reads like a download/CDN host; hits may
# reflect software distribution rather than an intrusion (inferred from the names only;
# check the reference entry for the classification of the served file).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1327898)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inst77player/inst77player_1.0.0.1.exe"; depth:38; endswith; nocase; http.host; content:"softdl.360tpcdn.com"; depth:19; isdataat:!1,relative; metadata:created_at 2021_06_05; reference:url, urlhaus.abuse.ch/url/1327898/; classtype:trojan-activity;sid:82190998; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1319551)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1nw1gmzg6lwtuhs0tte969xcfpp9_dc5q"; depth:68; endswith; nocase; http.host; 
content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_06_03; reference:url, urlhaus.abuse.ch/url/1319551/; classtype:trojan-activity;sid:82182651; rev:1;)
# NOTE(review): the long document keys in the /document/d/e/<key>/pub paths below are
# stored lower-cased and matched with nocase. If the keys are case-sensitive upstream
# (presumably; confirm), a rule also matches other documents whose key differs only in
# letter case; compare the logged URI with the reference entry when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314584)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqofspqgo4lhe7xt4ky-gkjbc9rgwzgw9rksc_azpw2gotdlnhx9oxc_rgk1zz9mgxxwqoixey0eajp/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314584/; classtype:trojan-activity;sid:82177684; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314578)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vszvhw0lywviz_dpqozkdip0orjsf7411ucirwqegcgfxwqqb3nqpbn3d7orqqxnatypulra_ssggie/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314578/; classtype:trojan-activity;sid:82177678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314581)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vr-asdhfa85lnhp1g6rll18x2htnflvy5zggxzrfveecvbhjiwaes9o9w3dn49od7lplixl3u59icjr/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314581/; classtype:trojan-activity;sid:82177681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314569)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/document/d/e/2pacx-1vqb__8qdiraoo-s_qrzkk8o_8brsuwaeje3ivcd5efhddlux4gw5otilj5ezfenwjzaha-zojj_7srj/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314569/; classtype:trojan-activity;sid:82177669; rev:1;)
# NOTE(review): these are "alert http" rules, so they need an HTTP request the sensor can
# parse. docs.google.com is normally served over HTTPS (assumption; confirm for your
# egress path); without TLS decryption ahead of Suricata these entries give little
# coverage, and the host name alone is too widely used to alert on.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314563)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqm_l1o1djktv6pcfwixdz1gjaqrg26rpb3n3uqpk0jqvif91b_irdew7mo34hhhoffbjohoztlmdtp/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314563/; classtype:trojan-activity;sid:82177663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314556)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vrxkt9v4qcom-0wjceb6bexufgpr_vdebkc-kra8h7gutbblset1veguumqxs3npiv4qw-7_1kiy3jm/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314556/; classtype:trojan-activity;sid:82177656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314548)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vspnrqtfaftwpvbd8o61fbvozlhc3z0x8jy4glnji-v80xrxnlemgt89l5imnr_7kxst0gn9ydkjj0q/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314548/; classtype:trojan-activity;sid:82177648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314543)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vs1h7txewarzqve-jwxnwcgzibofoz58qrk8kerhmfz8mpippgfjeoijthgmm-tw7lwcipr8acup_ft/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314543/; classtype:trojan-activity;sid:82177643; rev:1;)
# depth:104 equals the full path length (no hex escapes here), so with endswith the URI
# must equal the listed path exactly; the same document requested with a query string
# appended would not match.
# The key is lower-cased and matched with nocase, so the match is not case-exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314544)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vr92cz6z4uh71ogqyzgn6vtdc54xoa0iovizmkmogvekyix648nysfipvt4qto6uvtrp9jsatoeuhk3/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314544/; classtype:trojan-activity;sid:82177644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vtuc-a7s7ylxnfwqp8oxz6no5uwdmabudx-6glkwrnzjwqwgdtcpdvwp0x0l03qdarzrzonj_adevlw/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314545/; classtype:trojan-activity;sid:82177645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314534)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqe1vc-nlfenfgigyaugmmg1dq4l0-haikp9qxkacc32ig0xtg6go8lejdoogo0vfeoie4tcyy4_bn4/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314534/; classtype:trojan-activity;sid:82177634; rev:1;)
alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314535)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vsrvkllojuhzbqokettk0u2b1whglldp35-o1zgt_jlem2z2odwedj0z9sgtukvikdowcuan-0fj5wn/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314535/; classtype:trojan-activity;sid:82177635; rev:1;)
# Request-side match only (flow:established,from_client, method GET). An alert means a
# client asked for this published document; whether anything harmful was delivered has to
# be established from the response and the endpoint, not from the alert itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314537)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqvbpr6y2jjnkxfpcwt9uv7pqycg6vdoowr-xnakhtl9ns4tk44rpa91em8usoc992uqyrpn6ucy5ep/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314537/; classtype:trojan-activity;sid:82177637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1314526)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vq8kqm4rsobvbpga8ncnzs-1xulwuezfri9x1ktowpiijctqe1uq0iged6iq7sa5zuhnh56egsebkoj/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_06_02; reference:url, urlhaus.abuse.ch/url/1314526/; classtype:trojan-activity;sid:82177626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287391)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vtecbrofm9hcrdmzz8g7ktneypnrpr1s7bvyoit3r8jd7rjanmysk9yyuhvzmdp3dmkd-xss7kpyffa/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287391/; 
classtype:trojan-activity;sid:82150491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287387)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vt544w_wvxhvfskbx2zio7pht-jzhb1nvr7y1qhtxccjopcfxzhm1mottjhjsdudpgs9lfrjcqzoi8n/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287387/; classtype:trojan-activity;sid:82150487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287373)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vrtnhy8ipm82egefg7zhukj5qwbit31-jlhdsxovff8rcefw2uhpndpuclv_ffrqqdjhxyxympj3ame/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287373/; classtype:trojan-activity;sid:82150473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1287333)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vt4iy9nlwuov8hsmpykbfkn1fh1ydp7ms8dudg2ldfjgxf8rumdtzgiw7ukoifo3ap-pb7ybzlcdfqi/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_26; reference:url, urlhaus.abuse.ch/url/1287333/; classtype:trojan-activity;sid:82150433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278913)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vtyg409rjv4omi3oujyjsc6ajzflluuz37ofzbpjjihmrewoh2ehp2pwbfllgyy_yzqdrldwcaejvd5/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; 
metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278913/; classtype:trojan-activity;sid:82142013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278910)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vr1e4kzyqneoh2tjc5rh_unlfwjdo31gedrveg0wdyrprmm3yfdxjqxdvyy535adzu5p9m4mrvdau9v/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278910/; classtype:trojan-activity;sid:82142010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278896)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vq6nr-yg49vldzzxliqvpupbajoss2nfxsnsk3khaixmvqydl20mxhttp-qa7mojkwa4osepa76nnbl/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278896/; classtype:trojan-activity;sid:82141996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278899)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/d/e/2pacx-1vqyowyoxata2couqa6uc3gwi59sq5maualr7yfmq6luzvtefqopogncbli8hx6vubkt2b65qerqhzy8/pub"; depth:104; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_24; reference:url, urlhaus.abuse.ch/url/1278899/; classtype:trojan-activity;sid:82141999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1278586)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/j5fxvrf3"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 
2021_05_24; reference:url, urlhaus.abuse.ch/url/1278586/; classtype:trojan-activity;sid:82141686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1252888)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/v1jcezvd"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_05_18; reference:url, urlhaus.abuse.ch/url/1252888/; classtype:trojan-activity;sid:82115988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1237690)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1m8jszvq-ztfrul7vgsb6q-n3ftgnkbdj|7c|26|7c|revid=0bxrhybf9__wnmgjlnmxmunzznlu0v204azc4edmzcep6a0hzpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_15; reference:url, urlhaus.abuse.ch/url/1237690/; classtype:trojan-activity;sid:82100790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1233306)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gv_nk9llqw4fxudo-khja7nuuj1kevvw|7c|26|7c|revid=0b7zefp-g6n7vm0zhowo4be9pvus4mmh0ymxvd3r6zlu3ylznpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_14; reference:url, urlhaus.abuse.ch/url/1233306/; classtype:trojan-activity;sid:82096406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1230008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/jnljbghz"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_05_13; reference:url, urlhaus.abuse.ch/url/1230008/; 
classtype:trojan-activity;sid:82093108; rev:1;)
# Rules 1220349, 1199812, 1198558 and 1184754 (the last one continues on the
# following line): each alerts on a client-side GET whose http.uri buffer ends
# with the listed path and query (nocase) and whose http.host buffer is exactly
# the listed Google host. A host depth equal to the host length, combined with
# isdataat:!1,relative, pins both ends of the host string.
#
# NOTE(review): inside a content string, bytes between pipes are hex. "|3f|" is
# "?", but "|7c|26|7c|" decodes to the four literal characters |26| and not to
# "&" (0x26). As written, the three /uc rules therefore cannot match a query
# string that uses a plain "&" separator. This looks like double escaping in
# the feed generator; the single-escaped form would be "|26|". The file header
# carries a "Last updated" stamp, so a local patch is presumably overwritten on
# the next pull - raise it with the feed maintainer.
#
# NOTE(review): the http.uri depth values equal the length of the escaped rule
# text (68 for a pattern that decodes to 59 bytes, 75 for one that decodes to
# 72). endswith still anchors the end of the URI, but the start is not pinned
# to offset 0, so a short prefix in front of the pattern is tolerated.
#
# NOTE(review): these hosts are normally served over HTTPS. An "alert http"
# rule sees the request only in cleartext or behind TLS decryption - confirm
# the sensor has that visibility before counting these rules as coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1220349)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1h_dyp_d5lst4akyf2qezxl7j1scvbtvs|7c|26|7c|revid=0b5thckui5i0mdk5moelbnm9vuhnydvjnvwpyq01vrg5xvwhrpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_05_11; reference:url, urlhaus.abuse.ch/url/1220349/; classtype:trojan-activity;sid:82083449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1199812)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1uygnpwzzyzn2rodsrimg0-sloxy_letg"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_05_06; reference:url, urlhaus.abuse.ch/url/1199812/; classtype:trojan-activity;sid:82062912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1198558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view/59bmj3vj18vh2/drive/storage/a/files/download|3f|id=625899581658508733"; depth:75; endswith; nocase; http.host; content:"sites.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2021_05_06; reference:url, urlhaus.abuse.ch/url/1198558/; classtype:trojan-activity;sid:82061658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1184754)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1ygn4gkmy9musdp_lgnpyjjh6rskt39vp|7c|26|7c|revid=0b8rbgp2bpeofmk5ta3n3mgjtefbzdevwtk5wwhpjd3yruejjpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; 
metadata:created_at 2021_04_30; reference:url, urlhaus.abuse.ch/url/1184754/; classtype:trojan-activity;sid:82047854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1182816)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1zxejnkdwqezrbgani5vjk2y2nhmpkg0z|7c|26|7c|revid=0b-bo0wgwxcblsui1mehkbhrlu01rwxnyrxzxanbdendmbndnpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1182816/; classtype:trojan-activity;sid:82045916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181763)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=mep5euraznm5lmjsb2cuzgf1bs5uzxq6l0lnqudflzavns5legu=|7c|26|7c|filename=%ec%9d%b8%ed%84%b0%eb%84%b7_%ec%a2%85%eb%9f%89%ec%a0%9c_%ed%85%8c%ec%8a%a4%ed%8a%b8.exe"; depth:199; endswith; nocase; http.host; content:"cfs9.blog.daum.net"; depth:18; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181763/; classtype:trojan-activity;sid:82044863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=ymxvzze5mtk5nubmczezlnrpc3rvcnkuy29toi9hdhrhy2gvmc8xnzawmdawmdawmdauzxhl|7c|26|7c|filename=oleaut32.dll%bf%c0%b7%f9%c7%d8%b0%e1%c7%cf%b1%e2.exe"; depth:184; endswith; nocase; http.host; content:"cfs13.tistory.com"; depth:17; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181758/; classtype:trojan-activity;sid:82044858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181756)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=mdczafhaznmxmc5ibg9nlmrhdw0ubmv0oi9jtufhrs8wlzkwlmv4zq==|7c|26|7c|filename=xp_sp3_%ed%85%8c%eb%a7%88%ed%8c%a8%ec%b9%98.exe"; depth:163; endswith; nocase; http.host; content:"cfs10.blog.daum.net"; depth:19; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181756/; classtype:trojan-activity;sid:82044856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1181755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=metnwe5aznm3lmjsb2cuzgf1bs5uzxq6l0lnqudflzavmc5legu=|7c|26|7c|filename=%ec%9d%b8%ed%84%b0%eb%84%b7_%ec%a2%85%eb%9f%89%ec%a0%9c_%ed%85%8c%ec%8a%a4%ed%8a%b8-cksal16.exe/%ec%9d%b8%ed%84%b0%eb%84%b7_%ec%a2%85%eb%9f%89%ec%a0%9c_%ed%85%8c%ec%8a%a4%ed%8a%b8-cksal16.exe"; depth:303; endswith; nocase; http.host; content:"cfs7.blog.daum.net"; depth:18; isdataat:!1,relative; metadata:created_at 2021_04_29; reference:url, urlhaus.abuse.ch/url/1181755/; classtype:trojan-activity;sid:82044855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1152444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1jpl-uouydm5hypqm67uokyddrblbpxvw|7c|26|7c|revid=0b7zpiprmoc5ubhpwclq0cxdyte5vwtrbymnidznhtgm3bzvrpq"; depth:135; endswith; nocase; http.host; content:"docs.google.com"; depth:15; isdataat:!1,relative; metadata:created_at 2021_04_22; reference:url, urlhaus.abuse.ch/url/1152444/; classtype:trojan-activity;sid:82015544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (1010244)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/bew39lta"; depth:13; endswith; nocase; http.host; 
content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_02_14; reference:url, urlhaus.abuse.ch/url/1010244/; classtype:trojan-activity;sid:81873344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (984502)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/g7vaue54"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_01_30; reference:url, urlhaus.abuse.ch/url/984502/; classtype:trojan-activity;sid:81847602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (961009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/00aujclx"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2021_01_14; reference:url, urlhaus.abuse.ch/url/961009/; classtype:trojan-activity;sid:81824109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (957784)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamewd/yhdl.exe"; depth:16; endswith; nocase; http.host; content:"download.caihong.com"; depth:20; isdataat:!1,relative; metadata:created_at 2021_01_13; reference:url, urlhaus.abuse.ch/url/957784/; classtype:trojan-activity;sid:81820884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (936427)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/bxjesdj7w3meuh7iatiurbsgh/"; depth:36; endswith; nocase; http.host; content:"cdaonline.com.ar"; depth:16; isdataat:!1,relative; metadata:created_at 2020_12_21; reference:url, urlhaus.abuse.ch/url/936427/; classtype:trojan-activity;sid:81799527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(765703)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/lm/7cfvaaa9jo/"; depth:27; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_29; reference:url, urlhaus.abuse.ch/url/765703/; classtype:trojan-activity;sid:81628803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (756747)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/rrrv7ilgm2dzpohaklkhewb8rkju15bmqeewccglap/"; depth:56; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_27; reference:url, urlhaus.abuse.ch/url/756747/; classtype:trojan-activity;sid:81619847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (756736)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/4ld2g8w3rrmhtgvvvpeq2orlcqm71yyxveriw5rzitvii3/"; depth:60; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_27; reference:url, urlhaus.abuse.ch/url/756736/; classtype:trojan-activity;sid:81619836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (733798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/oct/w9hmkanqe5py4r/"; depth:32; endswith; nocase; http.host; content:"ncxps.com"; depth:9; isdataat:!1,relative; metadata:created_at 2020_10_22; reference:url, urlhaus.abuse.ch/url/733798/; classtype:trojan-activity;sid:81596898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (637433)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paetools.exe"; depth:13; endswith; nocase; http.host; content:"soft.110route.com"; depth:17; isdataat:!1,relative; 
metadata:created_at 2020_10_01; reference:url, urlhaus.abuse.ch/url/637433/; classtype:trojan-activity;sid:81500533; rev:1;)
# Rules 613088, 554647, 490516 and 453216: each alerts on a client-side GET
# whose http.host buffer is exactly the listed host and whose http.uri buffer
# ends with the listed path (nocase). Only request buffers are inspected
# (flow:...,from_client); the downloaded content itself is not examined, so an
# alert says "this URL was requested", not "this payload was delivered".
#
# NOTE(review): 613088 and 453216 key on github.com and
# raw.githubusercontent.com, which are normally served over HTTPS. An
# "alert http" rule sees the request only in cleartext or behind TLS
# decryption - confirm sensor visibility before counting these as coverage.
#
# NOTE(review): created_at on these rules is 2020, and 613088 points at a
# versioned release asset of a public repository. Presumably the listing
# reflects what was served at that time; check the referenced URLhaus entry
# before treating a hit as a confirmed infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (613088)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mikf/gallery-dl/releases/download/v1.15.0/gallery-dl.exe"; depth:57; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2020_09_26; reference:url, urlhaus.abuse.ch/url/613088/; classtype:trojan-activity;sid:81476188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (554647)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/file/x7z9wbk77tt6v9/"; depth:30; endswith; nocase; http.host; content:"cdaonline.com.ar"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_18; reference:url, urlhaus.abuse.ch/url/554647/; classtype:trojan-activity;sid:81417747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (490516)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hmatrix/data/hack1226.exe"; depth:26; endswith; nocase; http.host; content:"cd.textfiles.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_14; reference:url, urlhaus.abuse.ch/url/490516/; classtype:trojan-activity;sid:81353616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (453216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enteihacking/mt/master/asycivic.jpg"; depth:36; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2020_09_04; reference:url, urlhaus.abuse.ch/url/453216/; classtype:trojan-activity;sid:81316316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (453035)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1g_x0a_gnyxai5glsipkq1b2mqknanuw8"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_04; reference:url, urlhaus.abuse.ch/url/453035/; classtype:trojan-activity;sid:81316135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (452177)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=14muad9cmj6mxsd9lrccuo1egxyf5f-ty"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_03; reference:url, urlhaus.abuse.ch/url/452177/; classtype:trojan-activity;sid:81315277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (451466)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1yrmkzxf4rmy9utrikbh6rgvsokehbmeo"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_09_02; reference:url, urlhaus.abuse.ch/url/451466/; classtype:trojan-activity;sid:81314566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (447394)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1sm7b9902i8v4yitepf6gzomqc84ltloi"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_08_31; reference:url, urlhaus.abuse.ch/url/447394/; classtype:trojan-activity;sid:81310494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (446803)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1gavcby-nhlq22ohbgm530exffsrg1aub"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_08_30; reference:url, urlhaus.abuse.ch/url/446803/; classtype:trojan-activity;sid:81309903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (439389)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/statement/ul397wfyb/"; depth:29; endswith; nocase; http.host; content:"reifenquick.de"; depth:14; isdataat:!1,relative; metadata:created_at 2020_08_24; reference:url, urlhaus.abuse.ch/url/439389/; classtype:trojan-activity;sid:81302489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (436727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/statement/ul397wfyb/"; depth:29; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2020_08_19; reference:url, urlhaus.abuse.ch/url/436727/; classtype:trojan-activity;sid:81299827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (435731)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; endswith; nocase; http.host; content:"94.43.139.153"; depth:13; isdataat:!1,relative; metadata:created_at 2020_08_18; reference:url, urlhaus.abuse.ch/url/435731/; classtype:trojan-activity;sid:81298831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (434320)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/hl8-8w4cs-6325/"; depth:24; endswith; nocase; http.host; content:"reifenquick.de"; depth:14; isdataat:!1,relative; metadata:created_at 2020_08_17; reference:url, 
urlhaus.abuse.ch/url/434320/; classtype:trojan-activity;sid:81297420; rev:1;)
# Rules 434311, 432722, 429290 and 427444: each alerts on a client-side GET to
# host dweixin.cn (exact match: depth:10 plus isdataat:!1,relative) whose
# http.uri buffer ends with the listed /gttu/ path (nocase).
#
# NOTE(review): 434311 (sid 81297411) and 432722 (sid 81295822) have identical
# match conditions - same method, same http.uri content and depth, same host.
# They differ only in msg id, created_at, reference and sid, so one request
# raises two alerts. Correlate on host and URI rather than on sid when counting
# events, or suppress one of the two sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (434311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gttu/xofsl/"; depth:12; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_17; reference:url, urlhaus.abuse.ch/url/434311/; classtype:trojan-activity;sid:81297411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (432722)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gttu/xofsl/"; depth:12; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_14; reference:url, urlhaus.abuse.ch/url/432722/; classtype:trojan-activity;sid:81295822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (429290)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gttu/overview/sw94b26/"; depth:23; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_11; reference:url, urlhaus.abuse.ch/url/429290/; classtype:trojan-activity;sid:81292390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (427444)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gttu/invoice/ujn3me8cye/"; depth:25; endswith; nocase; http.host; content:"dweixin.cn"; depth:10; isdataat:!1,relative; metadata:created_at 2020_08_07; reference:url, urlhaus.abuse.ch/url/427444/; classtype:trojan-activity;sid:81290544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (426974)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/images/t55prjrdcx/0y8615606244201084438n0kq7whr/"; depth:49; endswith; nocase; http.host; content:"seismophonic.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_08_07; reference:url, urlhaus.abuse.ch/url/426974/; classtype:trojan-activity;sid:81290074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (426390)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/open-0627720493640-azq24pffjrm/guarded-space/gxkx9t42ra6yf-6x7uyx330389w/"; depth:82; endswith; nocase; http.host; content:"www.reifenquick.de"; depth:18; isdataat:!1,relative; metadata:created_at 2020_08_06; reference:url, urlhaus.abuse.ch/url/426390/; classtype:trojan-activity;sid:81289490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (426310)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/covid19/statement/"; depth:19; endswith; nocase; http.host; content:"schenckel.com.br"; depth:16; isdataat:!1,relative; metadata:created_at 2020_08_06; reference:url, urlhaus.abuse.ch/url/426310/; classtype:trojan-activity;sid:81289410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (424629)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/kdgxnbhp"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2020_08_05; reference:url, urlhaus.abuse.ch/url/424629/; classtype:trojan-activity;sid:81287729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (422650)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"123.110.182.187"; depth:15; isdataat:!1,relative; metadata:created_at 2020_07_31; reference:url, urlhaus.abuse.ch/url/422650/; 
classtype:trojan-activity;sid:81285750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (422458)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/invoice/aog-3515110/"; depth:21; endswith; nocase; http.host; content:"lindnerelektroanlagen.de"; depth:24; isdataat:!1,relative; metadata:created_at 2020_07_30; reference:url, urlhaus.abuse.ch/url/422458/; classtype:trojan-activity;sid:81285558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (420521)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/parts_service/ly944myw/"; depth:28; endswith; nocase; http.host; content:"hitstation.nl"; depth:13; isdataat:!1,relative; metadata:created_at 2020_07_28; reference:url, urlhaus.abuse.ch/url/420521/; classtype:trojan-activity;sid:81283621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (419868)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paradiselost/statement/s7nr8p8ut/"; depth:34; endswith; nocase; http.host; content:"damiancollier.com"; depth:17; isdataat:!1,relative; metadata:created_at 2020_07_27; reference:url, urlhaus.abuse.ch/url/419868/; classtype:trojan-activity;sid:81282968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (417815)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/znhs8f1m"; depth:13; endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2020_07_22; reference:url, urlhaus.abuse.ch/url/417815/; classtype:trojan-activity;sid:81280915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (417814)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/6xgqcgx8"; depth:13; 
endswith; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; metadata:created_at 2020_07_22; reference:url, urlhaus.abuse.ch/url/417814/; classtype:trojan-activity;sid:81280914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (410755)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d35ha/processhide/master/bins/processhide32.exe"; depth:48; endswith; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; metadata:created_at 2020_07_10; reference:url, urlhaus.abuse.ch/url/410755/; classtype:trojan-activity;sid:81273855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (390013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1am1ztjjhswzwdbvue5tke5mbkwjud0w5"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_06_15; reference:url, urlhaus.abuse.ch/url/390013/; classtype:trojan-activity;sid:81253113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (390009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1hd7ffgig6btbzuy2_2kds_t4u637qxjn"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_06_15; reference:url, urlhaus.abuse.ch/url/390009/; classtype:trojan-activity;sid:81253109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368318)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/pdf.exe"; depth:22; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, 
urlhaus.abuse.ch/url/368318/; classtype:trojan-activity;sid:81231418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368317)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/doc/774d0427cd607b1c09131cc277a68c9edd7cf01499d356bcb1ef4a08e6fc322a.doc"; depth:83; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368317/; classtype:trojan-activity;sid:81231417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368315)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/xerox01_pdf.exe"; depth:30; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368315/; classtype:trojan-activity;sid:81231415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368311)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/njrat.exe"; depth:24; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368311/; classtype:trojan-activity;sid:81231411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (368309)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/order_pdf.exe"; depth:28; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368309/; classtype:trojan-activity;sid:81231409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected 
(368303)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/threatsim/exe/640.exe"; depth:22; endswith; nocase; http.host; content:"0022a601.pphost.net"; depth:19; isdataat:!1,relative; metadata:created_at 2020_05_25; reference:url, urlhaus.abuse.ch/url/368303/; classtype:trojan-activity;sid:81231403; rev:1;)
# NOTE(review): the three drive.google.com rules below (sids 81229649, 81218463, 81214590) share two caveats.
# 1. In Suricata content notation |7c| is the byte 0x7c ("|"), so |7c|26|7c| matches the four literal
#    characters "|26|", not "&" (0x26, written |26|). The reported URL presumably had "&" between the
#    query parameters -- confirm against the URLhaus reference entry; if so, these contents cannot match
#    the real request URI. The depth values (68, 72, 68) equal the length of the escaped string as
#    written rather than of the decoded bytes, which points the same way.
# 2. These are "alert http" rules, so they only see requests the sensor can parse as cleartext HTTP.
#    drive.google.com is normally reached over HTTPS -- TODO confirm whether TLS is decrypted upstream
#    of the sensor; otherwise expect no hits from these signatures.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (366549)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1pyl4hq8sbp5qatm1zz9vmsze1cuy2uzw"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_05_22; reference:url, urlhaus.abuse.ch/url/366549/; classtype:trojan-activity;sid:81229649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (355363)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/0/uc|3f|id=1osjrfvjdy1vblk4fya98jp5jlnk7rutv|7c|26|7c|export=download"; depth:72; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_05_01; reference:url, urlhaus.abuse.ch/url/355363/; classtype:trojan-activity;sid:81218463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (351490)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uc|3f|export=download|7c|26|7c|id=1nndvq_2_7doyyuqvcvwmory_4lyrplb7"; depth:68; endswith; nocase; http.host; content:"drive.google.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_04_26; reference:url, urlhaus.abuse.ch/url/351490/; classtype:trojan-activity;sid:81214590; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (326350)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/builds/offers/12.exe"; depth:21; endswith; nocase; http.host; content:"softcatalog.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2020_03_18; reference:url, urlhaus.abuse.ch/url/326350/; classtype:trojan-activity;sid:81189450; rev:1;)
# NOTE(review): sid 81185858 has the same |7c|26|7c| sequence (literal "|26|", not "&") between the
# fhandle and filename parameters -- confirm against the URLhaus reference entry. It also matches
# "%3d%3d" as literal text in http.uri, the normalized URI buffer; whether percent-escapes in the query
# survive normalization depends on the sensor's HTTP parser settings -- verify with a test pcap.
# The fhandle value appears to be stored lowercased and is matched with nocase, so its original
# case cannot be recovered from this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (322758)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload_control/download.blog|3f|fhandle=ymxvzzcxmzyyqgzzns50axn0b3j5lmnvbtovyxr0ywnolzavmtqwmdawmdawmdawlmv4zq%3d%3d|7c|26|7c|filename=crack-pro20.exe"; depth:151; endswith; nocase; http.host; content:"cfs5.tistory.com"; depth:16; isdataat:!1,relative; metadata:created_at 2020_03_08; reference:url, urlhaus.abuse.ch/url/322758/; classtype:trojan-activity;sid:81185858; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (314465)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fta.exe"; depth:8; endswith; nocase; http.host; content:"vincentdemiero.com"; depth:18; isdataat:!1,relative; metadata:created_at 2020_02_14; reference:url, urlhaus.abuse.ch/url/314465/; classtype:trojan-activity;sid:81177565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (314464)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documeynt9897.zip"; depth:18; endswith; nocase; http.host; content:"vincentdemiero.com"; depth:18; isdataat:!1,relative; metadata:created_at 2020_02_14; reference:url, urlhaus.abuse.ch/url/314464/; classtype:trojan-activity;sid:81177564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (314463)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvs.zip"; depth:8; endswith; nocase; http.host; content:"vincentdemiero.com"; depth:18; isdataat:!1,relative; metadata:created_at 2020_02_14; reference:url, urlhaus.abuse.ch/url/314463/; 
classtype:trojan-activity;sid:81177563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (308942)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-lm9-32/"; depth:21; endswith; nocase; http.host; content:"www.chenwangqiao.com"; depth:20; isdataat:!1,relative; metadata:created_at 2020_02_05; reference:url, urlhaus.abuse.ch/url/308942/; classtype:trojan-activity;sid:81172042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (306649)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/3waa9-ke38h-15/"; depth:26; endswith; nocase; http.host; content:"www.chenwangqiao.com"; depth:20; isdataat:!1,relative; metadata:created_at 2020_02_03; reference:url, urlhaus.abuse.ch/url/306649/; classtype:trojan-activity;sid:81169749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (304070)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/file/"; depth:16; endswith; nocase; http.host; content:"www.chenwangqiao.com"; depth:20; isdataat:!1,relative; metadata:created_at 2020_01_31; reference:url, urlhaus.abuse.ch/url/304070/; classtype:trojan-activity;sid:81167170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (288508)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omlakdj17fkcjfsd/common_module/security_lkveb9o0tx_wd3lhz42yf1slt/tlcs2lwhd3vo_38wyy7/"; depth:87; endswith; nocase; http.host; content:"owlcity.ru"; depth:10; isdataat:!1,relative; metadata:created_at 2020_01_14; reference:url, urlhaus.abuse.ch/url/288508/; classtype:trojan-activity;sid:81151608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (254738)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cvd/dist/fileupload/1571723382710/9.915787746614242.jpg"; depth:56; endswith; nocase; http.host; content:"cdn.xiaoduoai.com"; depth:17; isdataat:!1,relative; metadata:created_at 2019_11_18; reference:url, urlhaus.abuse.ch/url/254738/; classtype:trojan-activity;sid:81117838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (254737)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvd/dist/fileupload/1571723350789/0.25579108623802416.jpg"; depth:58; endswith; nocase; http.host; content:"cdn.xiaoduoai.com"; depth:17; isdataat:!1,relative; metadata:created_at 2019_11_18; reference:url, urlhaus.abuse.ch/url/254737/; classtype:trojan-activity;sid:81117837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (242568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"202.4.124.58"; depth:12; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/242568/; classtype:trojan-activity;sid:81105668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (240568)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"94.244.113.217"; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_07; reference:url, urlhaus.abuse.ch/url/240568/; classtype:trojan-activity;sid:81103668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (240550)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"71.42.105.34"; depth:12; isdataat:!1,relative; metadata:created_at 2019_10_07; reference:url, urlhaus.abuse.ch/url/240550/; 
classtype:trojan-activity;sid:81103650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (239019)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"36.66.139.36"; depth:12; isdataat:!1,relative; metadata:created_at 2019_10_06; reference:url, urlhaus.abuse.ch/url/239019/; classtype:trojan-activity;sid:81102119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (238008)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"190.12.99.194"; depth:13; isdataat:!1,relative; metadata:created_at 2019_10_05; reference:url, urlhaus.abuse.ch/url/238008/; classtype:trojan-activity;sid:81101108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (237890)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.i"; depth:3; endswith; nocase; http.host; content:"185.12.78.161"; depth:13; isdataat:!1,relative; metadata:created_at 2019_10_05; reference:url, urlhaus.abuse.ch/url/237890/; classtype:trojan-activity;sid:81100990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (222263)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen.exe"; depth:11; endswith; nocase; http.host; content:"www.konsor.ru"; depth:13; isdataat:!1,relative; metadata:created_at 2019_08_04; reference:url, urlhaus.abuse.ch/url/222263/; classtype:trojan-activity;sid:81085363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (222259)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/keygen.exe"; depth:11; endswith; nocase; http.host; content:"konsor.ru"; depth:9; isdataat:!1,relative; 
metadata:created_at 2019_08_04; reference:url, urlhaus.abuse.ch/url/222259/; classtype:trojan-activity;sid:81085359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (221595)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kszip/news2/v1.0.7.31/news2_02.exe"; depth:35; endswith; nocase; http.host; content:"download.pdf00.cn"; depth:17; isdataat:!1,relative; metadata:created_at 2019_08_01; reference:url, urlhaus.abuse.ch/url/221595/; classtype:trojan-activity;sid:81084695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (220541)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25072019_0963.xls"; depth:18; endswith; nocase; http.host; content:"fakers.co.jp"; depth:12; isdataat:!1,relative; metadata:created_at 2019_07_29; reference:url, urlhaus.abuse.ch/url/220541/; classtype:trojan-activity;sid:81083641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (219275)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0996938c001/6e8a2a4f-40ac-464f-9a70-7c67f0a0da19.pdf"; depth:53; endswith; nocase; http.host; content:"files.constantcontact.com"; depth:25; isdataat:!1,relative; metadata:created_at 2019_07_24; reference:url, urlhaus.abuse.ch/url/219275/; classtype:trojan-activity;sid:81082375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (217486)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meteoradminz/hidden-tear/zip/master"; depth:36; endswith; nocase; http.host; content:"codeload.github.com"; depth:19; isdataat:!1,relative; metadata:created_at 2019_07_17; reference:url, urlhaus.abuse.ch/url/217486/; classtype:trojan-activity;sid:81080586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware 
download URL detected (215077)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doumai/news2/v1.0.7.01/news2_01.exe"; depth:36; endswith; nocase; http.host; content:"download.doumaibiji.cn"; depth:22; isdataat:!1,relative; metadata:created_at 2019_07_06; reference:url, urlhaus.abuse.ch/url/215077/; classtype:trojan-activity;sid:81078177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (203280)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/qt51crk.exe"; depth:21; endswith; nocase; http.host; content:"www.hseda.com"; depth:13; isdataat:!1,relative; metadata:created_at 2019_05_29; reference:url, urlhaus.abuse.ch/url/203280/; classtype:trojan-activity;sid:81066380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (203157)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/qt51crk.exe"; depth:21; endswith; nocase; http.host; content:"hseda.com"; depth:9; isdataat:!1,relative; metadata:created_at 2019_05_28; reference:url, urlhaus.abuse.ch/url/203157/; classtype:trojan-activity;sid:81066257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (202114)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/screenmate/cute/sm1302.zip"; depth:27; endswith; nocase; http.host; content:"www.starcountry.net"; depth:19; isdataat:!1,relative; metadata:created_at 2019_05_26; reference:url, urlhaus.abuse.ch/url/202114/; classtype:trojan-activity;sid:81065214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (201513)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wj1bsetup.exe"; depth:14; endswith; nocase; http.host; content:"dl.dzqzd.com"; depth:12; isdataat:!1,relative; metadata:created_at 
2019_05_24; reference:url, urlhaus.abuse.ch/url/201513/; classtype:trojan-activity;sid:81064613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200800)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/releases/zorke_release/zorke_asciiverter_v1.00/zke-ascv.exe"; depth:60; endswith; nocase; http.host; content:"nerve.untergrund.net"; depth:20; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200800/; classtype:trojan-activity;sid:81063900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200798)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/releases/12.2013/nrv-ppwr.zip"; depth:30; endswith; nocase; http.host; content:"nerve.untergrund.net"; depth:20; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200798/; classtype:trojan-activity;sid:81063898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200771)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/razor/rzr-winner_intro.zip"; depth:27; endswith; nocase; http.host; content:"chiptune.com"; depth:12; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200771/; classtype:trojan-activity;sid:81063871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (200770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/releases/zorke_release/zorke_nfo_file_viewer_v1.00/zke-nfoview.exe"; depth:67; endswith; nocase; http.host; content:"nerve.untergrund.net"; depth:20; isdataat:!1,relative; metadata:created_at 2019_05_23; reference:url, urlhaus.abuse.ch/url/200770/; classtype:trojan-activity;sid:81063870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (200129)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/qxuserctrlsetup_1010.exe"; depth:29; endswith; nocase; http.host; content:"sta.qinxue.com"; depth:14; isdataat:!1,relative; metadata:created_at 2019_05_22; reference:url, urlhaus.abuse.ch/url/200129/; classtype:trojan-activity;sid:81063229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (195172)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eypipe/pipefile/adpopup/adpopup_1382523956.exe"; depth:47; endswith; nocase; http.host; content:"goto.stnts.com"; depth:14; isdataat:!1,relative; metadata:created_at 2019_05_13; reference:url, urlhaus.abuse.ch/url/195172/; classtype:trojan-activity;sid:81058272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (185713)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qrtb.exe"; depth:9; endswith; nocase; http.host; content:"xiaoma-10021647.file.myqcloud.com"; depth:33; isdataat:!1,relative; metadata:created_at 2019_04_26; reference:url, urlhaus.abuse.ch/url/185713/; classtype:trojan-activity;sid:81048813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (184801)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tqpjo/scan/uftruaemi2h/"; depth:24; endswith; nocase; http.host; content:"redlk.com"; depth:9; isdataat:!1,relative; metadata:created_at 2019_04_25; reference:url, urlhaus.abuse.ch/url/184801/; classtype:trojan-activity;sid:81047901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (176091)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/templates/theme261/css/msg.jpg"; depth:31; endswith; nocase; http.host; content:"sk-comtel.com"; 
depth:13; isdataat:!1,relative; metadata:created_at 2019_04_12; reference:url, urlhaus.abuse.ch/url/176091/; classtype:trojan-activity;sid:81039191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (175833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/templates/theme261/html/com_contact/category/hp.gf"; depth:51; endswith; nocase; http.host; content:"sk-comtel.com"; depth:13; isdataat:!1,relative; metadata:created_at 2019_04_11; reference:url, urlhaus.abuse.ch/url/175833/; classtype:trojan-activity;sid:81038933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (173971)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/support/trust/en/042019/"; depth:30; endswith; nocase; http.host; content:"brightworks.cz"; depth:14; isdataat:!1,relative; metadata:created_at 2019_04_09; reference:url, urlhaus.abuse.ch/url/173971/; classtype:trojan-activity;sid:81037071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (165554)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure.myacc.resourses.com/"; depth:28; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_03_25; reference:url, urlhaus.abuse.ch/url/165554/; classtype:trojan-activity;sid:81028654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (165504)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i203611254b019514581.zip"; depth:25; endswith; nocase; http.host; content:"programandojuntos.us.tempcloudsite.com"; depth:38; isdataat:!1,relative; metadata:created_at 2019_03_25; reference:url, urlhaus.abuse.ch/url/165504/; classtype:trojan-activity;sid:81028604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"URLhaus Known malware download URL detected (164277)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/corporation/new_invoice/1033530/hijmq-jo_uqgwdlyf-8e/"; depth:54; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_03_22; reference:url, urlhaus.abuse.ch/url/164277/; classtype:trojan-activity;sid:81027377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (162770)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/artluz/produtos/sendincsec/support/sec/en_en/03-2019/"; depth:54; endswith; nocase; http.host; content:"alarmline.com.br"; depth:16; isdataat:!1,relative; metadata:created_at 2019_03_20; reference:url, urlhaus.abuse.ch/url/162770/; classtype:trojan-activity;sid:81025870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (161757)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomatoleizhutizy/tomatoleizhutizy.exe"; depth:38; endswith; nocase; http.host; content:"softdl2.360tpcdn.com"; depth:20; isdataat:!1,relative; metadata:created_at 2019_03_19; reference:url, urlhaus.abuse.ch/url/161757/; classtype:trojan-activity;sid:81024857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (157610)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stats/f06bn-kgh24-ncoviajp/"; depth:28; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_03_12; reference:url, urlhaus.abuse.ch/url/157610/; classtype:trojan-activity;sid:81020710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (155567)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rawabijob.hta"; depth:14; endswith; 
nocase; http.host; content:"local-update.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_03_10; reference:url, urlhaus.abuse.ch/url/155567/; classtype:trojan-activity;sid:81018667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (154627)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/za.ebali"; depth:9; endswith; nocase; http.host; content:"mitreart.com"; depth:12; isdataat:!1,relative; metadata:created_at 2019_03_07; reference:url, urlhaus.abuse.ch/url/154627/; classtype:trojan-activity;sid:81017727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (143834)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hl2dm/hl2dm_updater.exe"; depth:24; endswith; nocase; http.host; content:"update.bruss.org.ru"; depth:19; isdataat:!1,relative; metadata:created_at 2019_02_23; reference:url, urlhaus.abuse.ch/url/143834/; classtype:trojan-activity;sid:81006934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (143833)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hl2dm/hl2dm%5fupdater.exe"; depth:26; endswith; nocase; http.host; content:"update.bruss.org.ru"; depth:19; isdataat:!1,relative; metadata:created_at 2019_02_23; reference:url, urlhaus.abuse.ch/url/143833/; classtype:trojan-activity;sid:81006933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (143301)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pistacchietto/win-python-backdoor/raw/master/win.bat"; depth:53; endswith; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; metadata:created_at 2019_02_23; reference:url, urlhaus.abuse.ch/url/143301/; classtype:trojan-activity;sid:81006401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"URLhaus Known malware download URL detected (140791)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bv5eh1ierp/"; depth:12; endswith; nocase; http.host; content:"augsburg-auto.com"; depth:17; isdataat:!1,relative; metadata:created_at 2019_02_20; reference:url, urlhaus.abuse.ch/url/140791/; classtype:trojan-activity;sid:81003891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (140156)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1465810408079_502.exe"; depth:22; endswith; nocase; http.host; content:"static.topxgun.com"; depth:18; isdataat:!1,relative; metadata:created_at 2019_02_19; reference:url, urlhaus.abuse.ch/url/140156/; classtype:trojan-activity;sid:81003256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (122975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/box.bin"; depth:13; endswith; nocase; http.host; content:"dusttv.com"; depth:10; isdataat:!1,relative; metadata:created_at 2019_02_13; reference:url, urlhaus.abuse.ch/url/122975/; classtype:trojan-activity;sid:80986075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (121029)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/active/pcclear_eng_mini.exe"; depth:28; endswith; nocase; http.host; content:"down.pcclear.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_02_10; reference:url, urlhaus.abuse.ch/url/121029/; classtype:trojan-activity;sid:80984129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (116990)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ltbx_h3dtc-obppcj/maj/messages/2019-02/"; depth:40; endswith; nocase; http.host; content:"airlife.bget.ru"; depth:15; isdataat:!1,relative; 
metadata:created_at 2019_02_04; reference:url, urlhaus.abuse.ch/url/116990/; classtype:trojan-activity;sid:80980090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (115233)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/sanghyun-guest.exe"; depth:25; endswith; nocase; http.host; content:"sanghyun.nfile.net"; depth:18; isdataat:!1,relative; metadata:created_at 2019_02_01; reference:url, urlhaus.abuse.ch/url/115233/; classtype:trojan-activity;sid:80978333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (115231)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/sanghyun.exe"; depth:19; endswith; nocase; http.host; content:"sanghyun.nfile.net"; depth:18; isdataat:!1,relative; metadata:created_at 2019_02_01; reference:url, urlhaus.abuse.ch/url/115231/; classtype:trojan-activity;sid:80978331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112779)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/update.exe"; depth:17; endswith; nocase; http.host; content:"sg123.net"; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112779/; classtype:trojan-activity;sid:80975879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112648)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/install.exe"; depth:18; endswith; nocase; http.host; content:"sg123.net"; depth:9; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112648/; classtype:trojan-activity;sid:80975748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112647)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/files/install.exe"; depth:18; endswith; nocase; http.host; content:"igra123.com"; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112647/; classtype:trojan-activity;sid:80975747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (112642)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/update.exe"; depth:17; endswith; nocase; http.host; content:"igra123.com"; depth:11; isdataat:!1,relative; metadata:created_at 2019_01_29; reference:url, urlhaus.abuse.ch/url/112642/; classtype:trojan-activity;sid:80975742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (111691)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/haeum.exe"; depth:16; endswith; nocase; http.host; content:"haeum.nfile.net"; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_28; reference:url, urlhaus.abuse.ch/url/111691/; classtype:trojan-activity;sid:80974791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (110142)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/%d3%b2%bc%fe%d0%c5%cf%a2%b2%e9%bf%b4%c6%f7.exe"; depth:47; endswith; nocase; http.host; content:"down.54nb.com"; depth:13; isdataat:!1,relative; metadata:created_at 2019_01_25; reference:url, urlhaus.abuse.ch/url/110142/; classtype:trojan-activity;sid:80973242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (106003)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin133.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106003/; 
classtype:trojan-activity;sid:80969103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (106002)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd156.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106002/; classtype:trojan-activity;sid:80969102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (106000)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin130.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/106000/; classtype:trojan-activity;sid:80969100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105999)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin142.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105999/; classtype:trojan-activity;sid:80969099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105998)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd124.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105998/; classtype:trojan-activity;sid:80969098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105997)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/qcoin/qcoin141.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105997/; classtype:trojan-activity;sid:80969097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105991)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin140.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105991/; classtype:trojan-activity;sid:80969091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105985)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd136.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105985/; classtype:trojan-activity;sid:80969085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105976)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcoin/qcoin139.exe"; depth:19; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105976/; classtype:trojan-activity;sid:80969076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105975)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd/jd137.exe"; depth:13; endswith; nocase; http.host; content:"cdn-10049480.file.myqcloud.com"; depth:30; isdataat:!1,relative; metadata:created_at 2019_01_19; reference:url, urlhaus.abuse.ch/url/105975/; 
classtype:trojan-activity;sid:80969075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105558)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n/tui/ciqinmishi/6/cqms.exe"; depth:28; endswith; nocase; http.host; content:"bundle.kpzip.com"; depth:16; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105558/; classtype:trojan-activity;sid:80968658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (105407)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hkhe3fktc/"; depth:11; endswith; nocase; http.host; content:"atkcgnew.evgeni7e.beget.tech"; depth:28; isdataat:!1,relative; metadata:created_at 2019_01_18; reference:url, urlhaus.abuse.ch/url/105407/; classtype:trojan-activity;sid:80968507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (104016)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/drop/css/obr.hta"; depth:17; endswith; nocase; http.host; content:"www.myvcart.com"; depth:15; isdataat:!1,relative; metadata:created_at 2019_01_16; reference:url, urlhaus.abuse.ch/url/104016/; classtype:trojan-activity;sid:80967116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (102706)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autoguarder/autoguarder_2.3.7.350.exe"; depth:38; endswith; nocase; http.host; content:"softdl4.360.cn"; depth:14; isdataat:!1,relative; metadata:created_at 2019_01_12; reference:url, urlhaus.abuse.ch/url/102706/; classtype:trojan-activity;sid:80965806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (102548)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/doumai/tips/v1.0.1.11/tips_01.exe"; depth:34; endswith; nocase; http.host; content:"download.doumaibiji.cn"; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_11; reference:url, urlhaus.abuse.ch/url/102548/; classtype:trojan-activity;sid:80965648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (102545)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doumai/fmt/v1.0.1.11/fmt_01.exe"; depth:32; endswith; nocase; http.host; content:"download.doumaibiji.cn"; depth:22; isdataat:!1,relative; metadata:created_at 2019_01_11; reference:url, urlhaus.abuse.ch/url/102545/; classtype:trojan-activity;sid:80965645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (98628)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6nqq.js"; depth:8; endswith; nocase; http.host; content:"www.hostingcloud.science"; depth:24; isdataat:!1,relative; metadata:created_at 2018_12_21; reference:url, urlhaus.abuse.ch/url/98628/; classtype:trojan-activity;sid:80961728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (96625)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iuia-qgkdtq2rfbxd7z_ljiaengvq-4cy/"; depth:35; endswith; nocase; http.host; content:"www.ardguisser.com"; depth:18; isdataat:!1,relative; metadata:created_at 2018_12_17; reference:url, urlhaus.abuse.ch/url/96625/; classtype:trojan-activity;sid:80959725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95728)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/download/zip/waigua/shiqi/2003/06/20030620.exe"; depth:52; endswith; nocase; http.host; content:"veryboys.com"; depth:12; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, 
urlhaus.abuse.ch/url/95728/; classtype:trojan-activity;sid:80958828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95727)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/download/zip/waigua/mir2/2003/05/200305252.exe"; depth:52; endswith; nocase; http.host; content:"veryboys.com"; depth:12; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95727/; classtype:trojan-activity;sid:80958827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95634)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/guochang/setup_tvplayer.zip"; depth:44; endswith; nocase; http.host; content:"www.okhan.net"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95634/; classtype:trojan-activity;sid:80958734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95633)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/youxi/okhan.net-2wn.rar"; depth:40; endswith; nocase; http.host; content:"www.okhan.net"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_15; reference:url, urlhaus.abuse.ch/url/95633/; classtype:trojan-activity;sid:80958733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95209)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/us/information/122018/"; depth:23; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_12_14; reference:url, urlhaus.abuse.ch/url/95209/; classtype:trojan-activity;sid:80958309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (95078)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/us/information/122018"; depth:22; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_12_14; reference:url, urlhaus.abuse.ch/url/95078/; classtype:trojan-activity;sid:80958178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (94279)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload/20140812/14078161556897.rar"; depth:35; endswith; nocase; http.host; content:"static.3001.net"; depth:15; isdataat:!1,relative; metadata:created_at 2018_12_13; reference:url, urlhaus.abuse.ch/url/94279/; classtype:trojan-activity;sid:80957379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (94199)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/youxi/okhan.net-2wn.rar"; depth:40; endswith; nocase; http.host; content:"okhan.net"; depth:9; isdataat:!1,relative; metadata:created_at 2018_12_13; reference:url, urlhaus.abuse.ch/url/94199/; classtype:trojan-activity;sid:80957299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (94194)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/soft/uploadfile/anquan/pjbingdianhuanyuan.rar"; depth:46; endswith; nocase; http.host; content:"okhan.net"; depth:9; isdataat:!1,relative; metadata:created_at 2018_12_13; reference:url, urlhaus.abuse.ch/url/94194/; classtype:trojan-activity;sid:80957294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (92354)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/3"; depth:14; endswith; nocase; http.host; content:"itssprout.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_10; reference:url, urlhaus.abuse.ch/url/92354/; 
classtype:trojan-activity;sid:80955454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (92351)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/2"; depth:14; endswith; nocase; http.host; content:"itssprout.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_10; reference:url, urlhaus.abuse.ch/url/92351/; classtype:trojan-activity;sid:80955451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (92344)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/1"; depth:14; endswith; nocase; http.host; content:"itssprout.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_12_10; reference:url, urlhaus.abuse.ch/url/92344/; classtype:trojan-activity;sid:80955444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (86730)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/076360tad/oamo/business/"; depth:25; endswith; nocase; http.host; content:"flyingmutts.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_11_29; reference:url, urlhaus.abuse.ch/url/86730/; classtype:trojan-activity;sid:80949830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85901)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tekiwanatain/installer.rar"; depth:27; endswith; nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_11_28; reference:url, urlhaus.abuse.ch/url/85901/; classtype:trojan-activity;sid:80949001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85881)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/5fg9yjwr.rar"; depth:36; endswith; 
nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85881/; classtype:trojan-activity;sid:80948981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85879)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/a9to40e7.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85879/; classtype:trojan-activity;sid:80948979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85878)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/e6i8pdc0.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85878/; classtype:trojan-activity;sid:80948978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85877)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-07/28/117228/4wtjdjio.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85877/; classtype:trojan-activity;sid:80948977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85876)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/29/106045/zwy1q6k0.rar"; depth:36; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85876/; classtype:trojan-activity;sid:80948976; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (85874)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/2009-06/06/98428/07c9mfhe.zip"; depth:35; endswith; nocase; http.host; content:"p3.zbjimg.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_11_27; reference:url, urlhaus.abuse.ch/url/85874/; classtype:trojan-activity;sid:80948974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (84040)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0415jbrob/sep/smallbusiness"; depth:28; endswith; nocase; http.host; content:"www.udobrit.ru"; depth:14; isdataat:!1,relative; metadata:created_at 2018_11_23; reference:url, urlhaus.abuse.ch/url/84040/; classtype:trojan-activity;sid:80947140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (79623)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/urzfhrbbg"; depth:10; endswith; nocase; http.host; content:"vagler.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2018_11_13; reference:url, urlhaus.abuse.ch/url/79623/; classtype:trojan-activity;sid:80942723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (79342)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigfile/v1/urls/d/1gpusd8uwnakepjjehixnayfekq/kbdjubux_j-nvjot1z-mdw"; depth:69; endswith; nocase; http.host; content:"attach.mail.daum.net"; depth:20; isdataat:!1,relative; metadata:created_at 2018_11_13; reference:url, urlhaus.abuse.ch/url/79342/; classtype:trojan-activity;sid:80942442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (71185)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nykol16/kepek.exe"; depth:18; endswith; nocase; http.host; 
content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_10_26; reference:url, urlhaus.abuse.ch/url/71185/; classtype:trojan-activity;sid:80934285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (67517)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbs/attachment/forum/201106/03/153053ki5kbisfbc8316i3.rar"; depth:58; endswith; nocase; http.host; content:"attach.66rpg.com"; depth:16; isdataat:!1,relative; metadata:created_at 2018_10_13; reference:url, urlhaus.abuse.ch/url/67517/; classtype:trojan-activity;sid:80930617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (67474)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbs/attachment/forum/201108/22/215335elkpi66piz56eii9.zip"; depth:58; endswith; nocase; http.host; content:"attach.66rpg.com"; depth:16; isdataat:!1,relative; metadata:created_at 2018_10_12; reference:url, urlhaus.abuse.ch/url/67474/; classtype:trojan-activity;sid:80930574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (66694)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autoup/client/aqclient.exe"; depth:27; endswith; nocase; http.host; content:"pay.aqiu6.com"; depth:13; isdataat:!1,relative; metadata:created_at 2018_10_11; reference:url, urlhaus.abuse.ch/url/66694/; classtype:trojan-activity;sid:80929794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (66274)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toneraruhaz/wp-admin/network/installer.rar"; depth:43; endswith; nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_10_09; reference:url, urlhaus.abuse.ch/url/66274/; classtype:trojan-activity;sid:80929374; rev:1;) 
# URLhaus exact-URL indicators, entries 66164 down to 17216 (all created_at 2018).
# Every rule in this run has the same shape:
#   - alert http, $HOME_NET -> $EXTERNAL_NET, flow:established,from_client: evaluated on
#     the client side of an outbound HTTP session. An alert records that the request
#     was made, not that a payload was delivered; check the response when triaging.
#   - http.method "GET", then http.uri content with depth equal to the string length
#     plus endswith (nocase): the normalized URI has to equal the listed path. A request
#     with anything before or after it (e.g. an added query string) does not match.
#   - http.host content with depth plus isdataat:!1,relative: the Host value has to
#     equal the listed name; other names for the same server are not covered.
#   - Only traffic Suricata parses as HTTP is inspected. The same URL fetched over TLS
#     is not seen by these rules unless it is decrypted upstream of the sensor.
# Each rule identifies one URL (host + path), never the whole host; do not derive a
# host blocklist from it. The reference:url in each rule points at the URLhaus entry.
# NOTE(review): created_at is 2018 throughout; confirm on the reference page that
# an indicator is still relevant before acting on an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (66164)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fvlmodell/letoltes/files/scalecalc.exe"; depth:39; endswith; nocase; http.host; content:"users.atw.hu"; depth:12; isdataat:!1,relative; metadata:created_at 2018_10_09; reference:url, urlhaus.abuse.ch/url/66164/; classtype:trojan-activity;sid:80929264; rev:1;)
# NOTE(review): the two file names below (evil.exe, rsh-192-168-1-89.exe) look like
# lab/exercise samples; that is presumed from the names only. Verify via the reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (63742)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/124/proj14/evil.exe"; depth:20; endswith; nocase; http.host; content:"samsclass.info"; depth:14; isdataat:!1,relative; metadata:created_at 2018_10_02; reference:url, urlhaus.abuse.ch/url/63742/; classtype:trojan-activity;sid:80926842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (63741)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/124/proj14/rsh-192-168-1-89.exe"; depth:32; endswith; nocase; http.host; content:"samsclass.info"; depth:14; isdataat:!1,relative; metadata:created_at 2018_10_02; reference:url, urlhaus.abuse.ch/url/63741/; classtype:trojan-activity;sid:80926841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (59247)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vqd0d5/"; depth:8; endswith; nocase; http.host; content:"robertrowe.com"; depth:14; isdataat:!1,relative; metadata:created_at 2018_09_23; reference:url, urlhaus.abuse.ch/url/59247/; classtype:trojan-activity;sid:80922347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (57935)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/factures-09-2018/"; depth:18; endswith; nocase; http.host; content:"hasalltalent.com"; depth:16; isdataat:!1,relative; metadata:created_at 2018_09_19; reference:url, urlhaus.abuse.ch/url/57935/; classtype:trojan-activity;sid:80921035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (57059)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/en/need-to-send-the-attachment"; depth:40; endswith; nocase; http.host; content:"vgd.vg"; depth:6; isdataat:!1,relative; metadata:created_at 2018_09_17; reference:url, urlhaus.abuse.ch/url/57059/; classtype:trojan-activity;sid:80920159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (56449)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7mn5zo8d/"; depth:10; endswith; nocase; http.host; content:"vgd.vg"; depth:6; isdataat:!1,relative; metadata:created_at 2018_09_14; reference:url, urlhaus.abuse.ch/url/56449/; classtype:trojan-activity;sid:80919549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (44461)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5805773c/payment/personal"; depth:26; endswith; nocase; http.host; content:"ct3-24.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2018_08_20; reference:url, urlhaus.abuse.ch/url/44461/; classtype:trojan-activity;sid:80907561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (44113)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/663752sludgz/oamo/us/"; depth:22; endswith; nocase; http.host; content:"ct3-24.ru"; depth:9; isdataat:!1,relative; metadata:created_at 2018_08_17; reference:url, urlhaus.abuse.ch/url/44113/; classtype:trojan-activity;sid:80907213; rev:1;)
# The next three rules name www.dropbox.com as the Host and match only the listed
# /s/dl/... paths, so ordinary traffic to that host does not alert.
# NOTE(review): presumably this host is reached over HTTPS; confirm the sensor sees
# decrypted HTTP for it, otherwise these three rules cannot fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (38013)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/gxfqfem5m813nva/firefox_67.3.39.js"; depth:40; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_08_02; reference:url, urlhaus.abuse.ch/url/38013/; classtype:trojan-activity;sid:80901113; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (38011)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/dqrsgzlf8jeefw0/firefox_67.3.45.js"; depth:40; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_08_02; reference:url, urlhaus.abuse.ch/url/38011/; classtype:trojan-activity;sid:80901111; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (38009)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/dl/g4is5u674v6l2yy/firefox_67.3.16.js"; depth:40; endswith; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; metadata:created_at 2018_08_02; reference:url, urlhaus.abuse.ch/url/38009/; classtype:trojan-activity;sid:80901109; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (17216)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dl/facture_431977465.doc"; depth:25; endswith; nocase; http.host; content:"mail.swingologygolfschools.com"; depth:30; isdataat:!1,relative; metadata:created_at 2018_06_11; reference:url, urlhaus.abuse.ch/url/17216/; classtype:trojan-activity;sid:80880316; rev:1;)
# Number of entries: 29122